AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Tue Nov 17, 2015 9:34 pm Post subject: IGD2 Port triggering
Hi, does miniupnpd support what the IGD2 specs call port triggering?
I mean that when a client requests an internal port different from the external port, the reverse is also set up so the source port gets changed on outgoing packets.
Section 2.5.16, figure 2.2 in UPnP-gw-WANIPConnection-v2-Service.pdf.
I am using Linux/netfilter.
TIA.
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Tue Nov 24, 2015 8:49 am
I don't think so.
Can you provide the iptables rules that you use to do port triggering?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Tue Nov 24, 2015 10:28 am
It was early days of me trying to solve an issue when I posted.
The term port triggering in the UPnP docs somewhat confuses me as to what they exactly mean, as other definitions I've read do indeed seem to be "impossible" with iptables.
I did manage to solve my issue, but I was/am using igd2-for-linux.
The issue is three Xbox Ones with the game Black Ops 3.
Previously we had 3 Xbox 360s, which have now been traded in.
The 360s were easy to get open NAT with, as they would ask for UDP 3074 and if they couldn't have it they would ask for and use another port, the "and use" being important here. Games would also use this new port and would have open NAT.
The Xbox One itself behaves the same: it tries for 3074 and if it can't have it, it gets another port and uses it (so it will have open NAT even on old IGD). Games (well, only BO3 is tested so far) are different: they also try for a port (3075 for BO3), but if they can't have it they will ask for another while still wanting to use 3075 internally.
So with IGDv1 behaviour the Xbox Ones will show open NAT but at least 2 out of 3 games will have moderate NAT.
I use Linux From Scratch and a little DC PC as a router and other things.
The "fix" for me was a lazy and so far incomplete copy & paste hack to the igd2-for-linux code, which is only really going to work for me on my setup.
The hack is that when the game asks to open a port I also set up a masq rule for outbound connections from that internal host:port that maps to the new external port. This seems to be what IGD2 requires, and it certainly gets me open NAT for BO3 on all 3 consoles.
Here's how it looks from the logs; the line starting ADF is my "hack".
Code: |
Nov 23 21:18:09 asr upnpd[25021]: ActionName = AddPortMapping
Nov 23 21:18:09 asr upnpd[25021]: Portmapping with same external port '3075' and protocol 'UDP' are mapped to another client already.
Nov 23 21:18:12 asr upnpd[25021]: ActionName = AddPortMapping
Nov 23 21:18:12 asr upnpd[25021]: /sbin/iptables -I FORWARD -p UDP -d 192.168.0.220 --dport 3075 -j ACCEPT
Nov 23 21:18:12 asr upnpd[25021]: /sbin/iptables -t nat -I PREROUTING -i ppp0 -p UDP --dport 3120 -j DNAT --to 192.168.0.220:3075
Nov 23 21:18:12 asr upnpd[25021]: ADF /sbin/iptables -t nat -I POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 -j MASQUERADE --to-ports 3120
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Wed Nov 25, 2015 9:21 pm
Won't it work with
Code: | iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 --dport 3120 -j SNAT --to-source 192.168.0.220:3120 |
because it is already implemented for PCP-PEER?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Wed Nov 25, 2015 9:29 pm
miniupnp wrote: | Won't it work with
Code: | iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 --dport 3120 -j SNAT --to-source 192.168.0.220:3120 |
because it is already implemented for PCP-PEER? |
Should be Code: | --to-source <public.ip>:3120 |
Looking at the documentation, MASQUERADE is probably better.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Wed Nov 25, 2015 9:37 pm
I'm not even sure addpeernatrule() works...
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Wed Dec 02, 2015 10:03 pm
A bit late; I didn't get any mail notifications for the latest posts.
On SNAT vs MASQUERADE, I did MASQUERADE because that's what I use, as my IP address is dynamic. I used to have a static with a previous ISP and would have used SNAT if I were still with them.
I don't know about PCP-PEER or if Xbox would use PCP at all.
I notice that the example appends (-A), but you would really need to insert (-I) anything in POSTROUTING, or the connection would get caught by the normal/resident SNAT/MASQUERADE rule that will typically be there already.
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Tue Jan 26, 2016 4:04 pm
I'm adding a specific chain for miniupnpd rules:
Code: |
iptables -t nat -A POSTROUTING -o ppp0 -j MINIUPNPD-POSTROUTING
|
(in your boot-time iptables init)
then miniupnpd will add:
Code: |
iptables -t nat -A MINIUPNPD-POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 -j MASQUERADE --to-ports 3120
|
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Tue Jan 26, 2016 4:15 pm
Cool, I can't say when exactly, but I will test (after re-reading the other Xbox One thread) sometime.
I think the new table will need to be inserted rather than appended.
Edit: I mean the jump to the new chain.
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1589
Posted: Tue Jan 26, 2016 4:31 pm
AndyF wrote: | I think the new table will need to be inserted rather than appended.
Edit: I mean the jump to the new chain. |
It all depends on how your chains are initialized at boot time.
Several -I in a script put the rules in reverse order.
Have a look at the netfilter/iptables_init.sh script, which is only an example.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Tue Jan 26, 2016 5:32 pm
Yes, you are right. I guess it could be quite a pain/source of error for you having to support varied platforms and needing to know what they do and in what order.
As an LFS user I don't have/use all these "normal" scripts, so I get to break/mend my own stuff.
So yeah, when I get to test I will just adjust my setup to suit.
Currently, using hacked IGD2, I need to insert as I am working directly in POSTROUTING. I will need miniupnpd to come up before my iptables to use it as is.
AndyF
Joined: 17 Nov 2015 Posts: 12
Posted: Thu Jan 28, 2016 5:33 pm
I got to test today; I didn't try anything "special" with the build, used the default config.h and only changed a few things in miniupnpd.conf. I adjusted iptables_init.sh to fit with my existing setup.
The .conf diff is just as below (posted in case I did something stupid, being a total beginner with miniupnpd!).
In summary it works OK: the Xboxes and the game open the ports and react to taken ports just as with my existing setup, but there is one potential issue.
The Xbones themselves seem to be consistent in what port they ask for if their first choice is gone (I guess because they are getting the same IP from DHCP).
The game (Black Ops 3) isn't. It requests 3075 and if it's gone it requests some other apparently random port 3xxx.
Why is this an issue? Well, it may not be, by luck, for this game (I need more time to test), but this is what I get when I tested by bringing up XB_1 + the game, then bringing up XB_2 + the game.
Code: |
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3074 to:192.168.0.220:3074
1 43 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3075 to:192.168.0.220:3075
1 137 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:56437 to:192.168.0.221:56437
1 43 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3135 to:192.168.0.221:3075
Chain MINIUPNPD-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
2 178 MASQUERADE udp -- * ppp0 192.168.0.220 0.0.0.0/0 udp spt:3074 masq ports: 3074
43 1646 MASQUERADE udp -- * ppp0 192.168.0.220 0.0.0.0/0 udp spt:3075 masq ports: 3075
1 89 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:56437 masq ports: 56437
40 1532 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:3075 masq ports: 3135
|
After shutting both down and repeating, the first Xbox gets the same ports and the second Xbox gets the same second choice as previously, but the game goes for a random port after failing to get 3075, leading to this situation:
Code: |
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
1 137 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3074 to:192.168.0.220:3074
2 86 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3075 to:192.168.0.220:3075
2 274 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:56437 to:192.168.0.221:56437
2 86 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3135 to:192.168.0.221:3075
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3090 to:192.168.0.221:3075
Chain MINIUPNPD-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
3 267 MASQUERADE udp -- * ppp0 192.168.0.220 0.0.0.0/0 udp spt:3074 masq ports: 3074
83 3178 MASQUERADE udp -- * ppp0 192.168.0.220 0.0.0.0/0 udp spt:3075 masq ports: 3075
2 178 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:56437 masq ports: 56437
82 3140 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:3075 masq ports: 3135
0 0 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:3075 masq ports: 3090
|
As you can see, this time the game on XB_2 requested 3090 external (it always used 3075 internal), but as the rules are appended, the masq to the previous port (3125) is still being used.
By chance this still works: the game reports open NAT. I guess what happens is that it connects out and the server does the NAT test by firing back a new connection on the port it sees, rather than relying on any communication about what ports have just been opened via UPnP. You can see that the counter on the DNAT rule for 3135 has incremented.
It remains to be seen whether the game itself, e.g. P2P voice comms, is affected; I did a quick test and could join/play OK.
Being new to miniupnpd I don't have verbose logs or know how to tweak them, what the default timeouts are, etc. On my old setup I made rules only last 18 hours just to avoid having tables full of old rules (IIRC the default was a week).
Code: |
--- a/miniupnpd/miniupnpd.conf
+++ b/etc/miniupnpd/miniupnpd.conf
@@ -1,5 +1,5 @@
# WAN network interface
-#ext_ifname=eth1
+ext_ifname=ppp0
#ext_ifname=xl1
# If the WAN interface has several IP addresses, you
# can specify the one to use below
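Review bot: the two file headers name different paths, `--- a/miniupnpd/miniupnpd.conf` against `+++ b/etc/miniupnpd/miniupnpd.conf`, so this is a diff of the sample config shipped in the source tree against the installed copy rather than of two revisions of one file; worth saying so above the listing, because it will not apply cleanly with `patch -p1` against either tree. The `ext_ifname=ppp0` value itself is consistent with the `-o ppp0` on the MINIUPNPD-POSTROUTING jump given earlier in the thread, which the `--to-ports` masquerade rules depend on.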
@@ -16,7 +16,7 @@
# listening_ip=192.168.0.1/24 88.22.44.13
#listening_ip=192.168.0.1/24
#listening_ip=10.5.0.0/16
-#listening_ip=eth0
+listening_ip=eth0
# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file
@@ -75,12 +75,12 @@
# Bitrates reported by daemon in bits per second
# by default miniupnpd tries to get WAN interface speed
-#bitrate_up=1000000
-#bitrate_down=10000000
+bitrate_up=15000000
+bitrate_down=60000000
# Secure Mode, UPnP clients can only add mappings to their own IP
-#secure_mode=yes
-secure_mode=no
+secure_mode=yes
+#secure_mode=no
# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
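Review bot: the `secure_mode=yes` flip is the most important line in this diff and deserves a mention in the post rather than being buried after the bitrate change. With the MINIUPNPD-POSTROUTING rule from earlier in the thread, an AddPortMapping now installs not only a DNAT but also a `-s <host> --sport <port> -j MASQUERADE --to-ports <ext>` rewrite for the internal client named in the request, so limiting clients to mappings for their own IP (as the context comment describes) keeps one LAN host from altering another host's outbound NAT. The `bitrate_up`/`bitrate_down` values are only what the daemon reports to clients and do not affect the mappings.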
@@ -142,7 +142,7 @@ uuid=514972fd-03d8-42a1-9f6d-4ab15e17b73f
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
allow 1024-65535 192.168.0.0/24 1024-65535
-allow 1024-65535 192.168.1.0/24 1024-65535
-allow 1024-65535 192.168.0.0/23 22
-allow 12345 192.168.7.113/32 54321
+#allow 1024-65535 192.168.1.0/24 1024-65535
+#allow 1024-65535 192.168.0.0/23 22
+#allow 12345 192.168.7.113/32 54321
deny 0-65535 0.0.0.0/0 0-65535
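Review bot: commenting out rather than deleting the three sample `allow` lines is fine, but the resulting policy should be stated explicitly in the post: a single `allow 1024-65535 192.168.0.0/24 1024-65535` followed by `deny 0-65535 0.0.0.0/0 0-65535`, which covers both consoles (192.168.0.220 and .221) and refuses mappings to privileged external ports. If only the two consoles ever need mappings, narrowing the allow line to their addresses (`/32` entries, the syntax the commented `192.168.7.113/32` sample shows) would tighten it further.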
|
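The shadowing shown in the two listings above (an appended MASQUERADE rule for the same source host and port never fires, so the earlier --to-ports wins) and the -I versus -A ordering point raised earlier in the thread both come down to netfilter's first-match walk of a chain. The following is an added example, not miniupnpd code: it parses a constructed copy of the second MINIUPNPD-POSTROUTING listing, simulates the first-match walk to find which external port an outbound packet would actually get, and reports rules that an earlier rule with the same match key makes unreachable.

```python
import re
from dataclasses import dataclass
# Constructed sample, modelled on the second MINIUPNPD-POSTROUTING listing in the thread.
SAMPLE_LISTING = """\
Chain MINIUPNPD-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
3 267 MASQUERADE udp -- * ppp0 192.168.0.220 0.0.0.0/0 udp spt:3074 masq ports: 3074
83 3178 MASQUERADE udp -- * ppp0 192.168.0.220 0.0.0.0/0 udp spt:3075 masq ports: 3075
2 178 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:56437 masq ports: 56437
82 3140 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:3075 masq ports: 3135
0 0 MASQUERADE udp -- * ppp0 192.168.0.221 0.0.0.0/0 udp spt:3075 masq ports: 3090
"""
# Columns of `iptables -t nat -L -v -n`: pkts bytes target prot opt in out source destination,
# then the udp source-port match and the masquerade port.
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+MASQUERADE\s+(\w+)\s+--\s+\S+\s+(\S+)\s+(\S+)\s+\S+"
                     r"\s+\w+\s+spt:(\d+)\s+masq ports:\s*(\d+)")
@dataclass(frozen=True)
class Trigger:
    proto: str
    out_if: str
    src: str
    sport: int     # internal port the console sends from
    ext_port: int  # external port the rule rewrites it to
def match_key(r):  # the fields netfilter compares: equal keys match the same packets
    return (r.proto, r.out_if, r.src, r.sport)

def parse_chain(listing):
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            proto, out_if, src, sport, ext = m.groups()
            rules.append(Trigger(proto, out_if, src, int(sport), int(ext)))
    return rules

def effective_port(rules, proto, out_if, src, sport):
    # First match wins, as in netfilter; None means the resident MASQUERADE keeps the source port.
    for r in rules:
        if match_key(r) == (proto, out_if, src, sport):
            return r.ext_port
    return None

def shadowed(rules):
    # Rules an earlier rule already covers never fire; an appended (-A) duplicate lands here.
    seen, out = set(), []
    for r in rules:
        if match_key(r) in seen:
            out.append(r)
        seen.add(match_key(r))
    return out
```

With the sample listing, effective_port() for 192.168.0.221 sport 3075 returns 3135 and shadowed() flags the 3090 rule; moving that rule to the head of the list, which is what inserting with -I instead of appending with -A does, makes 3090 win instead.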