miniupnp.tuxfamily.org Forum Index
The forum about miniupnp and libnatpmp

Xbox 360 works, Xbox One doesn't

xelprep
Joined: 16 Jan 2016
Posts: 5
Posted: Mon Jan 18, 2016 5:55 am

Just checked the http header:

Code:
Server: FreeBSD/10.2-STABLE UPnP/1.1 MiniUPnPd/1.9


The 1.1 is the important number here, right?

miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1388
Posted: Mon Jan 18, 2016 10:01 am

Right. It should be OK.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/

xelprep
Joined: 16 Jan 2016
Posts: 5
Posted: Wed Jan 20, 2016 5:09 am

I just noticed this when I run
Code:
pkg info miniupnpd


Code:
Options        :
   CHECK_PORTINUSE: on
   IPV6           : on
   LEASEFILE      : off
   PF_ENABLE_FILTER_RULES: on
   UPNP_IGDV2     : on
   UPNP_STRICT    : off
Annotations    :
   cpe            : cpe:2.3:a:miniupnp_project:miniupnpd:1.9.20160113:::::freebsd10:x64
   repo_type      : binary
   repository     : pfSense


I think my problem might be the IGDV2 state being "on". However, BoHiCa is seemingly having success with IGDv2 using the same miniupnpd version that is included in the latest pfsense.

BoHiCa wrote:
Hi Thomas!

I just rebuilt and re-tested with the 1.9.20160113 release you posted earlier this week.

I re-tested both igd1 and igd2 (both with --uda-version=1.1 on the options line) with the Xbox One (latest patch) and the Xbone is currently reporting the magic sauce of "Open NAT" with *both* IGD v2 and IGD v1! Well done! I'll keep toying with it and let you know if something pops up further on down the road. Thanks for all you do!

Just shout if posting miniupnpd debug logs with this build would be helpful to you or not.


BoHiCa, can you specify what options you used when you built this version?

BoHiCa
Joined: 19 Jun 2015
Posts: 22
Posted: Sat Jan 23, 2016 4:11 am

These are the compile CONFIG_OPTS I use when building the daemon:

for igd V2:

Code:
--portinuse --vendorcfg --leasefile --pcp-peer --uda-version=1.1 --igd2


for igd V1:

Code:
--portinuse --vendorcfg --leasefile --pcp-peer --uda-version=1.1


I have had the Xbone network type reported back as "Moderate" once during the last week of running the IGD v2 build, but 99% of the time when checking the network status (I check 2-3X daily), it reports back as "Open NAT" (cone). I restarted the Xbone (hard-restart) once right after the "Moderate" status came back, which was about a week ago. I have not had the IGD V1 builds, through several recent iterations of the code, so far report back anything but "Open NAT".

I'm currently running the latest release: 1.9.20160113 and have been since 16-Jan-2016.

I would try to get an IGD V1 build and check again.

Lastly, if you don't need IPV6, I would also remove that from the compile time options. IPV6 is a "poop-show" everywhere right now...

You also might want to make sure that the firewall rules are properly set up for miniupnpd. I'm on a linux firewall distro (SmoothWall Express v 3.1 pre update 7) that uses iptables.

xelprep
Joined: 16 Jan 2016
Posts: 5
Posted: Sun Jan 24, 2016 12:17 am

Thanks for the info. The pfsense devs reverted back to IGD1 and everything is working as expected again. Although they removed IPv6 from the options, the binary still seems to have IPv6 support enabled. I doubt this will affect anything, it just seems weird.

miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1388
Posted: Tue Jan 26, 2016 6:28 pm

@xelprep
Is there the "static-port" option on your nat pf rule?
That could make a difference.
http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1

see http://miniupnp.tuxfamily.org/forum/viewtopic.php?p=4434#4434
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/

xelprep
Joined: 16 Jan 2016
Posts: 5
Posted: Wed Jan 27, 2016 5:57 am

Yes, indeed there is. I have my Xboxes set with DHCP reservations and those particular IPs are static port when it comes to upnp. Everything is working great now with IGD1, so I'm pretty sure the problem lies with Microsoft since it was only their products that stopped working with IGD2.

yakkowarner
Joined: 02 Dec 2015
Posts: 11
Posted: Wed Apr 20, 2016 2:48 am

I appreciate everyone who's jumped in with more information than I was able to provide. I sat back when things started going a little over my head. :)

So, I tried getting the latest code (20160222), configured it with the options BoHiCa mentioned specifically (--portinuse --vendorcfg --leasefile --pcp-peer --uda-version=1.1), compiled, and deployed. Unfortunately, my Xbox stubbornly refuses to consider my NAT open.

It is reporting it's using version 1.1, and if I use Intel's uPnP DeviceSpy tool, I am able to see the gateway and run a simple query (GetExternalIPAddress), so I think it's configured right.

Is there something I can do to troubleshoot?

BoHiCa
Joined: 19 Jun 2015
Posts: 22
Posted: Wed Apr 20, 2016 3:11 am

miniupnpd-2.0 was released today, lol. It is almost identical to 1.9.20160222 however.

It seems to be *critical* for XBone to achieve "Open NAT" (cone NAT) nirvana that it be configured as a DHCP client. If the XBone (or 360) is configured statically, it just doesn't seem to work as well. Most modern soho/shrink wrap routers available today support the concept of "DHCP reservations" where your client thinks it is configured for DHCP (because it is) but the router has a specific IP address reserved for it (via the device's MAC address), so when the device/node asks for an IP via DHCP, it will always get the same one, which is very handy.

I don't think you have described the gateway that the XBone is sitting behind (Beyond it being a Debian Wheezy box, if you have I missed it) which might help understand what is happening. Can you tell if the appropriate iptables rules are being added during the "Test Multiplayer Connection" process? If you don't have a rule that looks similar to this:

Code:
Chain MINIUPNPD (3 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1644 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.201        udp dpt:3074

where the destination (192.168.1.201) IP is the same as your XBone, you are not going to get Open NAT. miniupnpd simply must be able to insert/add/remove rules via iptables or it isn't going to work.

If you are using an iptables firewall, what is the output of this script (included with the default installation of miniupnpd): /usr/bin/miniupnpd/iptables_display.sh

That may shine a light on what is going on.

yakkowarner
Joined: 02 Dec 2015
Posts: 11
Posted: Wed Apr 20, 2016 4:09 am

I do have my XBone set up for DHCP. My dhcpd is configured to always give it the same IP based on its MAC address.

Nothing appears in the iptables rules when I run the multiplayer network test. This has pretty much been my problem all along - it's like the Xbox doesn't even try. Though if I turn on the 360 sitting right next to it, plugged into the same switch, I'll get ports opened with no problems. That's what's so maddeningly frustrating about this endeavor.

My network is set up thus:

My XBone (and my 360) are wired into a dumb switch, which is wired through the house to another dumb switch, which in turn is wired to my Debian/Wheezy server on eth1. The server's eth0 is wired directly to a Comcast Business gateway.

The gateway does perform a level of NAT, so my server's eth0 address is 10.1.10.10. But the server is in the gateway's DMZ, so it forwards all traffic to my server. (I run email and web servers that get incoming traffic fine, so this seems to work.) I do have my actual, public external IP address specified in the miniupnpd.conf file, so if I query the GetExternalIPAddress method, I get the real external IP. (This was actually my reason for trying to move from linux-igd to miniupnpd, because the former doesn't allow for specifying the external address when it thinks it's 10.1.10.10.)

For reference, this is what I see after the 360 turns on. (I did this after turning on the XBone, going through the multiplayer networking test, and verifying that there were no entries in iptables.)

Code:

Chain PREROUTING (policy ACCEPT 232 packets, 14828 bytes)
 pkts bytes target     prot opt in     out     source               destination
28038 1543K MINIUPNPD  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1991  101K MINIUPNPD  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1892 95854 MINIUPNPD  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain MINIUPNPD (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:26113 to:10.19.98.144:26113
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:10.19.98.144:3074
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1885K  163M MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Outbound traffic is masqueraded */
    0     0 MINIUPNPD-POSTROUTING  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 MINIUPNPD-POSTROUTING  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 MINIUPNPD-POSTROUTING  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
iptables: No chain/target/match by that name.
Chain MINIUPNPD (3 references)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 104M   11G ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* Allow anything from internal iface to get NATted */
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow all local traffic */
 177M  231G ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow responses to connections made from internal iface */
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            /* Allow all outbound connections from internal iface */
    0     0 MINIUPNPD  all  --  eth0   !eth0   0.0.0.0/0            0.0.0.0/0
    0     0 MINIUPNPD  all  --  eth0   !eth0   0.0.0.0/0            0.0.0.0/0
    0     0 MINIUPNPD  all  --  eth0   !eth0   0.0.0.0/0            0.0.0.0/0
Chain MINIUPNPD (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.19.98.144         udp dpt:26113
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.19.98.144         udp dpt:3074
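
Added example (not part of any post in this thread and not code from the miniupnpd project): a Python check that reads a listing in the layout printed by iptables_display.sh and reports whether a given LAN host has both the DNAT redirect and the filter ACCEPT rule in the MINIUPNPD chains. The sample listing is trimmed from the one above; the second console address 10.19.98.145 is hypothetical.

```python
import re

# Constructed sample, trimmed from the listing posted above: the Xbox 360 at
# 10.19.98.144 holds two mappings, the second console holds none.
SAMPLE = """\
Chain MINIUPNPD (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:26113 to:10.19.98.144:26113
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:10.19.98.144:3074
iptables: No chain/target/match by that name.
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MINIUPNPD  all  --  eth0   !eth0   0.0.0.0/0            0.0.0.0/0
Chain MINIUPNPD (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.19.98.144         udp dpt:26113
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.19.98.144         udp dpt:3074
"""


def miniupnpd_rules(listing):
    """Return (target, proto, host, port) for each rule in a MINIUPNPD* chain."""
    rules, chain = [], ""
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        cols = line.split(None, 9)
        # Skip other chains, column headers and error lines such as
        # "iptables: No chain/target/match by that name."
        if not chain.startswith("MINIUPNPD") or len(cols) < 10 or cols[0] == "pkts":
            continue
        target, proto, dest, extra = cols[2], cols[3], cols[8], cols[9]
        dpt = re.search(r"\bdpt:(\d+)", extra)
        to = re.search(r"\bto:(\d+(?:\.\d+){3}):(\d+)", extra)
        if target == "DNAT" and to:
            # Redirect rule: the LAN host and port are in the "to:" part.
            rules.append((target, proto, to.group(1), int(to.group(2))))
        elif target == "ACCEPT" and dpt:
            # Filter rule: the LAN host is the destination column.
            rules.append((target, proto, dest, int(dpt.group(1))))
    return rules


def diagnose(listing, host, port, proto="udp"):
    """Classify the mapping state for one LAN host and port."""
    rules = miniupnpd_rules(listing)
    has_dnat = ("DNAT", proto, host, port) in rules
    has_accept = ("ACCEPT", proto, host, port) in rules
    if has_dnat and has_accept:
        return "mapped"
    if has_dnat:
        return "redirect-only"   # forwarded packets still meet the FORWARD policy
    if has_accept:
        return "accept-only"     # nothing redirects the external port to the host
    return "no-mapping"          # no rule was installed for this host and port


if __name__ == "__main__":
    print(diagnose(SAMPLE, "10.19.98.144", 3074))  # the Xbox 360 in the listing
    print(diagnose(SAMPLE, "10.19.98.145", 3074))  # hypothetical second console
```
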

BoHiCa
Joined: 19 Jun 2015
Posts: 22
Posted: Wed Apr 20, 2016 5:08 am

I use a SmoothWall Express 3.1 router on my perimeter and also have Crapcast (not the business grade, but just the regular consumer level stuff).

One *key* difference in your config is that you are double-NAT'd, which can be quite problematic for things like this. It is very interesting that the 360 doesn't seem to care however. I think the XBone is giving up because some part of their test suite doesn't pass, so it doesn't even try to get the teredo port forward set up (udp: 3074). Why this matters is that essentially what M$ is doing is setting up a teredo tunnel between the XBone and XBox Live. Thus, much like with VPNs, the double-NAT is problematic.

Things I would try:

1. Make sure the iptables rules are cleaned out before testing the XBone. There is a script included with miniupnpd that will dump the chains for you: iptables_flush.sh (make sure it has MINIUPNPD-POSTROUTING in it and not the older MINIUPNPD-PCP-PEER chain). It is also possible that any lingering dingleberries from the 360 will mess up the XBone (e.g. the existing teredo forward to the 360). Then try the XBone again and check the output of iptables_display.sh again.

2. If it is at all possible, see if you can get your router configured to "bridge mode" which will pass your public IP to your router's WAN NIC. That will clear out the double-NAT scenario you are in now. I realize that may not be possible depending on other services you may be using of the ISP (VoIP, etc.), but with tunnels, double-NAT = toxic.

Your miniupnpd.conf file may also be of interest. Mine looks like this:

Code:
# WAN network interface
ext_ifname=eth3

# If the WAN interface has several IP addresses, you
# can specify the one to use below
ext_ip={public_ip}

# LAN network interfaces IPs / networks
# There can be multiple listening IPs for SSDP traffic
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
#  listening_ip=192.168.0.1/24 88.22.44.13
listening_ip=192.168.1.1
listening_ip=172.16.64.1

# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file

# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
#http_port=0
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0

# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

# Enable NAT-PMP support (default is no)
enable_natpmp=yes

# Enable UPNP support (default is yes)
enable_upnp=yes

# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
min_lifetime=120
max_lifetime=86400

# Lease file location
lease_file=/usr/etc/upnp.leases

# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)

# Name of this service, default is "`uname -s` router"
friendly_name=miniwall64

# Manufacturer name, default is "`uname -s`"
manufacturer_name=Smoothwall Express

# Manufacturer URL, default is URL of OS vendor
manufacturer_url=http://www.smoothwall.org/

# Model name, default is "`uname -s` router"
model_name=SmoothwallExpress-3.1-polar-x86_64-Update6

# Model description, default is "`uname -s` router"
model_description=A premiere, community supported router/firewall

# Model URL, default is URL of OS vendor
model_url=http://www.smoothwall.org/

# Bitrates reported by daemon in bits per second
# by default miniupnpd tries to get WAN interface speed
bitrate_up=512000
bitrate_down=8000000

# Secure Mode, UPnP clients can only add mappings to their own IP
secure_mode=yes

# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
presentation_url=https://192.168.1.1:441/cgi-bin/index.cgi

# Report system uptime instead of daemon uptime
system_uptime=yes

# Notify interval in seconds. default is 30 seconds.
notify_interval=60

# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
clean_ruleset_threshold=10

# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# uuid={guid}, generate your own UUID with "make genuuid"
uuid={guid}

# Daemon's serial and model number when reporting to clients
# (in XML description)
serial=2.0
model_number=3.1_igd-1_uda-1.1

# UPnP permission rules
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
allow 1024-65535 192.168.1.201/255.255.255.255 1024-65535
deny 0-65535 0.0.0.0/0 0-65535


Make sure your XBone is in the "allow" range. I only allow my XBone client to use the daemon, everything else is blocked out of using UPnP services on the perimeter firewall.

yakkowarner
Joined: 02 Dec 2015
Posts: 11
Posted: Wed Apr 20, 2016 5:58 am

I did have my gateway set to bridging mode at first. Then it got flipped back to routing. Since I can't change that myself (there's no setting for that on the gateway's admin web page), I had to contact Comcast support (business class is actually halfway decent when it comes to support, believe it or not) to have them flip it back to bridging. Then it flipped back to routing mode again a few days later. I can only guess that some periodic update gets pushed down to the gateway and resets it to routing mode. That's the point where I just gave up and put my server in the gateway's DMZ. It's not a perfect solution, but I figured it was better than having to contact support every few days.

Comparing my miniupnpd.conf file to yours.

I have presentation_url commented out (the comments say it'll default to port 80, but my server is running apache on port 80; could that be an issue?).

Other differences:
I have the following commented out, compared to yours that aren't: min_lifetime, max_lifetime, lease_file, friendly_name, manufacturer_name, manufacturer_url, model_name, model_description, model_url, bitrate_up, bitrate_down, clean_ruleset_threshold, serial, model_number.

My secure_mode=no
My allow is 1024-65535 10.19.98.0/24 1024-65535 (everything on my internal network).

When I first ran the test, the 360 was off, and I had just reset my iptables and loaded it with iptables_init. I did verify that there were no forwarding rules to the 360 at the time. I noticed that iptables_display's output has a line that reads "iptables: No chain/target/match by that name.", which got me curious, so I peeked in the iptables_display code, and found that's the line that lists MINIUPNPD-PCP-PEER. So that seems ok.

If it is a problem with double-NAT, then I may be stuck, since my gateway really wants to be a router and not a bridge. It doesn't appear to have uPnP on it, either (at least, not by that name) -- though I'm not sure how that would work simultaneously with the server in the DMZ (let alone an Xbox 360 that happily opens the same port when I need it).
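
Added example (not part of any post in this thread and not miniupnpd's own code): a Python model of how the two configurations compared above treat a port-mapping request, using the rule format given in the quoted miniupnpd.conf comments. It assumes that rules are tried in order with the first match deciding, that a request matching no rule is accepted, and that the address in a rule is compared with the internal client of the mapping; the hosts 192.168.1.50, 10.19.98.20 and 10.19.98.10 are hypothetical.

```python
import ipaddress

# Constructed inputs. STRICT is secure_mode and the rule set from the config
# quoted earlier in the thread; BROAD is the /24 allow rule and secure_mode=no
# from the reply above, with no closing deny modelled (the reply states none).
STRICT = """
secure_mode=yes
allow 1024-65535 192.168.1.201/255.255.255.255 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""
BROAD = """
secure_mode=no
allow 1024-65535 10.19.98.0/24 1024-65535
"""


def _ports(text):
    """Parse '<min>-<max>' or a single '<port>' into an inclusive range."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def load(conf_text):
    """Return (secure_mode, rules) parsed from miniupnpd.conf-style text."""
    secure, rules = False, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if line.startswith("secure_mode="):
            secure = line.split("=", 1)[1].strip() == "yes"
        elif len(fields) == 4 and fields[0] in ("allow", "deny"):
            # Accepts both /nn and dotted-mask forms, as used in the thread.
            net = ipaddress.ip_network(fields[2], strict=False)
            rules.append((fields[0], _ports(fields[1]), net, _ports(fields[3])))
    return secure, rules


def decide(conf_text, requester, int_client, ext_port, int_port):
    """Return (allowed, reason) for one port-mapping request."""
    secure, rules = load(conf_text)
    # secure_mode: a client may only add mappings to its own IP.
    if secure and requester != int_client:
        return False, "secure_mode"
    addr = ipaddress.ip_address(int_client)
    # Assumed semantics: rules are tried in order and the first match decides.
    for number, (action, ext, net, internal) in enumerate(rules, 1):
        if (ext[0] <= ext_port <= ext[1] and addr in net
                and internal[0] <= int_port <= internal[1]):
            return action == "allow", f"rule {number}"
    # Assumed semantics: a request that matches no rule is accepted.
    return True, "default"


if __name__ == "__main__":
    print(decide(STRICT, "192.168.1.201", "192.168.1.201", 3074, 3074))
    print(decide(STRICT, "192.168.1.50", "192.168.1.201", 3074, 3074))
    print(decide(BROAD, "10.19.98.20", "10.19.98.10", 8080, 8080))
    print(decide(BROAD, "10.19.98.144", "10.19.98.144", 80, 80))
```

Under these assumptions the last two requests show why the config comments advise ending the rule set with "deny 0-65535 0.0.0.0/0 0-65535" and why secure_mode matters on a shared LAN.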

Strobl
Joined: 28 Jul 2017
Posts: 1
Location: House
Posted: Fri Aug 04, 2017 7:00 am

Do you guys think it will work on the new xbox one X when it comes out?

BoHiCa
Joined: 19 Jun 2015
Posts: 22
Posted: Mon Aug 07, 2017 10:05 pm

Strobl wrote:
Do you guys think it will work on the new xbox one X when it comes out?

If M$ implements the UPnP standard in the X1X appropriately, it should work fine! M$, even though they are a founding member of UPnP, has historically introduced various "quirks" into their implementation of the UPnP standard. We'll just have to wait and see!

All times are GMT
Page 4 of 4

© 2007 Thomas Bernard, author of MiniUPNP.