miniupnp.tuxfamily.org

LinuxfarmerHH · Guest

Seems that i have miniupnpd 2.0.20170421-2 on my lede router.

The graphical Luci frontend in LEDE and OpenWRT does not offer miniupnpd support for IPv6, But it should be possible to configure that from the ssh login. There is no help for the IPv6 side at openwrt and lede, No offered config file to look inside.

But as so called ds-lite internet access is spreading here, port forward must be done at the IPv6 level, because IPv4 is shared. -> RFC6598

For testing reasons i tried this without success.

config upnpd 'config'
option download '1024'
option upload '512'
option internal_iface 'lan'
option port '5000'
option upnp_lease_file '/var/upnp.leases'
option enabled '1'
option uuid '8ddee5c9-1afd-4244-9c7c-1acebce29'
option enable_natpmp '0'

config perm_rule
option action 'allow'
option ext_ports '1025-65535'
option int_addr '::/a7f'
option int_ports '1025-65535'
option comment 'Windows IPv6 PC'

config perm_rule
option action 'deny'
option ext_ports '0-65535'
option int_addr '::/0'
option int_ports '0-65535'
option comment 'Default deny IPv6'

config perm_rule
option action 'deny'
option ext_ports '0-65535'
option int_addr '0.0.0.0/0'
option int_ports '0-65535'
option comment 'Default deny IPv4'

miniupnp · Site Admin Joined: 14 Apr 2007 Posts: 1587

I don't undestand what you are trying to do.
Does miniupnpd responds to IPv6 SSDP queries ?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

LinuxfarmerHH · Guest

Like to have miniupnpd to only pinhole for the ::e7e computer in the IPv6 Range. Tried with scan6 but got no response as result, because there is some kind of config error.

parsing error file /var/etc/miniupnpd.conf line 13 : allow 1025
parsing error file /var/etc/miniupnpd.conf line 14 : deny 0

Found that in this config file.

ext_ifname=eth0.2
listening_ip=br-lan
port=5000
enable_natpmp=no
enable_upnp=yes
secure_mode=yes
pcp_allow_thirdparty=no
system_uptime=yes
lease_file=/var/upnp.leases
bitrate_down=8388608
bitrate_up=4194304
uuid=8ddee5c9-1afd-4244-9c7c-1acf302936d9
allow 1025-65535 ::/e7e 1025-65535
deny 0-65535 ::/0 0-65535

How should that lines look like?

miniupnp · Site Admin Joined: 14 Apr 2007 Posts: 1587

LinuxfarmerHH · Guest

Checked that it is compiled with --IGD2 and -IPV6, now with more logging i can see this.

Sun Sep 3 14:55:48 2017 daemon.info miniupnpd[2917]: system uptime is 414602 seconds
Sun Sep 3 14:55:48 2017 daemon.info miniupnpd[2917]: Reloading rules from lease file
Sun Sep 3 14:55:48 2017 daemon.info miniupnpd[2917]: version 2.0 starting UPnP-IGD ext if eth0.2 BOOTID=1504450548
Sun Sep 3 14:55:48 2017 daemon.notice miniupnpd[2917]: HTTP listening on port 5000
Sun Sep 3 14:55:48 2017 daemon.notice miniupnpd[2917]: HTTP IPv6 address given to control points : [2a02:2028:cb80:2e00::1]

Is there any example for the ipv6 ACL lines?

miniupnp · Site Admin Joined: 14 Apr 2007 Posts: 1587

There is no ACL for IPv6 pin holes.
That feature is rarely used. Most users stick to IGD1 as IGD2 cause compatibility issues
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

LinuxfarmerHH · Guest

Is it possible to limit the port forward range to the upper ports from 1024 for security reasons?
Please insert config examples into the readme or howto file.

miniupnp · Site Admin Joined: 14 Apr 2007 Posts: 1587

I think you need to patch at source level to do so.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/