miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 

Cannot add IPv6 PinHoles to OpenWrt and other CPEs

 
fredy



Joined: 14 Aug 2019
Posts: 6

Posted: Fri Aug 16, 2019 3:48 am    Post subject: Cannot add IPv6 PinHoles to OpenWrt and other CPEs

With IPv6 being a reality in most residential scenarios nowadays, I have been trying to use the miniupnp client to allow incoming connections through the router towards the LAN device with IPv6, possibly known as IPv6FirewallControl.

I have tested on various devices and apparently almost none of them worked properly so I am trying to understand exactly if the problem is on the miniupnp client, on the router running miniupnpd or anywhere else.

The first classical test I have done was in a router running OpenWrt 18.06 and miniupnpd 2.1-1 with IPv6 addresses in both WAN and LAN.
I have downloaded the miniupnp client upnpc-exe-win32-20150918.zip for Windows and tried the following example command:

upnpc -6 -A "" "" 2001:db8:1234::5678 12345 tcp 300
(where 2001:db8:1234::5678 is an example for the IPv6 address of the device I want to allow the incoming connection)

For OpenWrt 18.06 it worked and added the ip6tables rule but with a bad limitation: the Windows machine gets its IPv6 addresses by both RA (Stateless) and DHCPv6 (Stateful). It had 3 addresses, 1 via DHCPv6 and 2 via SLAAC (for those Temporary IPv6 Addresses). It only works for 1 of the addresses and not for the other two. This may be a problem depending on the IPv6 Address the application making the request chooses to be used on the request. I even tried to disable "Enable secure mode" in miniupnpd configuration but it keeps giving the same error which is:

AddPinhole([]: -> [2001:db8:1234::5678]:12345) failed with code 606 (Action not authorized)
(Obs: real IPv6 address replaced for posting here)

I have tried not only in an OpenWrt 18.06 device but also with OpenWrt 17.01 running miniupnpd 2.0, in a newer TP-Link and some other custom ISP Routers from MitraStar, all with UPnP support enabled, and none of them worked as expected. In OpenWrt 17.01 and MitraStar, if I allow the connection by manually adding a firewall rule it works fine, but not via UPnP support.

The error I keep getting in most scenarios is: AddPinhole([]: -> [2001:db8:1234::5678]:12345) failed with code -3 (UnknownError)

I also get the following error message sometimes: AddPinhole([]: -> [2001:db8:1234::5678]:12345) failed with code 401 (Invalid Action)

I am trying to understand if the problem may be on the upnp daemon running in the routers tested, on the miniupnp client I am using to make this test or on the command syntax.

For OpenWrt 17.01 (which runs miniupnpd 2.0.20170421-2), although it doesn't have the option specifically about the IGD version to advertise, it is possible to see in the logs that it also listens on an IPv6 Address.
When trying to run the command in the client, on the miniupnpd server side I get the following: "daemon.notice miniupnpd[3622]: SoapMethod: Unknown: AddPinhole"

In any case where it doesn't work when running the miniupnp client and trying to AddPinholes, I always get a: "Local LAN ip address : 192.168.1.10" instead of, for example, the local IPv6 address.

Has anyone ever been able to confirm it works with OpenWrt 17.01 and miniupnpd version 2.0 or earlier since support for IPv6 and IGD2 was added, or with any of the most recent residential wifi routers available in the market?
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1474

Posted: Sun Sep 01, 2019 10:13 pm

miniupnpd enforces the "InternalClient value equals to the control point's IP address." check.
If you have 3 IPv6 addresses, upnpc is only picking one of them...
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
fredy

Joined: 14 Aug 2019
Posts: 6

Posted: Sun Sep 01, 2019 11:05 pm

Then that may be an issue because in IPv6 it is quite common to have multiple addresses on the interface, especially when the Operating System has Temporary IPv6 Addresses enabled (which seems to be the default).

Add to that that some systems may also normally get both an RA and a DHCPv6 address.

Perhaps a mechanism by which the daemon can double-check that whoever requested the ACL to be added is the same device.
Servers normally will not have Temporary Addresses enabled, and in that case it is very likely there will be a manual ACL added and not one via miniupnpd.


Last edited by fredy on Sun Sep 01, 2019 11:07 pm; edited 1 time in total
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1474

Posted: Sun Sep 01, 2019 11:07 pm

How can the daemon check two different IPs are the same device ?
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
fredy

Joined: 14 Aug 2019
Posts: 6

Posted: Sun Sep 01, 2019 11:09 pm

miniupnp wrote:
How can the daemon check two different IPs are the same device ?


Maybe some kind of token or simple authentication mechanism. The important thing is that a device holding any IPv6 Address be able to request an ACL to be added to the firewall for its usage and simplification for the end-user.
fredy

Joined: 14 Aug 2019
Posts: 6

Posted: Sun Sep 01, 2019 11:19 pm

Also could you please comment on the other points to help find out what the errors were ? I know some of them may be specific to OpenWrt and I have already reported to them, but I have posted here also to be able to identify it with more accuracy and perhaps fix them.

The points that remain unclear are:

- What does "code 606 (Action not authorized)" exactly mean ?

- What does "code -3 (UnknownError)" exactly mean in the above context ?

- What does "failed with code 401 (Invalid Action)" exactly mean and how does it differ from the previous one ?

- Could the version of Miniupnpd used in OpenWrt 17.01 (2.0.20170421-2) just have not been compiled with --igd2 option or do you think the issue is related to another point ? Since it exists since 2012 I find strange it is not there so wanted to confirm if it just wasn't compiled with IGD2.

- What does this error message mean: "daemon.notice miniupnpd[3622]: SoapMethod: Unknown: AddPinhole" ? Lack of IGD2 support or anything else ?

- Is it normal that upnpc (client) only shows the IPv4 address as Local LAN Address instead of the IPv6 or/as well ?

Thanks
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1474

Posted: Sun Sep 01, 2019 11:20 pm

The IGD Control point should use the same IP address it requests the pinhole for...
Have you tested with other software ?
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
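
The address rule stated in the replies above ("InternalClient value equals to the control point's IP address"), as an added example in C that is not part of the thread and is not miniupnpd or miniupnpc code. The function names `check_internal_client` and `source_addr_for` are hypothetical, the addresses are constructed from the documentation prefix, 606 is the error code quoted in the thread, and POSIX sockets are assumed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define UPNP_NOT_AUTHORIZED 606 /* error code quoted in the thread */

/* Daemon-side rule (sketch): InternalClient must be the address the request
 * came from. Compare parsed addresses so spelling differences do not matter. */
int check_internal_client(const char *peer, const char *internal_client)
{
    struct in6_addr a, b;
    if (inet_pton(AF_INET6, peer, &a) != 1 ||
        inet_pton(AF_INET6, internal_client, &b) != 1)
        return UPNP_NOT_AUTHORIZED;
    return memcmp(&a, &b, sizeof a) == 0 ? 0 : UPNP_NOT_AUTHORIZED;
}

/* Client side: ask the kernel which source address it selects toward the IGD.
 * connect() on a UDP socket sends no packet. Returns 0 and fills out, or -1. */
int source_addr_for(const char *igd, char *out, socklen_t outlen)
{
    struct sockaddr_in6 dst, src;
    socklen_t len = sizeof src;
    int fd, rc = -1;
    memset(&dst, 0, sizeof dst);
    dst.sin6_family = AF_INET6;
    dst.sin6_port = htons(1900); /* any port works; only the route matters */
    if (inet_pton(AF_INET6, igd, &dst.sin6_addr) != 1) return -1;
    if ((fd = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) == 0 &&
        getsockname(fd, (struct sockaddr *)&src, &len) == 0 &&
        inet_ntop(AF_INET6, &src.sin6_addr, out, outlen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    char src[INET6_ADDRSTRLEN];
    /* Constructed case: request arrives from one address, asks for another. */
    printf("mismatch -> %d\n",
           check_internal_client("2001:db8:1234::5678", "2001:db8:1234::abcd"));
    if (source_addr_for("::1", src, sizeof src) == 0)
        printf("source toward ::1 is %s\n", src);
    return 0;
}
```

Passing the router's address to `source_addr_for` gives the address to request the pinhole for on a host with several IPv6 addresses. For a link-local router address, `sin6_scope_id` must also be set, which this sketch leaves at zero.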
fredy

Joined: 14 Aug 2019
Posts: 6

Posted: Sun Sep 01, 2019 11:30 pm

miniupnp wrote:

Have you tested with other software ?


No I haven't so far..

Do you think it would be a wrong approach to have some mechanism that validated that the requesting device is the holder of the other IPv6 addresses for which it may be requesting the ACL ?

The reason I ask this is because, due to these methods that allow having multiple IPv6 Addresses (Temporary Addresses or RA + DHCPv6), it happens sometimes that the outgoing IP used isn't necessarily the one shown as "IPv6 Address" in Windows or the first one that appears on the interface on Linux systems and this may confuse or make things work in expected way either for the user or for the device which is requesting the ACL.
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1474

Posted: Sun Sep 01, 2019 11:31 pm

fredy wrote:
Also could you please comment on the other points to help find out what the errors were ? I know some of them may be specific to OpenWrt and I have already reported to them, but I have posted here also to be able to identify it with more accuracy and perhaps fix them.

The points that remain unclear are:

- What does "code 606 (Action not authorized)" exactly mean ?

hum... I don't know how to be more precise. it means the action is not Authorized !
see http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf page 16
fredy wrote:

- What does "code -3 (UnknownError)" exactly mean in the above context ?

I think there is some kind of HTTP error. You should capture the SOAP stream to know more.
fredy wrote:

- What does "failed with code 401 (Invalid Action)" exactly mean and how does it differ from the previous one ?

401 invalid action is a UPnP error code. It means the action (AddPinhole) is not supported by the UPNP Device
fredy wrote:

- Could the version of Miniupnpd used in OpenWrt 17.01 (2.0.20170421-2) just have not been compiled with --igd2 option or do you think the issue is related to another point ? Since it exists since 2012 I find strange it is not there so wanted to confirm if it just wasn't compiled with IGD2.

I don't know. Please ask the relevant people in OpenWrt for the options the miniupnpd package has been compiled with.
fredy wrote:

- What does this error message mean: "daemon.notice miniupnpd[3622]: SoapMethod: Unknown: AddPinhole" ? Lack of IGD2 support or anything else ?

It means miniupnpd was not built with IGD2 and IPv6 support.
fredy wrote:

- Is it normal that upnpc (client) only shows the IPv4 address as Local LAN Address instead of the IPv6 or/as well ?
have you tried the "-6" command line option ?
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1474

Posted: Sun Sep 01, 2019 11:34 pm

fredy wrote:
miniupnp wrote:

Have you tested with other software ?


No I haven't so far..

Do you think it would be a wrong approach to have some mechanism that validated that the requesting device is the holder of the other IPv6 addresses for which it may be requesting the ACL ?

The reason I ask this is because, due to these methods that allow having multiple IPv6 Addresses (Temporary Addresses or RA + DHCPv6), it happens sometimes that the outgoing IP used isn't necessarily the one shown as "IPv6 Address" in Windows or the first one that appears on the interface on Linux systems and this may confuse or make things work in expected way either for the user or for the device which is requesting the ACL.

miniupnpd and miniupnpc don't currently support the UPnP DeviceProtection. You should look for an IGD2 implementation that supports it.
http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf
http://upnp.org/specs/gw/UPnP-gw-DeviceProtection-V1-Service.pdf
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
fredy

Joined: 14 Aug 2019
Posts: 6

Posted: Sun Sep 01, 2019 11:45 pm

miniupnp wrote:

hum... I don't know how to be more precise. it means the action is not Authorized !
see http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf page 16

Sorry, maybe I wasn't clear enough in my question. Obviously it means it was not Authorized, but I wanted to find out if perhaps it could be due to the IPv6 Address stated in the command line being different from the one upnpc picks up from the Operating System when it communicates with the miniupnpd daemon in the router.
However, if I remember well, when I tested I tried with every single IPv6 Address of the interface and I got the same error message. I may be able to double check that with a known version of miniupnpd with igd2 compiled.

miniupnp wrote:

- What does "failed with code 401 (Invalid Action)" exactly mean and how does it differ from the previous one ?
401 invalid action is a UPnP error code. It means the action (AddPinhole) is not supported by the UPNP Device

Then I understand the miniupnpd daemon at the router may have not been compiled with IGD2 and IPv6 support.

miniupnp wrote:

- Is it normal the upnpc (client) only shows the IPv4 address as Local LAN Address instead of the IPv6 or/as well.
have you tried the "-6" command line option ?

Yes I did and it always shows the IPv4 address.
miniupnp
Site Admin

Joined: 14 Apr 2007
Posts: 1474

Posted: Sun Sep 01, 2019 11:48 pm

fredy wrote:
miniupnp wrote:

hum... I don't know how to be more precise. it means the action is not Authorized !
see http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf page 16

Sorry, I think I wasn't clear enough in my question. Obviously it means it was not Authorized, but I wanted to find out if perhaps it could be due to the IPv6 Address stated in the command line being different from the one upnpc picks up from the Operating System when it communicates with the miniupnpd daemon in the router.
However, if I remember well, when I tested I tried with every single IPv6 Address of the interface and I got the same error message. I may be able to double check that with a known version of miniupnpd with igd2 compiled.
you should check the logs on the IGD to get more details.
fredy wrote:

miniupnp wrote:

- What does "failed with code 401 (Invalid Action)" exactly mean and how does it differ from the previous one ?
401 invalid action is a UPnP error code. It means the action (AddPinhole) is not supported by the UPNP Device

Then I understand the miniupnpd daemon at the router may have not been compiled with IGD2 and IPv6 support.

miniupnp wrote:

- Is it normal the upnpc (client) only shows the IPv4 address as Local LAN Address instead of the IPv6 or/as well.
have you tried the "-6" command line option ?

Yes I did and it always shows the IPv4 address.

well then you should file a bug report https://github.com/miniupnp/miniupnp/issues
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
All times are GMT
© 2007 Thomas Bernard, author of MiniUPNP.