IGD2 Port triggering
AndyF, Tue Nov 17, 2015 9:34 pm, subject: IGD2 Port triggering

Hi, does miniupnpd support what the IGD2 specs call port triggering?

I mean that when a client requests an internal port different from the external port, the reverse is also set up, so the source port gets changed on outgoing packets.

Section 2.5.16 figure 2.2 in

UPnP-gw-WANIPConnection-v2-Service.pdf

I am using Linux/netfilter

TIA.
miniupnp (Site Admin), Tue Nov 24, 2015 8:49 am

I don't think so.

Can you provide the iptables rules that you use to do port triggering?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
AndyF, Tue Nov 24, 2015 10:28 am

It was early days of me trying to solve an issue when I posted.

The term port triggering in the UPnP docs somewhat confuses me as to what they exactly mean, as other definitions I've read do indeed seem to be "impossible" with iptables.

I did manage to solve my issue, but I was/am using igd2-for-linux.

The issue is three Xbox Ones with the game Black Ops 3.

Previously we had 3 Xbox 360s which have now been traded in.

The 360s were easy to get open NAT as they would ask for UDP 3074 and if they couldn't have it they would ask for and use another port - the "and use" being important here. Games would also use this new port and would have open NAT.

The Xbox One itself behaves the same: it tries for 3074, and if it can't have it, it gets another port and uses it (so it will have open NAT even on old IGD). Games (well, only BO3 is tested so far) are different: they also try for a port (3075 for BO3), but if they can't have it they will ask for another but still want to use 3075 internally.

So with IGDv1 behavior the Xbox Ones will show open NAT but at least 2 out of 3 games will have moderate NAT.

I use Linux From Scratch and a little DC PC as a router and other things.

The "fix" for me was a lazy and so far incomplete copy & paste hack to the igd2-for-linux code, which is only really going to work for me on my setup.

The hack is that when the game asks to open a port I also set up a masq rule for outbound connections from that internal host:port that maps to the new external port. This seems to be what IGD2 requires, and it certainly gets me open NAT for BO3 on all 3 consoles.

Here's how it looks from the logs; the line starting ADF is my "hack".

Code:

Nov 23 21:18:09 asr upnpd[25021]: ActionName = AddPortMapping
Nov 23 21:18:09 asr upnpd[25021]: Portmapping with same external port '3075' and protocol 'UDP' are mapped to another client already.
Nov 23 21:18:12 asr upnpd[25021]: ActionName = AddPortMapping
Nov 23 21:18:12 asr upnpd[25021]: /sbin/iptables -I FORWARD -p UDP -d 192.168.0.220 --dport 3075 -j ACCEPT
Nov 23 21:18:12 asr upnpd[25021]: /sbin/iptables -t nat -I PREROUTING -i ppp0 -p UDP --dport 3120 -j DNAT --to 192.168.0.220:3075
Nov 23 21:18:12 asr upnpd[25021]: ADF /sbin/iptables -t nat -I POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 -j MASQUERADE --to-ports 3120
miniupnp (Site Admin), Tue Nov 24, 2015 10:53 am

OK, I see what should be done.
miniupnp (Site Admin), Wed Nov 25, 2015 5:12 pm

see https://github.com/miniupnp/miniupnp/issues/166
miniupnp (Site Admin), Wed Nov 25, 2015 9:21 pm

Won't it work with
Code:
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 --dport 3120 -j SNAT --to-source 192.168.0.220:3120

because it is already implemented for PCP-PEER :)
miniupnp (Site Admin), Wed Nov 25, 2015 9:29 pm

miniupnp wrote:
Won't it work with
Code:
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 --dport 3120 -j SNAT --to-source 192.168.0.220:3120

because it is already implemented for PCP-PEER :)

Should be
Code:
--to-source <public.ip>:3120


Looking at the documentation, MASQUERADE is probably better.
miniupnp (Site Admin), Wed Nov 25, 2015 9:37 pm

I'm not even sure addpeernatrule() works...
AndyF, Wed Dec 02, 2015 10:03 pm

Bit late - I didn't get any mail notifications for the latest posts.

On SNAT vs MASQUERADE, I did MASQUERADE because that's what I use, as my IP address is dynamic. I used to have a static with a previous ISP and would have used SNAT if I were still with them.

I don't know about PCP-PEER or if Xbox would use PCP at all.

I notice that the example appends (-A), but you would really need to insert (-I) anything in POSTROUTING, or the connection would get caught by the normal/resident SNAT/MASQUERADE rule that will typically be there already.
miniupnp (Site Admin), Tue Jan 26, 2016 3:40 pm

I implemented the MASQUERADING rule:
https://github.com/miniupnp/miniupnp/tree/postrouting
miniupnp (Site Admin), Tue Jan 26, 2016 4:04 pm

I'm adding a specific chain for miniupnpd rules
Code:

iptables -t nat -A POSTROUTING -o ppp0 -j MINIUPNPD-POSTROUTING
(in your boot time iptables init)

then miniupnpd will add:
Code:

iptables -t nat -A MINIUPNPD-POSTROUTING -o ppp0 -s 192.168.0.220 -p UDP --sport 3075 -j MASQUERADE --to-ports 3120

AndyF, Tue Jan 26, 2016 4:15 pm

Cool, I can't say when exactly but I will test (after re-reading the other xbox one thread) sometime.

I think the new table will need to be inserted rather than appended.

Edit: I mean the jump to the new chain.
miniupnp (Site Admin), Tue Jan 26, 2016 4:31 pm

AndyF wrote:
I think the new table will need to be inserted rather than appended.

Edit: I mean the jump to the new chain.

It all depends on how your chains are initialized at boot time.
Several -I in a script put the rules in reverse order :)
Have a look at the netfilter/iptables_init.sh script, which is only an example.
AndyF, Tue Jan 26, 2016 5:32 pm

Yes, you are right - I guess it could be quite a pain/source of error for you having to support varied platforms and needing to know what they do and in what order.

As an LFS user I don't have/use all these "normal" scripts, so I get to break/mend my own stuff :)

So yeah, when I get to test I will just adjust my setup to suit.

Currently, using hacked/IGD2, I need to insert, as I am working directly in POSTROUTING. I will need miniupnpd to come up before my iptables to use it as is.
AndyF, Thu Jan 28, 2016 5:33 pm

I got to test today. I didn't try anything "special" with the build, used the default config.h and only changed a few things in miniupnpd.conf. Adjusted iptables_init.sh to fit with my existing setup.

The .conf diff is just as below (posted in case I did something stupid, being a total beginner with miniupnpd!).

In summary it works OK - the xboxes and the game open the ports/react to taken ports just as with my existing setup, but there is one potential issue.

The xbones themselves seem to be consistent in what port they ask for (I guess because they are getting the same IP from DHCP) if their first choice is gone.

The game (Black Ops 3) isn't. It requests 3075 and if it's gone it requests some other apparently random port 3xxx.

Why is this an issue? Well, it may not be, by luck, for this game (need more time to test), but this is what I get when I tested by bringing up XB_1 + the game, then bringing up XB_2 + the game.

Code:

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:192.168.0.220:3074
    1    43 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3075 to:192.168.0.220:3075
    1   137 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:56437 to:192.168.0.221:56437
    1    43 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3135 to:192.168.0.221:3075

Chain MINIUPNPD-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   178 MASQUERADE  udp  --  *      ppp0    192.168.0.220        0.0.0.0/0            udp spt:3074 masq ports: 3074
   43  1646 MASQUERADE  udp  --  *      ppp0    192.168.0.220        0.0.0.0/0            udp spt:3075 masq ports: 3075
    1    89 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:56437 masq ports: 56437
   40  1532 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:3075 masq ports: 3135


After shutting both down and repeating, the first xbox gets the same ports, the second xbox gets the same second choice as previously, but the game goes for a random port after failing to get 3075, leading to this situation -

Code:

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   137 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:192.168.0.220:3074
    2    86 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3075 to:192.168.0.220:3075
    2   274 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:56437 to:192.168.0.221:56437
    2    86 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3135 to:192.168.0.221:3075
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3090 to:192.168.0.221:3075

Chain MINIUPNPD-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   267 MASQUERADE  udp  --  *      ppp0    192.168.0.220        0.0.0.0/0            udp spt:3074 masq ports: 3074
   83  3178 MASQUERADE  udp  --  *      ppp0    192.168.0.220        0.0.0.0/0            udp spt:3075 masq ports: 3075
    2   178 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:56437 masq ports: 56437
   82  3140 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:3075 masq ports: 3135
    0     0 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:3075 masq ports: 3090


As you can see, this time the game on XB_2 requested 3090 external (it always used 3075 internal), but as the rules are appended, the masq to the previous port (3125) is still being used.

By chance this still works - the game reports open NAT. I guess what happens is that it connects out and the server does the NAT test by firing back a new connection on the port it sees, rather than relying on any communication about what ports have just been opened via UPnP. You can see the counter on the DNAT rule for 3135 has incremented.

It remains to be seen whether the game itself, e.g. p2p voice comms, is affected - I did a quick test and could join/play OK.

Being new to miniupnpd I don't have verbose logs or know how to tweak/what the default timeouts are etc. On my old setup I made rules only last 18 hours just to avoid having tables full of old rules (IIRC the default was a week).

Code:

--- a/miniupnpd/miniupnpd.conf
+++ b/etc/miniupnpd/miniupnpd.conf
@@ -1,5 +1,5 @@
 # WAN network interface
-#ext_ifname=eth1
+ext_ifname=ppp0
 #ext_ifname=xl1
 # If the WAN interface has several IP addresses, you
 # can specify the one to use below
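Review bot: the two header paths differ (`a/miniupnpd/miniupnpd.conf` against `b/etc/miniupnpd/miniupnpd.conf`), so this is the source-tree sample compared with the installed copy rather than a patch that applies with `patch -p1`; worth saying so in the post. `ext_ifname=ppp0` matches the `-o ppp0` used in the MASQUERADE rules earlier in the thread, which is the interface match that has to be right for the outbound source-port rewrite.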
@@ -16,7 +16,7 @@
 #  listening_ip=192.168.0.1/24 88.22.44.13
 #listening_ip=192.168.0.1/24
 #listening_ip=10.5.0.0/16
-#listening_ip=eth0
+listening_ip=eth0
 # CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
 # Be sure to assign the correct interfaces to LAN and WAN and consider
 # implementing UPnP permission rules at the bottom of this configuration file
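Review bot: `listening_ip=eth0` gives an interface name where the commented examples give addresses with prefixes; that form is accepted, but since `ext_ifname=ppp0` is the WAN side, the CAUTION lines in this same hunk are what to verify here: eth0 must carry only the 192.168.0.0/24 LAN that the `allow` rule later refers to, otherwise the daemon would answer UPnP requests on the wrong side.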
@@ -75,12 +75,12 @@
 
 # Bitrates reported by daemon in bits per second
 # by default miniupnpd tries to get WAN interface speed
-#bitrate_up=1000000
-#bitrate_down=10000000
+bitrate_up=15000000
+bitrate_down=60000000
 
 # Secure Mode, UPnP clients can only add mappings to their own IP
-#secure_mode=yes
-secure_mode=no
+secure_mode=yes
+#secure_mode=no
 
 # Default presentation URL is HTTP address on port 80
 # If set to an empty string, no presentationURL element will appear
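Review bot: switching to `secure_mode=yes` is the important change in this hunk: the MASQUERADE rules in this thread are keyed on the requesting host's `-s` address, and with `secure_mode=no` any LAN client could register a mapping, and therefore an outbound source-port rewrite, for another host's address. The bitrate values are in bits per second per the comment above them, so 15000000/60000000 reads as 15 Mbit up and 60 Mbit down.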
@@ -142,7 +142,7 @@ uuid=514972fd-03d8-42a1-9f6d-4ab15e17b73f
 # also consider implementing network-specific restrictions
 # CAUTION: failure to enforce any rules may permit insecure requests to be made!
 allow 1024-65535 192.168.0.0/24 1024-65535
-allow 1024-65535 192.168.1.0/24 1024-65535
-allow 1024-65535 192.168.0.0/23 22
-allow 12345 192.168.7.113/32 54321
+#allow 1024-65535 192.168.1.0/24 1024-65535
+#allow 1024-65535 192.168.0.0/23 22
+#allow 12345 192.168.7.113/32 54321
 deny 0-65535 0.0.0.0/0 0-65535
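Review bot: the surviving `allow 1024-65535 192.168.0.0/24 1024-65535` lets every host in the /24 map any external port from 1024 upward, which the consoles' random 3xxx/5xxxx choices require, but it is broader than the per-host form in the removed `allow 12345 192.168.7.113/32 54321`; if only the three consoles need mappings, one allow line per console address (with `deny 0-65535 0.0.0.0/0 0-65535` kept last, as it is here) narrows the exposure.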
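An added example, not miniupnpd's or AndyF's code, that builds the DNAT/MASQUERADE pair from the thread's final rule scheme and detects the shadowed-rule situation shown in the listings above. The chain names (MINIUPNPD, MINIUPNPD-POSTROUTING) and interface ppp0 are taken from the thread, the listing embedded in the code is copied from the second test, and mapping_rules, parse_masq_rules and shadowed_mappings are this example's own names.

```python
import re

def mapping_rules(ext_if, int_ip, int_port, ext_port, proto="udp", insert=False):
    """Return the two nat-table rules (as argv lists) for one IGD2-style mapping:
    inbound DNAT ext_port -> int_ip:int_port, plus the reverse MASQUERADE that
    rewrites the source port of outbound packets from int_ip:int_port to ext_port.
    insert=True uses -I so the new rule wins over an older one for the same source."""
    op = "-I" if insert else "-A"
    dnat = ["iptables", "-t", "nat", op, "MINIUPNPD", "-i", ext_if, "-p", proto,
            "--dport", str(ext_port), "-j", "DNAT", "--to", f"{int_ip}:{int_port}"]
    masq = ["iptables", "-t", "nat", op, "MINIUPNPD-POSTROUTING", "-o", ext_if,
            "-s", int_ip, "-p", proto, "--sport", str(int_port),
            "-j", "MASQUERADE", "--to-ports", str(ext_port)]
    return dnat, masq

# One MASQUERADE line of `iptables -t nat -L MINIUPNPD-POSTROUTING -v -n`.
MASQ_RE = re.compile(
    r"^\s*\d+\s+\d+\s+MASQUERADE\s+(?P<proto>\w+)\s+--\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+\S+\s+\w+\s+spt:(?P<sport>\d+)\s+masq ports:\s*(?P<ext>\d+)")

def parse_masq_rules(listing):
    """Parse the -v -n listing into (proto, src, sport, ext_port) tuples, in chain order."""
    return [(m["proto"], m["src"], int(m["sport"]), int(m["ext"]))
            for m in map(MASQ_RE.match, listing.splitlines()) if m]

def shadowed_mappings(rules):
    """netfilter takes the first matching rule, so a later MASQUERADE for the same
    (proto, src, sport) is dead: outbound traffic keeps the older external port.
    Returns {(proto, src, sport): [external ports that will never be used]}."""
    first, dead = {}, {}
    for proto, src, sport, ext in rules:
        key = (proto, src, sport)
        if key in first:
            dead.setdefault(key, []).append(ext)
        else:
            first[key] = ext
    return dead

# Listing copied from the thread's second test (XB_2's game re-requested 3090).
SAMPLE_LISTING = """\
Chain MINIUPNPD-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   267 MASQUERADE  udp  --  *      ppp0    192.168.0.220        0.0.0.0/0            udp spt:3074 masq ports: 3074
   83  3178 MASQUERADE  udp  --  *      ppp0    192.168.0.220        0.0.0.0/0            udp spt:3075 masq ports: 3075
    2   178 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:56437 masq ports: 56437
   82  3140 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:3075 masq ports: 3135
    0     0 MASQUERADE  udp  --  *      ppp0    192.168.0.221        0.0.0.0/0            udp spt:3075 masq ports: 3090
"""
```

Running shadowed_mappings over the parsed sample reports the 3090 rule for 192.168.0.221:3075/udp as dead, which is exactly the "masq to the previous port is still being used" observation in the post; on a live box, feed it the output of the -L -v -n command instead.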
© 2007 Thomas Bernard, author of MiniUPNP.