How to allow UPnP from multiple subnets?

[cabbagepatchkid]

Hi All,

I have a RT-N66U running merlin with the IP address 192.168.1.1. Connected wirelessly to that I have a TP-Link router running DD-WRT. This has the IP address 192.168.2.1 and there's an entry in the routing table on the merlin to this router. This all works fine except for when it comes to UPnP.

If a device on the DD-WRT tries to use UPnP the following message appears in the merlin log:

HTTP peer 192.168.2.2:43392 is not from a LAN, closing the connection

Using the JFFS custom scripts feature, I have created a copy of the miniupnpd config file and edited in an attempt to let it accept connections from this subnet, however it doesn't work and I instead get the messages below.

Any idea how I can get this working? Thanks!

Jan 4 21:59:50 miniupnpd[654]: HTTP listening on port 59383
Jan 4 21:59:50 miniupnpd[654]: setsockopt(udp, IP_ADD_MEMBERSHIP): No such device
Jan 4 21:59:50 miniupnpd[654]: Failed to add multicast membership for interface 192.168.2.0
Jan 4 21:59:50 miniupnpd[654]: setsockopt(udp, IP_ADD_MEMBERSHIP): No such device
Jan 4 21:59:50 miniupnpd[654]: Failed to add multicast membership for interface 192.168.1.0
Jan 4 21:59:50 miniupnpd[654]: setsockopt(udp_notify, IP_MULTICAST_IF): Cannot assign requested address
Jan 4 21:59:50 miniupnpd[654]: Failed to open sockets for sending SSDP notify messages. EXITING

Here's my config file:

ext_ifname=eth0
#listening_ip=br0
listening_ip=192.168.1.0/24
listening_ip=192.168.2.0/24
port=0
enable_upnp=yes
enable_natpmp=yes
secure_mode=yes
upnp_nat_postrouting_chain=PUPNP
upnp_forward_chain=FUPNP
upnp_nat_chain=VUPNP
min_lifetime=120
max_lifetime=86400
notify_interval=60
system_uptime=yes
friendly_name=RT-N66U
model_number=380.63
serial=f8:32:e4:ab:96:70
lease_file=/tmp/upnp.leases
clean_ruleset_interval=600
clean_ruleset_threshold=20
presentation_url=http://192.168.1.1:80/
uuid=99fcb29e-92b9-4b29-9e0e-70f4edf7718e

allow 1024-65535 192.168.1.0/24 1-65535
allow 1024-65535 192.168.2.0/24 1-65535

deny 0-65535 0.0.0.0/0 0-65535

 

[ColinTaylor]

It appears to be failing because 192.168.1.0/24 and 192.168.2.0/24 are not interfaces. Try removing those 2 listening_ip entries and going back to "listening_ip=br0".

If that doesn't work you could try "listening_ip=192.168.0.0/22"

If all else fails you might have to create a virtual interface for the 192.168.2.0 network.

 

[cabbagepatchkid]

Thanks Colin, I've tried your suggestions.

When I set the listening interface back to br0, I see this message in the logs:

Jan 7 16:03:03 miniupnpd[660]: HTTP peer 192.168.2.2:44977 is not from a LAN, closing the connection

When I set it to 192.168.0.0/22 I see the following:

Jan 7 16:06:33 miniupnpd[657]: HTTP listening on port 51961
Jan 7 16:06:33 miniupnpd[657]: setsockopt(udp, IP_ADD_MEMBERSHIP): No such device
Jan 7 16:06:33 miniupnpd[657]: Failed to add multicast membership for interface 192.168.0.0
Jan 7 16:06:33 miniupnpd[657]: setsockopt(udp_notify, IP_MULTICAST_IF): Cannot assign requested address
Jan 7 16:06:33 miniupnpd[657]: Failed to open sockets for sending SSDP notify messages. EXITING

What would the settings be for a virtual interface?

 

[john9527]

Try this.....

listening_ip=192.168.1.1/24
listening_ip=192.168.2.1/24

 

[cabbagepatchkid]

Hi John. If I try that, I get:

Jan 7 16:31:39 miniupnpd[802]: HTTP listening on port 36351
Jan 7 16:31:39 miniupnpd[802]: setsockopt(udp, IP_ADD_MEMBERSHIP): No such device
Jan 7 16:31:39 miniupnpd[802]: Failed to add multicast membership for interface 192.168.2.1
Jan 7 16:31:39 miniupnpd[802]: setsockopt(udp_notify, IP_MULTICAST_IF): Cannot assign requested address
Jan 7 16:31:39 miniupnpd[802]: Failed to open sockets for sending SSDP notify messages. EXITING

 

[ColinTaylor]

I don't know why miniupnpd seems to only accept interfaces, the documentation suggests that networks (in CIDR notation) are acceptable as well.

Regarding virtual interfaces; this is not something that I've really played around with so it might be a complete red-herring. But...

If, for example, your DD-WRT box has an IP address of 192.168.1.50 (on the Asus) try

ifconfig br0:0 192.168.1.50

And then add "listening_ip=br0:0" You might have to mess around with the routing a bit though.

 

[john9527]

Searching for answers....Do you have your router netmask set to cover both subnets in the router configuration? (Note that moving to a non /24 netmask can impact some router networkmap functions).

 

[cabbagepatchkid]

Ah! No, I don't. It is set to 255.255.255.0.

Should it be 255.255.0.0?

 

[john9527]

You want to keep it as small as possible...... try 255.255.252.0 and see if it makes a difference.

 

[cabbagepatchkid]

Just tried this and it won't let me set it. The error is "LAN and WAN should have different IP addresses and subnet".

My WAN is set to 192.168.0.250 with subnet 255.255.255.0.

The error is a bit beyond me! Any ideas?

 

[cabbagepatchkid]

Hi John, Colin.

Thanks very much for your help. I altered my WAN IP and the upstream router to use 10.0.0.x range and I've now been able to set the Asus's LAN mask to 255.255.252.0 (and IP remains at 192.168.1.1) and all seems to be working fine. I can't see the error messages in the log any more, at least.

Just for completeness, listening_ip is set to br0 and not IP address ranges.