UPnP not working with AC68 and Xbox One


Tagilso

Occasional Visitor
My setup: ISP modem -> AC68 with the latest Merlin fw -> Xbox One

ISP modem can't go bridged, sadly.
AC68 IP is in the modem DMZ.

The issue: after enabling UPnP (btw, why is it disabled by default?) and choosing a port interval of 1-65535, the NAT test fails on the Xbox, saying that UPnP was not successful.
The ports do not appear in the forwarding panel in the Asus, and I have also tried disabling hw acceleration.
Any idea? Thanks.
 
It was due to some change in miniupnpd. RMerlin has reverted the change in 384.8 alpha. So you can try 384.8 or use old fw 384.5, 384.6.
 
You shouldn't be allowing 1-65535 on internal ports; then you are just begging for something to hog port 80 or 443, for instance, and cause HTTP/HTTPS from internal clients to not work. Stay with 1024-65535 for the internal port range.

As mentioned above, the latest version of miniupnpd is having issues when UPnP is running behind NAT; as your ISP doesn't allow for bridge mode you run into double NAT, and the UPnP daemon is not working correctly.

I find it strange that your ISP can't provide bridge mode. Most hardware will support bridge mode; it's essential in so many situations that it would have to be some really silly hardware for it not to support it. Bridge mode, to make sure you are avoiding double NAT, is so much more reliable and better compared to utilising the DMZ function.
 
I'll try first with the alpha, then with an older version. Is there any version that has confirmed working UPnP with double NAT?
The modem model (Technicolor 789vac v2) should support bridge mode, but the firmware has been customized by the ISP. The most I can do is disable NAT, but then everything stops working (not surprisingly).

About the ports, yeah, I agree with you, but following Microsoft's guidelines, some needed ports stay under 1024. What do you think?
https://support.microsoft.com/en-ca/help/4026770/xbox-open-these-network-ports-for-xbox-one
 
As has been discussed ad nauseam in these forums the MS information is misleading. Note that they are talking about "open" ports not "forwarded" ports. For example port 53 (DNS) is an outgoing (remote destination) port and all outgoing ports are open by default.
 
Sorry ColinTaylor and thanks, next time I'll try to be more accurate in forum searching.
 
I can confirm that UPnP seems to work with the 384.8_alpha3-g65be6df90 firmware.
I have tested with the upnpc CLI forwarding a port; I still have to confirm with the Xbox because I'm not at home.
 
The Technicolor 789vac v2 supports bridge mode; there is no "custom" firmware from your ISP, it's just locked down so you don't have access to many of the more advanced settings, in order to make sure end users don't ruin their networks and connections by trying to play smart. The firmware is most likely also pre-compiled with some ISP settings embedded so they don't have to manually configure each and every Technicolor 789vac v2 they get from the supplier. This should be as simple as telling your ISP to enable bridge mode, as the option is clearly there in the hardware. There is simply no reason why they should not be able to do so.

When it comes to Xbox Live on the Xbox One, the only inbound port is 3074, which can be customised in the settings. There is no reason for having sub-1024 available for UPnP outbound local ports, as it just allows flaky UPnP devices to start messing up your network; nothing should be hogging your router's outbound local ports like 53, 80, 443 etc., as that would make every other device on your network stop working with basic functionality like DNS, HTTP and HTTPS.

Port forwarding gets confusing because sites like PortForward.com and various others list all the ports that need to be allowed through a firewall. These home routers don't run a full firewall; they are simply a NAT device, and all of these home routers will have automatic hide-NAT outbound rules, resulting in all outbound traffic already being allowed by default. All you need to care about is the inbound traffic, and there are normally a lot fewer inbound ports required compared to outbound ports, so in most situations when you see a huge list of ports over at PortForward.com and the like, it's most likely only 1-2 of those ports that are used for inbound traffic and would need a port forward / UPnP to function.

If you are lucky enough to have an ISP and hardware that fully support native IPv6, you wouldn't rely on the use of NAT at all, and all this nonsense wouldn't even be a problem in the first place.

When it comes to the UPnP daemon, Merlin just released 384.8 BETA1, so I would recommend you update to that one.
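Added example (not code from the thread, Asuswrt-Merlin or miniupnpd) that audits what LAN clients have actually mapped through the router's UPnP daemon, using the `upnpc -l` listing mentioned earlier in the thread; the line layout is assumed from upnpc's output and the sample listing is constructed:

```python
"""Audit the port mappings a router's UPnP daemon is holding, as listed by
`upnpc -l`.  Added example; the line layout (index, protocol,
extPort->intAddr:intPort, 'description', 'remoteHost', lease) is assumed
from upnpc's listing output, and the sample below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample of `upnpc -l` output: two consoles holding Teredo
# mappings, plus one LAN client that grabbed port 80 on the router.
SAMPLE_UPNPC_LIST = """\
List of UPNP devices found on the network :
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP 30123->192.168.1.20:30123 'Teredo' '' 0
 1 UDP 30456->192.168.1.21:30456 'Teredo' '' 0
 2 TCP    80->192.168.1.50:80    'WebAdmin' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

MAPPING_RE = re.compile(
    r"^\s*(\d+)\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
    r"'([^']*)'\s+'([^']*)'\s+(\d+)"
)

@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_addr: str
    int_port: int
    desc: str
    remote_host: str
    lease: int

def parse_upnpc_list(text):
    """Return the Mapping entries in upnpc -l output; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            _, proto, ext, addr, intp, desc, rhost, lease = m.groups()
            out.append(Mapping(proto, int(ext), addr, int(intp), desc, rhost, int(lease)))
    return out

def privileged_mappings(mappings, low_port=1024):
    """Mappings whose internal port is below low_port: exactly what limiting
    the UPnP internal range to 1024-65535 is meant to rule out."""
    return [m for m in mappings if m.int_port < low_port]

def foreign_mappings(mappings, console_ips):
    """Mappings created by a LAN host other than the consoles, e.g. the port-80 one."""
    return [m for m in mappings if m.int_addr not in console_ips]
```

Pipe real `upnpc -l` output into `parse_upnpc_list` and anything reported by `privileged_mappings` is a client that could shadow a service like HTTP on the router's WAN side.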
 
Thanks for the detailed and wonderful reply.
I have tested the beta, and I can confirm that upnp works again.

FYI, while gaming, two Xboxes each UPnP-forwarded one port, with description Teredo and in the 30000s range. AFAIK Teredo is a v6-in-v4 tunnelling protocol, so something might have changed in the way MS handles Xbox multiplayer networking, who knows.

Unfortunately I talked to one of my current ISP's engineers and he confirmed that bridging is not available NOW. In the past, using another ISP, I managed to bridge the modem. Anyway, a recent law in my country will shortly force every ISP to let customers use their own hardware. We'll see.

Finally, I observed that other software has trouble when using UPnP with double NAT. E.g. the Transmission torrent daemon seems to abort the UPnP forwarding request if no external IP could be obtained via UPnP.
All in all, I agree that bridging is the best solution, but with working UPnP I can handle this.
 
The inbound connection for Xbox / Xbox Live is indeed Microsoft Teredo, which on the Xbox One defaults to using 3074, but with the later OS updates it has become smart enough to utilise random high TCP ports if it notices that 3074 is occupied by something else on your local network. Xbox Live tends not to be fond of strict NAT filtration, so you might see only Moderate NAT even when UPnP is doing the port mappings, because of the symmetric NAT filtration done by AsusWRT, which only allows incoming traffic from the same external IP and port used by the Xbox when creating the port mapping. This is branded as strict NAT filtration and does not equal a full port forward of the ports to your console. You need to have Open NAT filtration, also called Full-Cone-NAT, to ensure that the mappings will fully work as intended, as much of the incoming traffic might originate from IP addresses other than the ones used by the console when creating the UPnP port mapping.

Sadly very few routers allow you to change the NAT filtration. The few I know of are various Netgear routers like the R7800 and XR500. With Asus Merlin firmware you get the capability to change to Full-Cone-NAT under WAN settings if you are using the RT-AC86U or the RT-AX88U. All others are stuck with the default, which is symmetric / strict NAT filtration. But even having Open NAT filtration won't fully work when you are behind double NAT, as it would require the first NAT device to also support Open NAT filtration. But utilising the DMZ is just telling the router to forward all incoming traffic to a specific IP, which should be good enough to make sure it works as intended, even though bridge mode is always the recommended approach just to avoid NAT altogether on the first device.

For Transmission you could easily do a manual inbound NAT rule / port forward, as Transmission lets you specify whichever port you want to use, so you can easily avoid a port that would conflict with other services.
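Added illustration, not router code, of the filtering behaviours this post describes: a toy NAT that goes beyond the post's two modes (Full-Cone vs strict) to the four classic RFC 3489 types, so you can trace why a peer the console never talked to is dropped under strict filtering; all addresses and ports are constructed:

```python
"""Toy NAT with the four classic filtering behaviours (RFC 3489 names), so the
Open vs Moderate NAT point above can be traced packet by packet.  Added
illustration, not router code; addresses and ports are constructed.  A mapping
appears when the inside host sends out (or asks for it via UPnP); the filtering
mode decides which outside sources may then use it to send back in.
"""
from enum import Enum

class NatType(Enum):
    FULL_CONE = "full cone"                    # any source may use the mapping
    ADDRESS_RESTRICTED = "address restricted"  # only IPs the host has sent to
    PORT_RESTRICTED = "port restricted"        # only IP:port pairs it has sent to
    SYMMETRIC = "symmetric"                    # fresh external port per destination

class ToyNat:
    def __init__(self, nat_type, first_ext_port=30000):
        self.nat_type = nat_type
        self.next_port = first_ext_port
        self.mappings = {}  # ext_port -> {"key", "inside", "peers"}

    def outbound(self, inside, dest):
        """Inside host sends to dest; returns the external port the NAT uses."""
        key = (inside, dest) if self.nat_type is NatType.SYMMETRIC else inside
        for port, m in self.mappings.items():
            if m["key"] == key:
                m["peers"].add(dest)
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[port] = {"key": key, "inside": inside, "peers": {dest}}
        return port

    def inbound(self, ext_port, src):
        """Inside endpoint a packet from src reaches, or None if the NAT drops it."""
        m = self.mappings.get(ext_port)
        if m is None:
            return None
        if self.nat_type is NatType.FULL_CONE:
            return m["inside"]
        if self.nat_type is NatType.ADDRESS_RESTRICTED:
            return m["inside"] if src[0] in {p[0] for p in m["peers"]} else None
        return m["inside"] if src in m["peers"] else None  # port-restricted/symmetric

def new_peer_reaches_console(nat_type):
    """Can a player the console never contacted reach it through the mapping
    the console created while talking to the matchmaking server?"""
    nat = ToyNat(nat_type)
    console = ("192.168.1.20", 3074)
    port = nat.outbound(console, ("203.0.113.10", 3074))
    return nat.inbound(port, ("198.51.100.7", 51000)) == console
```

Only the full-cone case lets the unknown peer in, which is the "Open" result the consoles report; the other three are what the post lumps together as strict filtration.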
 
I've got an AC86U and the default NAT setting in the WAN page is Symmetrical and I have UPnP enabled. Whenever I've run a connection test on my Xbox One or play a game that reports NAT status, they always state Open.

Would I be better off changing the NAT type to Full Cone anyway?
 
As long as you have a single Xbox One it tends to work with symmetric NAT. But there is really no harm in running Full-Cone-NAT; the only difference is that the port mappings done through UPnP behave like full port forwards.
 
We've got two Xbox Ones and a PS4, so would that make Full Cone NAT more appropriate to use?

I've never had a router with this option before.
 
@ColinTaylor is correct. Unless you play the same games on both consoles, like Call of Duty, that rely on the same port no matter the platform, you should be good. But then again, there really is no harm in activating Full-Cone-NAT, which will ensure that it will always work as intended.
 
Full Cone is generally considered less secure, so unless you actually need it, it's best to stick with Symmetric.
 