UPnP port forwarding not working with Merlin

[qiuyan81]

Why doesn't upnp port forwarding take effect when I use the merlin version? There is no problem if I use the official version.
This problem has appeared very early, and even after updating to multiple versions, this error cannot be solved.

 

[drinkingbird]

Why doesn't upnp port forwarding take effect when I use the merlin version? There is no problem if I use the official version.
This problem has appeared very early, and even after updating to multiple versions, this error cannot be solved.

What router, what version of merlin? Have not seen any similar complaints.

Did you hard factory reset and manually reconfigure after converting to Merlin?

 

[bennor]

It would help if you posted the Merlin firmware version you are running and the router you are using. If using the GT-AX6000 -A3 - 386.7 per your signature line, 386.7 is old firmware (6/23/2022). May want to update to the latest Merlin firmware (3004.388.4_0) if you haven't done so already.

Why doesn't upnp port forwarding take effect when I use the merlin version? There is no problem if I use the official version.
This problem has appeared very early, and even after updating to multiple versions, this error cannot be solved.

Do you have UPnP enabled in the router GUI interface (WAN - Internet Connection)?

 

[Tech9]

After specific Asuswrt-Merlin version (I believe it was 386.5_2) miniupnpd doesn't work anymore with private WAN IPs in double NAT configurations. Many people with no modem only Bridge Mode option use their ISP modem/router with Asus WAN IP in DMZ. The change comes from miniupnpd developer. Stock Asuswrt perhaps uses older miniupnpd version. So the question @qiuyan81 - your router has Public or Private WAN IP?

 

[qiuyan81]

The firmware version has always been the latest version, but this problem has always existed. This will not happen if you use the official firmware.

 

[qiuyan81]

After specific Asuswrt-Merlin version (I believe it was 386.5_2) miniupnpd doesn't work anymore with private WAN IPs in double NAT configurations. Many people with no modem only Bridge Mode option use their ISP modem/router with Asus WAN IP in DMZ. The change comes from miniupnpd developer. Stock Asuswrt perhaps uses older miniupnpd version. So the question @qiuyan81 - your router has Public or Private WAN IP?

I have a nat1 network type. My optical modem is bridged to my asus router. Using the firmware from the official website, the upnp port can be forwarded normally. The merlin version of the firmware cannot work normally with upnp.

 

[ColinTaylor]

Your WAN IP address in 192.168.1.8 which is a private address @Tech9 talked about.

 

[qiuyan81]

Your WAN IP address in 192.168.1.8 which is a private address @Tech9 talked about.

Yes, but I can use the official firmware and upnp can work normally.

 

[ColinTaylor]

Yes, but I can use the official firmware and upnp can work normally.

Different versions of miniupnpd.

 

[ColinTaylor]

Look for messages in the System Log like this one when you try and create a port forwarding:

miniupnpd[xxxx]: private/reserved address 192.168.x.y is not suitable for external IP

 

[qiuyan81]

After specific Asuswrt-Merlin version (I believe it was 386.5_2) miniupnpd doesn't work anymore with private WAN IPs in double NAT configurations. Many people with no modem only Bridge Mode option use their ISP modem/router with Asus WAN IP in DMZ. The change comes from miniupnpd developer. Stock Asuswrt perhaps uses older miniupnpd version. So the question @qiuyan81 - your router has Public or Private WAN IP?

This is using official firmware, upnp can work normally

 

[Tech9]

This is using official firmware, upnp can work normally

Understood and the reason why is described above. I guess, you have to stick to Asuswrt if you need UPnP working in double NAT environment.

 

[drinkingbird]

Yes, but I can use the official firmware and upnp can work normally.

If you have control of the subnet used on the WAN (between yourself and the ISP device), change it to the CGNAT range, something like 100.100.100.0/24, the router should consider that a public IP and allow uPNP to work with merlin.

However I'm not sure what the point would be, since the upstream router would still need ports manually forwarded (uPNP won't forward to that device). That's why miniupnpd now warns you about it, since it can't work in that scenario, you still need to manually forward ports in that second device.

 

[Tech9]

I remember this working with UPnP enabled on the upstream router as well, but with older Asuswrt-Merlin versions. Or DMZ, it was long time ago.

 

[drinkingbird]

I remember this working with UPnP enabled on the upstream router as well, but with older Asuswrt-Merlin versions. Or DMZ, it was long time ago.

Setting the Asus as DMZ in the ISP device would work, assuming they give you access to do that.

I don't think there is a way to make uPNP propagate across 2 routers but who knows, some sort of helper or proxy but I wouldn't want that happening.

 

[sfx2000]

miniupnpd cannot assume that upstream can also port forward...

If the device is behind a CGNAT or NAT address, miniupnpd will behave properly and log the appropriate message...

miniupnpd: Disable port forwarding when we are behind restrictive nat… · miniupnp/miniupnp@8e10a1a

… with reserved / private IP address In this case port forwarding is impossible, so rather return error code to the client instead of silently trying to do something and informing clients that por...

github.com

 

[drinkingbird]

miniupnpd cannot assume that upstream can also port forward...

If the device is behind a CGNAT or NAT address, miniupnpd will behave properly and log the appropriate message...

miniupnpd: Disable port forwarding when we are behind restrictive nat… · miniupnp/miniupnp@8e10a1a

… with reserved / private IP address In this case port forwarding is impossible, so rather return error code to the client instead of silently trying to do something and informing clients that por...

github.com

I thought someone got it working with CGNAT but if not just use class E space, 240.0.0.0/24 or anything in the 240-255 range. But still only worth doing if you can set a DMZ device on the ISP router.

 

[Tech9]

miniupnpd cannot assume that upstream can also port forward...

Even though the change is technically correct, it was working before in specific configurations. Some folks have no bridge option.

 

[sfx2000]

I thought someone got it working with CGNAT but if not just use class E space, 240.0.0.0/24 or anything in the 240-255 range. But still only worth doing if you can set a DMZ device on the ISP router.

Yeah - there's been a few comments against the move there, and it's been there for a while now...

I'm not sure this is a battle worth fighting as there is always the overriding concern of upnp/nat-pmp opening ports on a dynamic basis...

There is always the option to static port forward - this still works...

 

[Tech9]

There is always the option to static port forward - this still works...

Gamers won't like it. Different games open multiple different ports. The screenshot in post #11 is perhaps result of games. Gaming router after all.