How To HOWTO use Voxel/Entware/miniupnpd on R7800/R9000 router

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

arabesc

Occasional Visitor
I've spent some time replacing the stock miniupnpd service to a newer version from the Entware on my R9000. I would like to share my experience with the community.

Requirements:
  • R7800/R9000/same ecosystem router
  • Voxel's firmware
  • Entware
The stock miniupnpd is located at /usr/sbin/miniupnpd, it uses the /tmp/etc/miniupnpd.conf config file that is generated by the /sbin/cmdupnp script.

To replace the stock miniupnpd by the new version from the Entware it's required to:
  • change the /sbin/cmdupnp script to generate a new config and start the new miniupnpd
  • add new chains to iptables where miniupnpd will add its rules
Install miniupnpd from the Entware:
# opkg install miniupnpd
The new version is located at /opt/sbin/miniupnpd

To add the new chains to iptables create the /opt/scripts/firewall_start.sh script with the following content:
Bash:
#!/bin/sh
iptables -t filter -N Forward-UPnP
iptables -t filter -I FORWARD -j Forward-UPnP
iptables -t nat -N NAT-Prerouting-UPnP
iptables -t nat -I PREROUTING -j NAT-Prerouting-UPnP
iptables -t nat -N NAT-Postrouting-UPnP
iptables -t nat -A POSTROUTING -o brwan -j NAT-Postrouting-UPnP
This script will be executed every time firewall settings are changed.
If you are using pppoe/pptp wan-connection then there might be ppp0 interface name instead of brwan. It's possible to automate the logic but I have no way to test it so I've kept things simple.
The chain names (Forward-UPnP, NAT-Prerouting-UPnP, NAT-Postrouting-UPnP) can be arbitrary but they should match the names used in the /sbin/cmdupnp script and further in the /tmp/etc/miniupnpd.conf.
Ensure the /opt/scripts/firewall_start.sh script is executable:
# chmod u+x /opt/scripts/firewall_start.sh
Execute script to apply changes for the first time:
# /opt/scripts/firewall_start.sh

Change the /sbin/cmdupnp script in the following way:
Bash:
...
SERVICE_PID_FILE="/var/run/miniupnpd.pid"
MINIUPNPD_CONF="/tmp/etc/miniupnpd.conf"
...
print_upnp_conf() {
cat <<EOF
ext_ifname=$1
listening_ip=$2
port=5555
enable_natpmp=yes
enable_upnp=yes
#force_igd_desc_v1=yes
secure_mode=yes
system_uptime=yes
# uncomment the following option if minissdpd is used on the same system
#minissdpdsocket=/var/run/minissdpd.sock
lease_file=/tmp/upnp_pmlist
bitrate_up=$15
bitrate_down=$16
uuid=<insert your uuid here>
upnp_forward_chain=Forward-UPnP
upnp_nat_chain=NAT-Prerouting-UPnP
upnp_nat_postrouting_chain=NAT-Postrouting-UPnP
clean_ruleset_interval=600
notify_interval=$3
model_number=$11
allow 1024-65535 192.168.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
EOF
}
...
upnp_start() {
    ...
    local listenip="$($config get lan_ifname) lo"
    ...
    local uplimit=$($config get uplimit)
    uplimit=$(($uplimit / 125000 * 1000 * 1000))
    local downlimit=$($config get downlimit)
    downlimit=$(($downlimit / 125000 * 1000 * 1000))
    ...
    print_upnp_conf "$wan_ifname" "$listenip" "$($config get upnp_AdverTime)" "$($config get upnp_TimeToLive)" "$name" "$($config get lan_netmask)" "$non_igd" "$(artmtd -r sn | head -1 | awk -F":" '{print $2}')" "$($config get miniupnp_pnpx_hwid)" "$($config get miniupnp_modelurl)" "$($config get miniupnp_modelnumber)" "$($config get miniupnp_modelname)" "$($config get miniupnp_modeldescription)" "$($config get Device_name)" "$uplimit" "$downlimit" > $MINIUPNPD_CONF
    ...
    /opt/sbin/miniupnpd -f "$MINIUPNPD_CONF" -P "$SERVICE_PID_FILE" &
}
Pay attention to the notice <insert your uuid here>, use uuidgen tool or something similar to get your uuid.
The /sbin/cmdupnp script will be reseted after each f/w update. Keeping changes is out of scope of the post.
The format in what the new miniupnpd writes leases to the /tmp/upnp_pmlist file is different from the stock, it will break web-interface a little.

Restart miniupnpd:
# /etc/init.d/upnp restart

Optionally, use upnpclient on another host to test that miniupnpd works:
# upnpc -r 9999 tcp
It should succeed. 9999 is an arbitrary port number, use another port if it's already in use.
The /tmp/upnp_pmlist can be checked for a new lease and iptables for new rules.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top