Tutorial HOWTO use Voxel/Entware/miniupnpd on R7800/R9000 router

arabesc

Occasional Visitor
I've spent some time replacing the stock miniupnpd service with a newer version from Entware on my R9000. I would like to share my experience with the community.

Requirements:
  • R7800/R9000/same ecosystem router
  • Voxel's firmware
  • Entware
The stock miniupnpd is located at /usr/sbin/miniupnpd; it uses the /tmp/etc/miniupnpd.conf config file that is generated by the /sbin/cmdupnp script.

To replace the stock miniupnpd with the new version from Entware, you need to:
  • change the /sbin/cmdupnp script to generate a new config and start the new miniupnpd
  • add new chains to iptables where miniupnpd will add its rules
Install miniupnpd from Entware:
# opkg install miniupnpd
The new version is located at /opt/sbin/miniupnpd

To add the new chains to iptables create the /opt/scripts/firewall_start.sh script with the following content:
Bash:
#!/bin/sh
iptables -t filter -N Forward-UPnP
iptables -t filter -I FORWARD -j Forward-UPnP
iptables -t nat -N NAT-Prerouting-UPnP
iptables -t nat -I PREROUTING -j NAT-Prerouting-UPnP
iptables -t nat -N NAT-Postrouting-UPnP
iptables -t nat -A POSTROUTING -o brwan -j NAT-Postrouting-UPnP
This script will be executed every time firewall settings are changed.
If you are using a PPPoE/PPTP WAN connection, the interface name might be ppp0 instead of brwan. It's possible to automate the logic but I have no way to test it so I've kept things simple.
The chain names (Forward-UPnP, NAT-Prerouting-UPnP, NAT-Postrouting-UPnP) can be arbitrary but they should match the names used in the /sbin/cmdupnp script and further in the /tmp/etc/miniupnpd.conf.
Ensure the /opt/scripts/firewall_start.sh script is executable:
# chmod u+x /opt/scripts/firewall_start.sh
Execute the script to apply the changes for the first time:
# /opt/scripts/firewall_start.sh

Change the /sbin/cmdupnp script in the following way:
Bash:
...
SERVICE_PID_FILE="/var/run/miniupnpd.pid"
MINIUPNPD_CONF="/tmp/etc/miniupnpd.conf"
...
print_upnp_conf() {
cat <<EOF
ext_ifname=$1
listening_ip=$2
port=5555
enable_natpmp=yes
enable_upnp=yes
#force_igd_desc_v1=yes
secure_mode=yes
system_uptime=yes
# uncomment the following option if minissdpd is used on the same system
#minissdpdsocket=/var/run/minissdpd.sock
lease_file=/tmp/upnp_pmlist
bitrate_up=${15}
bitrate_down=${16}
uuid=<insert your uuid here>
upnp_forward_chain=Forward-UPnP
upnp_nat_chain=NAT-Prerouting-UPnP
upnp_nat_postrouting_chain=NAT-Postrouting-UPnP
clean_ruleset_interval=600
notify_interval=$3
model_number=${11}
allow 1024-65535 192.168.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
EOF
}
...
upnp_start() {
    ...
    local listenip="$($config get lan_ifname) lo"
    ...
    local uplimit=$($config get uplimit)
    uplimit=$(($uplimit / 125000 * 1000 * 1000))
    local downlimit=$($config get downlimit)
    downlimit=$(($downlimit / 125000 * 1000 * 1000))
    ...
    print_upnp_conf "$wan_ifname" "$listenip" "$($config get upnp_AdverTime)" "$($config get upnp_TimeToLive)" "$name" "$($config get lan_netmask)" "$non_igd" "$(artmtd -r sn | head -1 | awk -F":" '{print $2}')" "$($config get miniupnp_pnpx_hwid)" "$($config get miniupnp_modelurl)" "$($config get miniupnp_modelnumber)" "$($config get miniupnp_modelname)" "$($config get miniupnp_modeldescription)" "$($config get Device_name)" "$uplimit" "$downlimit" > $MINIUPNPD_CONF
    ...
    /opt/sbin/miniupnpd -f "$MINIUPNPD_CONF" -P "$SERVICE_PID_FILE" &
}
Pay attention to the notice <insert your uuid here>; use the uuidgen tool or something similar to get your uuid.
The /sbin/cmdupnp script will be reset after each firmware update. Keeping the changes is out of scope for this post.
The format in which the new miniupnpd writes leases to the /tmp/upnp_pmlist file is different from the stock one; it will break the web interface a little.

Restart miniupnpd:
# /etc/init.d/upnp restart

Optionally, use upnpclient on another host to test that miniupnpd works:
# upnpc -r 9999 tcp
It should succeed. 9999 is an arbitrary port number, use another port if it's already in use.
The /tmp/upnp_pmlist can be checked for a new lease and iptables for new rules.
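
A consistency check for the chain-name requirement and the allow/deny list in the config above, as an added example that is not part of the original post. The function names and finding labels are made up here and the sample config and iptables-save text are constructed; on the router the inputs would be /tmp/etc/miniupnpd.conf and a file holding the output of iptables-save, assuming that tool is installed.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the chains named in
# miniupnpd.conf exist in the right iptables table and that the ACL is closed.
conf_get() {        # conf_get KEY FILE -> value of the last KEY=value line
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

chain_declared() {  # chain_declared TABLE CHAIN SAVEFILE (iptables-save format)
    awk -v t="*$1" -v c=":$2" '
        /^\*/ { cur = $1 }
        cur == t && $1 == c { found = 1 }
        END { exit !found }' "$3"
}

check_upnp() {      # check_upnp CONF SAVEFILE -> prints findings, returns their count
    bad=0
    for spec in upnp_forward_chain:filter upnp_nat_chain:nat \
                upnp_nat_postrouting_chain:nat; do
        key=${spec%%:*}; table=${spec##*:}
        chain=$(conf_get "$key" "$1")
        if [ -z "$chain" ]; then
            echo "MISSING $key"; bad=$((bad + 1))
        elif ! chain_declared "$table" "$chain" "$2"; then
            echo "NOCHAIN $chain ($table)"; bad=$((bad + 1))
        fi
    done
    [ "$(conf_get secure_mode "$1")" = yes ] ||
        { echo "WEAK secure_mode"; bad=$((bad + 1)); }
    # Rules are read top to bottom, so the list should end with the post's deny-all line
    last=$(grep -E '^(allow|deny) ' "$1" | tail -n 1)
    [ "$last" = "deny 0-65535 0.0.0.0/0 0-65535" ] ||
        { echo "OPEN no final deny-all"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample: NAT-Postrouting-UPnP was never created in the nat table.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'upnp_forward_chain=Forward-UPnP' 'upnp_nat_chain=NAT-Prerouting-UPnP' \
        'upnp_nat_postrouting_chain=NAT-Postrouting-UPnP' 'secure_mode=yes' \
        'allow 1024-65535 192.168.0.0/24 1024-65535' 'deny 0-65535 0.0.0.0/0 0-65535' > "$d/conf"
    printf '%s\n' '*filter' ':FORWARD ACCEPT [0:0]' ':Forward-UPnP - [0:0]' \
        '-A FORWARD -j Forward-UPnP' 'COMMIT' '*nat' ':PREROUTING ACCEPT [0:0]' \
        ':NAT-Prerouting-UPnP - [0:0]' 'COMMIT' > "$d/save"
    rc=0; check_upnp "$d/conf" "$d/save" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "$? finding(s)"
```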