arabesc
Occasional Visitor
I've spent some time replacing the stock miniupnpd service with a newer version from Entware on my R9000. I would like to share my experience with the community.

Requirements:
- R7800/R9000/same ecosystem router
- Voxel's firmware
- Entware

The stock miniupnpd is located at /usr/sbin/miniupnpd; it uses the /tmp/etc/miniupnpd.conf config file that is generated by the /sbin/cmdupnp script.

To replace the stock miniupnpd with the new version from Entware it's required to:
- change the /sbin/cmdupnp script to generate a new config and start the new miniupnpd
- add new chains to iptables where miniupnpd will add its rules

Install miniupnpd from Entware:
# opkg install miniupnpd

The new version is located at /opt/sbin/miniupnpd.

To add the new chains to iptables, create the /opt/scripts/firewall_start.sh script with the following content:
Bash:
#!/bin/sh
# user chains that miniupnpd will fill with its port-mapping rules
iptables -t filter -N Forward-UPnP
iptables -t filter -I FORWARD -j Forward-UPnP
iptables -t nat -N NAT-Prerouting-UPnP
iptables -t nat -I PREROUTING -j NAT-Prerouting-UPnP
iptables -t nat -N NAT-Postrouting-UPnP
# brwan is the WAN interface; see the note below for pppoe/pptp setups
iptables -t nat -A POSTROUTING -o brwan -j NAT-Postrouting-UPnP

This script will be executed every time firewall settings are changed.

If you are using a pppoe/pptp WAN connection then the interface name might be ppp0 instead of brwan. It's possible to automate the logic but I have no way to test it so I've kept things simple.

The chain names (Forward-UPnP, NAT-Prerouting-UPnP, NAT-Postrouting-UPnP) can be arbitrary but they should match the names used in the /sbin/cmdupnp script and further in the /tmp/etc/miniupnpd.conf.

Ensure the /opt/scripts/firewall_start.sh script is executable:
# chmod u+x /opt/scripts/firewall_start.sh

Execute the script to apply the changes for the first time:
# /opt/scripts/firewall_start.sh

Change the /sbin/cmdupnp script in the following way:
Bash:
...
SERVICE_PID_FILE="/var/run/miniupnpd.pid"
MINIUPNPD_CONF="/tmp/etc/miniupnpd.conf"
...
print_upnp_conf() {
# positional parameters above $9 need braces: in sh, $15 expands to ${1}5
cat <<EOF
ext_ifname=$1
listening_ip=$2
port=5555
enable_natpmp=yes
enable_upnp=yes
#force_igd_desc_v1=yes
secure_mode=yes
system_uptime=yes
# uncomment the following option if minissdpd is used on the same system
#minissdpdsocket=/var/run/minissdpd.sock
lease_file=/tmp/upnp_pmlist
bitrate_up=${15}
bitrate_down=${16}
uuid=<insert your uuid here>
# must match the chains created in /opt/scripts/firewall_start.sh
upnp_forward_chain=Forward-UPnP
upnp_nat_chain=NAT-Prerouting-UPnP
upnp_nat_postrouting_chain=NAT-Postrouting-UPnP
clean_ruleset_interval=600
notify_interval=$3
model_number=${11}
# only LAN clients may request mappings, and only to unprivileged ports
allow 1024-65535 192.168.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
EOF
}
...
upnp_start() {
...
local listenip="$($config get lan_ifname) lo"
...
# convert the configured limits to bits per second for miniupnpd
local uplimit=$($config get uplimit)
uplimit=$(($uplimit / 125000 * 1000 * 1000))
local downlimit=$($config get downlimit)
downlimit=$(($downlimit / 125000 * 1000 * 1000))
...
print_upnp_conf "$wan_ifname" "$listenip" "$($config get upnp_AdverTime)" "$($config get upnp_TimeToLive)" "$name" "$($config get lan_netmask)" "$non_igd" "$(artmtd -r sn | head -1 | awk -F":" '{print $2}')" "$($config get miniupnp_pnpx_hwid)" "$($config get miniupnp_modelurl)" "$($config get miniupnp_modelnumber)" "$($config get miniupnp_modelname)" "$($config get miniupnp_modeldescription)" "$($config get Device_name)" "$uplimit" "$downlimit" > $MINIUPNPD_CONF
...
# start the Entware build instead of the stock /usr/sbin/miniupnpd
/opt/sbin/miniupnpd -f "$MINIUPNPD_CONF" -P "$SERVICE_PID_FILE" &
}

Pay attention to the notice <insert your uuid here>; use the uuidgen tool or something similar to get your uuid.

The /sbin/cmdupnp script will be reset after each f/w update. Keeping the changes is out of scope of this post.

The format in which the new miniupnpd writes leases to the /tmp/upnp_pmlist file is different from the stock one; it will break the web interface a little.

Restart miniupnpd:
# /etc/init.d/upnp restart

Optionally, use upnpclient on another host to test that miniupnpd works:
# upnpc -r 9999 tcp

It should succeed. 9999 is an arbitrary port number; use another port if it's already in use.

The /tmp/upnp_pmlist can be checked for a new lease and iptables for new rules.
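As an added check (example script, not part of the original post), the following POSIX sh verifies that the chains named by upnp_forward_chain, upnp_nat_chain and upnp_nat_postrouting_chain in miniupnpd.conf exist in the right iptables table and are jumped to from FORWARD, PREROUTING and POSTROUTING, which is what makes the rules miniupnpd adds take effect. It reads an iptables-save dump rather than calling iptables, so it can run offline; the function names are my own and the sample conf and dump are constructed, with the POSTROUTING jump deliberately left out.

```shell
#!/bin/sh
# Added example, not from the original post: check that the chains named in
# miniupnpd.conf exist in iptables and are reached from the built-in chains.
# Works on a saved dump (iptables-save > file) so it can be run offline.
# chain_wired TABLE CHAIN BUILTIN DUMP: succeeds if CHAIN is defined in TABLE
# and BUILTIN has a "-j CHAIN" rule, according to the iptables-save DUMP.
chain_wired() {
    awk -v t="*$1" -v c="$2" -v b="$3" '
        $0 == t { in_t = 1; next }          # entered the wanted table
        /^\*/   { in_t = 0 }                # a different table starts
        in_t && $1 == (":" c) { defined = 1 }
        in_t && $1 == "-A" && $2 == b {
            for (i = 4; i <= NF; i++) if ($(i - 1) == "-j" && $i == c) jumped = 1
        }
        END { exit !(defined && jumped) }
    ' "$4"
}
# check_upnp_chains CONF DUMP: checks the three upnp_*_chain options; prints a
# verdict per chain and returns the number of chains that are not wired up.
check_upnp_chains() {
    conf=$1 dump=$2 bad=0
    for spec in "upnp_forward_chain filter FORWARD" \
                "upnp_nat_chain nat PREROUTING" \
                "upnp_nat_postrouting_chain nat POSTROUTING"; do
        set -- $spec                        # option, table, built-in chain
        chain=$(sed -n "s/^$1=//p" "$conf" | tail -1)
        if [ -z "$chain" ]; then
            echo "$1: not set in $conf"; bad=$((bad + 1))
        elif chain_wired "$2" "$chain" "$3" "$dump"; then
            echo "$1=$chain: ok ($2/$3)"
        else
            echo "$1=$chain: missing or not reached from $2/$3"; bad=$((bad + 1))
        fi
    done
    return $bad
}
# Constructed sample input (not captured from a router): the chain names from
# the post, and a dump where firewall_start.sh's POSTROUTING jump is absent.
SAMPLE_CONF=$(mktemp) SAMPLE_DUMP=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_DUMP"' EXIT
printf '%s\n' upnp_forward_chain=Forward-UPnP upnp_nat_chain=NAT-Prerouting-UPnP \
    upnp_nat_postrouting_chain=NAT-Postrouting-UPnP > "$SAMPLE_CONF"
printf '%s\n' '*nat' ':NAT-Prerouting-UPnP - [0:0]' ':NAT-Postrouting-UPnP - [0:0]' \
    '-A PREROUTING -j NAT-Prerouting-UPnP' COMMIT '*filter' ':Forward-UPnP - [0:0]' \
    '-A FORWARD -j Forward-UPnP' COMMIT > "$SAMPLE_DUMP"
check_upnp_chains "$SAMPLE_CONF" "$SAMPLE_DUMP" || echo "$? chain(s) need fixing"
```

On the router, run it against the live files with iptables-save redirected to a temporary file and /tmp/etc/miniupnpd.conf as the conf.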