RT-BE86U NAT PMP responses fails. Firmware routing bug?

[raritynb]

Trying to open up a port through the WireGuard VPN tunnel with this command:

natpmpc -g 10.2.1.1 -a 1 0 udp 60

Fails out of the box:

Thu Feb 26 15:03:04 CET 2026
initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.1.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -100 (TRY AGAIN)

This worked flawlessly on my old RT-AX86U. I then noticed a route on the old
router was missing on the new one (RT-BE86U).

So I ran this command to fix the issue:

ip route add 10.2.1.1/32 dev wgc1

Now NAT PMP responses are working again.

Shouldn't VPN Director be adding the above route automatically?

Is this a firmware bug @RMerlin? I'm running the latest version (3006.102.7).

This router isn't that popular as I understand it, but it's clearly more responsive
than my old RT-AX86U because of the CPU. The GUI feels more snappy and I get
much higher throughput through the WG tunnel.

 

[RMerlin]

UPNP is not intended to work on VPN interfaces. The default miniupnpd config only allows the LAN subnet, and the daemon only listens to the LAN interface.

 

[raritynb]

WAN > Enable UPnP is set to No (on both my old as well as my new router).

That's why I'm using natpmpc (NAT Port Mapping Protocol client) to open
up a port over the WireGuard tunnel like explained here:

How to manually set up port forwarding | Proton VPN

A guide to manually configuring port forwarding for Proton VPN using the NAT-PMP protocol on macOS and Linux

protonvpn.com

Point is this works great on the old RT-AX86U, but not on the new RT-BE86U.

On the RT-BE86U I have to add this route to make it work:

ip route add 10.2.1.1/32 dev wgc1

I'm guessing VPN Director adds this one on the old one, but not on the new
one.

 

[ColinTaylor]

Where are you running the natpnpc command, on the RT-BE86U?

What output do you get from these commands?

ip rule
ip route show table wgc1

 

[raritynb]

I feel like the output of those commands reveal too much to be posted
directly here.

I'm running the natpmpc command on the router.

 

[Ripshod]

I feel like the output of those commands reveal too much to be posted
directly here.

Nothing there to affect your security else it wouldn't have been asked without obfuscation.
What extras have you installed on the router?

-sh: natpmpc: not found

 

[ColinTaylor]

I feel like the output of those commands reveal too much to be posted
directly here.

I'm running the natpmpc command on the router.

You can obfuscate the last two octets of any WAN addresses. The point was to compare the routing in your output with that of my RT-AX86U to try and identify the source of the problem.