Solved RT-BE86U NAT PMP responses fails. Firmware routing bug?

raritynb

Trying to open up a port through the WireGuard VPN tunnel with this command:
Code:
natpmpc -g 10.2.1.1 -a 1 0 udp 60

Fails out of the box:
Code:
Thu Feb 26 15:03:04 CET 2026
initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.1.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -100 (TRY AGAIN)

This worked flawlessly on my old RT-AX86U. I then noticed a route on the old
router was missing on the new one (RT-BE86U).

So I ran this command to fix the issue:
Code:
ip route add 10.2.1.1/32 dev wgc1

Now NAT PMP responses are working again. 👍

Shouldn't VPN Director be adding the above route automatically?

Is this a firmware bug @RMerlin? I'm running the latest version (3006.102.7).

This router isn't that popular as I understand it, but it's clearly more responsive
than my old RT-AX86U because of the CPU. The GUI feels more snappy and I get
much higher throughput through the WG tunnel.
 
UPNP is not intended to work on VPN interfaces. The default miniupnpd config only allows the LAN subnet, and the daemon only listens to the LAN interface.
 
WAN > Enable UPnP is set to No (on both my old as well as my new router).

That's why I'm using natpmpc (NAT Port Mapping Protocol client) to open
up a port over the WireGuard tunnel like explained here:


Point is this works great on the old RT-AX86U, but not on the new RT-BE86U.

On the RT-BE86U I have to add this route to make it work:

Code:
ip route add 10.2.1.1/32 dev wgc1

I'm guessing VPN Director adds this one on the old one, but not on the new
one.
 
Where are you running the natpmpc command, on the RT-BE86U?

What output do you get from these commands?
Code:
ip rule
ip route show table wgc1
 
I feel like the output of those commands reveals too much to be posted
directly here.
Nothing there to affect your security else it wouldn't have been asked without obfuscation.
What extras have you installed on the router?
Code:
-sh: natpmpc: not found
 
I feel like the output of those commands reveals too much to be posted
directly here.

I'm running the natpmpc command on the router.
You can obfuscate the last two octets of any WAN addresses. The point was to compare the routing in your output with that of my RT-AX86U to try and identify the source of the problem.
 
Alright! Since I still have the old one I did a factory reset of both of them.

Both are running the latest Asuswrt-Merlin firmware (RT-AX86U: 3004.388.11 & RT-BE86U: 3006.102.7).

192.168.50.1 is the router
192.168.50.10 is the PC
10.2.0.1 is the WireGuard VPN tunnel

Noticed differences straight out of the box after factory reset:

admin@RT-AX86U:/# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
admin@RT-BE86U:/# ip rule
0: from all lookup local
20: from all lookup 8437
32766: from all lookup main
32767: from all lookup default
admin@RT-AX86U:/# ip route
default via 85.xxx.xx.1 dev eth0
85.xxx.xx.0/22 dev eth0 proto kernel scope link src 85.xxx.xx.164
85.xxx.xx.1 dev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
195.1.0.1 via 85.xxx.xx.1 dev eth0 metric 1
195.1.0.2 via 85.xxx.xx.1 dev eth0 metric 1
239.0.0.0/8 dev br0 scope link
admin@RT-BE86U:/# ip route
default via 193.xx.xxx.1 dev eth0
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
193.xx.xxx.0/21 dev eth0 proto kernel scope link src 193.xx.xxx.205
193.xx.xxx.1 dev eth0 proto kernel scope link
195.1.0.1 via 193.xx.xxx.1 dev eth0 metric 1
195.1.0.2 via 193.xx.xxx.1 dev eth0 metric 1

When adding a WireGuard Client connection I noticed that AX86U added a route for it, but the BE86U didn't:

admin@RT-AX86U:/# ip route
default via 85.xxx.xx.1 dev eth0
10.2.0.1 dev wgc1 scope link
85.xxx.xx.0/22 dev eth0 proto kernel scope link src 85.xxx.xx.164
85.xxx.xx.1 dev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
195.1.0.1 via 85.xxx.xx.1 dev eth0 metric 1
195.1.0.2 via 85.xxx.xx.1 dev eth0 metric 1
239.0.0.0/8 dev br0 scope link
admin@RT-BE86U:/# ip route
default via 193.xx.xxx.1 dev eth0
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
193.xx.xxx.0/21 dev eth0 proto kernel scope link src 193.xx.xxx.205
193.xx.xxx.1 dev eth0 proto kernel scope link
195.1.0.1 via 193.xx.xxx.1 dev eth0 metric 1
195.1.0.2 via 193.xx.xxx.1 dev eth0 metric 1

Other than that I'm seeing a massive difference in the WireGuard routing tables:

admin@RT-AX86U:/# ip route show table wgc1
0.0.0.0/1 dev wgc1 scope link
default via 85.xxx.xx.1 dev eth0
66.xxx.xxx.66 via 85.xxx.xx.1 dev eth0
85.xxx.xx.0/22 dev eth0 proto kernel scope link src 85.xxx.xx.164
85.xxx.xx.1 dev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev wgc1 scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
195.1.0.1 via 85.xxx.xx.1 dev eth0 metric 1
195.1.0.2 via 85.xxx.xx.1 dev eth0 metric 1
239.0.0.0/8 dev br0 scope link
admin@RT-BE86U:/# ip route show table wgc1
0.0.0.0/1 dev wgc1 scope link
10.2.0.1 dev wgc1 scope link
66.xxx.xxx.66 via 193.xx.xxx.1 dev eth0
128.0.0.0/1 dev wgc1 scope link

I'm getting natpmpc on the router by using amtm to install Entware and then:
Code:
opkg install natpmpc
 
Wireguard routes are created by VPNDirector. Did you configure any route in it? Otherwise, your WG traffic will not be redirected at all.
 
In the second table, when the RT-AX86U added the route for the VPN tunnel, I hadn't yet used VPN Director. That is, no rules were configured. I only added the WireGuard Client configuration and connected. That's it.

In the third and last table I had already added a VPN Director rule for the PC to use the WGC1 tunnel which added these marked in green:

admin@RT-BE86U:/# ip rule
0: from all lookup local
20: from all lookup 8437
11210: from 192.168.50.10 lookup wgc1
12215: from 192.168.50.10 prohibit

32766: from all lookup main
32767: from all lookup default

There were no changes in the other routing tables after using VPN Director on either the old or the new router.

Anyways, I've verified that the WireGuard tunnel itself is working fine on both routers by using ip.me, but I need to manually add a route like this:
Code:
ip route add 10.2.0.1/32 dev wgc1
To make natpmpc work on the RT-BE86U.
 
I've now solved this issue for users with RT-BE86U using NAT PMP client / natpmpc to open up ports with ProtonVPN:

As suggested in other threads here I had a VPN Director exception for the router's IP to not go through the WireGuard tunnel:
Code:
from 192.168.50.1 lookup main
When running the NAT PMP client / natpmpc on the router like this:
Code:
natpmpc -g 10.2.0.1 -a 1 0 udp 60
The above would go out on the WAN because of the router's IP exception.

So I added a new VPN Director rule for NAT PMP like this:
Code:
from all to 10.2.0.1 lookup wgc1
That makes sure NAT PMP goes out through the WireGuard tunnel and everything works. 👍
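
A pre-flight check for the situation in this thread, as an added example that is not part of the original posts: it reads `ip route get` output for the NAT-PMP gateway and only runs natpmpc when the lookup resolves to wgc1, so the request cannot leave on the WAN. The function names, the sample outputs and the 203.0.113.x / 10.2.0.2 addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to send a NAT-PMP request unless the kernel would
# route it into the WireGuard tunnel. Gateway and device are the thread's.
GATEWAY="10.2.0.1"
TUNNEL_DEV="wgc1"

# Print the egress device named in `ip route get` output ($1); empty if none.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Classify route-lookup output: prints "tunnel", "leak:<dev>" or "unroutable".
classify_route() {
    dev=$(route_dev "$1")
    if [ -z "$dev" ]; then
        echo "unroutable"
    elif [ "$dev" = "$TUNNEL_DEV" ]; then
        echo "tunnel"
    else
        echo "leak:$dev"
    fi
}

# On the router: look up the real route and only then request the mapping.
# Not called below; invoke it yourself once the functions are loaded.
request_mapping() {
    verdict=$(classify_route "$(ip route get "$GATEWAY" 2>/dev/null)")
    if [ "$verdict" != "tunnel" ]; then
        echo "not sending NAT-PMP request: route to $GATEWAY is $verdict" >&2
        return 1
    fi
    natpmpc -g "$GATEWAY" -a 1 0 udp 60
}

# Constructed `ip route get` outputs (placeholder WAN and tunnel addresses).
SAMPLE_WAN="10.2.0.1 via 203.0.113.1 dev eth0 src 203.0.113.205"
SAMPLE_TUN="10.2.0.1 dev wgc1 src 10.2.0.2"

echo "before the rule/route: $(classify_route "$SAMPLE_WAN")"
echo "after the rule/route:  $(classify_route "$SAMPLE_TUN")"
```

A failed lookup (for example a prohibit rule) produces no device and is reported as "unroutable", which also blocks the request.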
 
