Miniupnpd comes with the script iptables_init.sh, which among other things adds an iptables rule:
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -d $EXTIP -i $EXTIF -j MINIUPNPD
Unfortunately, this rule isn't replaced when the connection is dropped and the router comes back with a new dynamic IP: the rule still matches the old $EXTIP, so incoming traffic for the new address never reaches the MINIUPNPD chain. OpenWRT does have a hotplug script that is meant to handle this:
[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] && \
    /etc/init.d/miniupnpd enabled && \
    /etc/init.d/miniupnpd restart
The problem here is that /etc/init.d/miniupnpd enabled returns false, so the restart never runs. enabled is a function defined in /etc/rc.common that checks for the start symlink /etc/rc.d/S95miniupnpd, which the package does not create. So the solution is:
ln -s /etc/init.d/miniupnpd /etc/rc.d/S95miniupnpd
(or equivalently /etc/init.d/miniupnpd enable, which is the rc.common function that creates that symlink)
Realistically, the ipkg should ship this symlink, effectively enabling miniupnpd by default. A more robust fix would be to modify the hotplug script so that it restarts the daemon without the enabled check, and to rely on the restart action not starting a daemon that wasn't already running. Note that the default restart in /etc/rc.common is just stop followed by start, so the hotplug script would need its own check that miniupnpd is actually running before restarting it.
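What that more robust hotplug script could look like, as an added example that is not the OpenWRT package's own script: it drops the enabled check (so it no longer depends on /etc/rc.d/S95miniupnpd existing) and instead restarts miniupnpd only when a miniupnpd process is already running. It assumes hotplug-call sources it with $ACTION and $INTERFACE set to the logical interface name ("wan", not ppp0), that busybox pidof is available, and that /etc/init.d/miniupnpd implements restart; the WAN_IFACE and MINIUPNPD_INIT variables are this example's own.

```shell
#!/bin/sh
# Added example (not the OpenWRT package's hotplug script): replacement for
# /etc/hotplug.d/iface/20-miniupnpd without the `enabled` check.
# Assumptions: hotplug-call sources this file with $ACTION and $INTERFACE
# set (logical name such as "wan"), busybox pidof exists, and
# /etc/init.d/miniupnpd implements restart.

WAN_IFACE="${WAN_IFACE:-wan}"                  # logical WAN name from /etc/config/network
MINIUPNPD_INIT="${MINIUPNPD_INIT:-/etc/init.d/miniupnpd}"

# True only for an ifup event on the logical WAN interface.
wan_came_up() {
    [ "$1" = "ifup" ] && [ "$2" = "$WAN_IFACE" ]
}

# True when a miniupnpd process exists. The default restart in
# /etc/rc.common is stop followed by start, so without this guard the
# hotplug event would start a daemon the admin had deliberately stopped.
miniupnpd_running() {
    pidof miniupnpd >/dev/null 2>&1
}

# Restart (and thereby re-run iptables_init.sh with the new $EXTIP) only
# when the daemon is running; returns 0 either way so hotplug-call is happy.
restart_if_running() {
    if miniupnpd_running; then
        "$MINIUPNPD_INIT" restart
    fi
    return 0
}

# Act only when sourced by hotplug-call; when run directly the functions
# are defined but nothing is restarted.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    wan_came_up "$ACTION" "$INTERFACE" && restart_if_running
fi
```

Because the decision is split into small functions, the interface match can be checked on a workstation without a running daemon, and the restart path is the only part that touches the init script.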
I have a PPPoE WAN connection, and the above does not seem to work for me. The /etc/hotplug.d/iface/20-miniupnpd script works only when the interface is called "wan", however this is not the case for ppp connections. (At least when the other endpoint terminates or you send a HUP signal to your pppd.)
[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] && /etc/init.d/miniupnpd enabled
However, take a look at /usr/bin/iptables_init.sh, there the
$IPTABLES -t nat -A PREROUTING -d $EXTIP -i $EXTIF -j MINIUPNPD
line, where -d $EXTIP does not seem to be necessary. I’ve changed that line to
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
and it seems to work well.
Take a look at Kamikaze’s default firewall setup
iptables -t nat -L -v
and the prerouting_wan chain there, which doesn't include your external IP either. So it might fit Kamikaze's concept better this way.
Please note that miniupnpd won't be restarted at IP change this way; I don't know whether it's important for the UPnP clients to know the external IP, and how they will become aware of it without kicking them out via a restart.
(sorry for my bad English)
The $EXTIP check does seem to be unwarranted.
The $INTERFACE variable in the hotplug script is coming in from scripts such as /sbin/ifdown, which take the “interface” name from /etc/config/network. See for example /etc/hotplug.d/iface/00-netstate and then cat /var/state/network: the $INTERFACE is definitely getting passed as “lan”, “wan” etc. rather than the physical interface like eth0 or ppp0.
You are right, Dean. I totally misunderstood it. Now I see that miniupnpd gets restarted for me too.
So either don’t do my suggested modification, or do it also on the other side:
in /usr/bin/iptables_removeall.sh from:
$IPTABLES -t nat -D PREROUTING -d $EXTIP -i $EXTIF -j MINIUPNPD
to:
$IPTABLES -t nat -D PREROUTING -i $EXTIF -j MINIUPNPD
Otherwise your pre-routing table will fill up with several jumps to the miniupnpd table after a few reconnects, degrading the performance of the firewall.
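The accumulation of duplicate jumps described in this thread can be avoided by making the rule refresh idempotent, as in the following added example (not the commenters' patch and not part of the miniupnpd package). It deletes every existing PREROUTING jump into MINIUPNPD before adding one, and like the commenters' change it omits -d $EXTIP so the rule stays valid when the dynamic IP changes. It assumes the same $IPTABLES and $EXTIF variables that iptables_init.sh uses; the ppp0 default is an assumption.

```shell
#!/bin/sh
# Added example (not the commenters' patch, not the miniupnpd package's code):
# refresh the PREROUTING jump into the MINIUPNPD chain idempotently so a
# reconnect never leaves a second (or tenth) copy of the jump behind.
# Assumes the variables iptables_init.sh uses; ppp0 is an assumed default.

IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-ppp0}"

# Delete every existing jump from PREROUTING to MINIUPNPD. iptables -D
# removes one rule per call and fails once none is left, which ends the
# loop. Prints the number of rules removed.
purge_miniupnpd_jumps() {
    n=0
    while "$IPTABLES" -t nat -D PREROUTING -i "$EXTIF" -j MINIUPNPD 2>/dev/null; do
        n=$((n + 1))
    done
    echo "$n"
}

# Drop-in for the -A line in iptables_init.sh: purge stale copies first,
# then add exactly one jump. Safe to call on every ifup.
refresh_miniupnpd_jump() {
    purge_miniupnpd_jumps >/dev/null
    "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -j MINIUPNPD
}
```

The matching -D in iptables_removeall.sh must use the same match (no -d $EXTIP), exactly as the comment above says, or it will not find the rule; with the purge loop in place a stray extra delete is harmless, since it simply fails once the chain is clean.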