This page contains information on how to configure the latest version of miniupnpd on Ubuntu.
Download source
# Step 1: fetch the miniupnpd 2.3.7 source tarball (the version used on this page) from http://miniupnp.free.fr
# NOTE(review): this is a plain-HTTP download with no integrity check, and the resulting
# binary is later run with the privileges needed to change firewall rules. Before unpacking,
# verify the tarball against a signature or checksum obtained from the project (confirm on
# its download page whether a detached PGP signature is published for this release), e.g.
#   gpg --verify <signature-file> miniupnpd-2.3.7.tar.gz
wget -O miniupnpd-2.3.7.tar.gz "http://miniupnp.free.fr/files/miniupnpd-2.3.7.tar.gz"
Prerequisite
# Install the development packages (libmnl, libnftnl) needed to build with nftables support.
# Run as root or through sudo.
apt-get install libmnl-dev libnftnl-dev
Configure/Make
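# Unpack the source and enter the source tree
tar zxfv miniupnpd-2.3.7.tar.gz
cd miniupnpd-2.3.7
# Configure with the options you find useful; --firewall=nftables selects the nftables backend
./configure --ipv6 --igd2 --leasefile --vendorcfg --pcp-peer --portinuse --regex --uda-version=1.1 --firewall=nftables
# The nft_init.sh script shipped in the source tree contains a drop rule that will deny
# traffic; if nftables is already the default firewall on this host, remove that drop rule.
# (ufw status numbered will not show the miniupnpd rules.)
# NOTE(review): once the drop rule is gone, the miniupnpd table no longer blocks anything
# by itself (presumably the rule is the default policy of its forward chain; check the grep
# output below). Make sure the host's own firewall, e.g. ufw, still denies unsolicited
# forwarded traffic by default.
# Show the matching lines first: the sed pattern deletes EVERY line that contains "drop".
grep -n 'drop' netfilter_nft/scripts/nft_init.sh
# Delete them, keeping the untouched original as nft_init.sh.bak for review or rollback
sed -i.bak '/drop/d' netfilter_nft/scripts/nft_init.sh
# Build
make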
Testing miniupnpd
# To test that it works, first run the init script from the source tree to set up the
# nftables structure (this typically needs root)
./netfilter_nft/scripts/nft_init.sh
# Then start miniupnpd in debug mode (-d) with the configuration file passed via -f
./miniupnpd -d -f /etc/miniupnpd/miniupnpd.conf
Testclient upnpc
# Request a port mapping with upnpc: -a <internal ip> <internal port> <external port> <protocol>
upnpc-shared.exe -a 192.168.200.73 8080 12123 tcp
# this should show something like this
upnpc : miniupnpc library test client, version 2.2.3.
(c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.200.2:40000/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.200.2:40000/ctl/IPConn
Local LAN ip address : 192.168.200.73
ExternalIPAddress = 90.x.y.z
InternalIP:Port = 192.168.200.73:0
external 90.x.y.z:12123 TCP is redirected to internal 192.168.200.73:0 (duration=604800)
# Remove the port mapping again with upnpc: -d <external port> <protocol>
upnpc-shared.exe -d 12123 tcp
upnpc : miniupnpc library test client, version 2.2.3.
(c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.200.2:40000/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.200.2:40000/ctl/IPConn
Local LAN ip address : 192.168.200.73
UPNP_DeletePortMapping() returned : 0
Troubleshooting
# If it does not work, make sure the nft_init.sh script was executed by /usr/libexec/miniupnpd-startstop-helper.sh.
# Run nft_display.sh to list the current miniupnpd rules. In the sample output below, 0xc0a8c849 is 192.168.200.73 and protocol 0x6 is TCP.
/etc/miniupnpd/nft_display.sh
table inet filter {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
jump prerouting_miniupnpd
}
}
table inet filter {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
jump postrouting_miniupnpd
}
}
table inet filter {
chain miniupnpd {
iif "enp3s0" th dport 8080 @nh,128,32 0xc0a8c849 @nh,72,8 0x6 accept
}
}
Configuration
# Set a static port for miniupnpd's HTTP service (the port in the rootDesc.xml URL); otherwise a random port is used
port=40000
ipv6_disable=no
enable_natpmp=yes
enable_upnp=yes
min_lifetime=120
max_lifetime=86400
lease_file=/var/log/upnp.leases
friendly_name=home1
bitrate_up=100000000
bitrate_down=100000000
# secure_mode=yes restricts each client to creating mappings toward its own IP address; keep it enabled
secure_mode=yes
system_uptime=yes
notify_interval=60
clean_ruleset_threshold=10
clean_ruleset_interval=600
# Device UUID; use a value generated for your own installation rather than copying this one
uuid=78a2e571-b2e9-49b4-a0b2-5b8ed72a7d03
force_igd_desc_v1=no
# Permission rules are checked in order and the first matching rule applies.
# This will allow 192.168.200.0/24 to request external ports between 1024-65535 with internal ports between 1024-65535.
# NOTE(review): this lets any device on the LAN expose any unprivileged port to the internet;
# narrow the address and port ranges to the hosts and services that actually need mappings.
allow 1024-65535 192.168.200.0/24 1024-65535
# Reject every request that no rule above has allowed
deny 0-65535 0.0.0.0/0 0-65535
# LAN-side interface on which miniupnpd accepts client requests; never point this at the external interface
listening_ip=enp1s0
# External (WAN) interface; the nft rules on this page match inbound traffic on it (iif "enp3s0")
ext_ifname=enp3s0
Xbox validation
# To validate that the configuration works with an Xbox using its default settings:
# Start your Xbox.
# On the miniupnpd server you will see something similar to this in the upnp.leases file. The Xbox uses UDP and port 3074 by default. If you have multiple Xboxes, change each additional Xbox to use a different port. By default it will suggest a random port; adjust if needed.
# The first row shows the default settings.
# The second row shows an Xbox with an alternative port.
# This should show up as Open NAT on your console.
UDP:3074:192.168.200.87:3074:1721123058:Teredo 192.168.200.87:3074->3074 UDP
UDP:50090:192.168.200.77:50090:1721123858:Teredo 192.168.200.77:50090->50090 UDP
# nft chain miniupnpd: protocol value 0x11 is UDP; 0xc0a8c857 is 192.168.200.87 and 0xc0a8c84d is 192.168.200.77
chain miniupnpd {
iif "enp3s0" th dport 3074 @nh,128,32 0xc0a8c857 @nh,72,8 0x11 accept
iif "enp3s0" th dport 50090 @nh,128,32 0xc0a8c84d @nh,72,8 0x11 accept
}
# nft chain prerouting_miniupnpd: notice that the Xbox maps the external port 1:1 to the same internal port, so make sure you use an external port that is not allocated for other use.
chain prerouting_miniupnpd {
iif "enp3s0" @nh,72,8 0x11 th dport 3074 dnat ip to 192.168.200.87:3074
iif "enp3s0" @nh,72,8 0x11 th dport 50090 dnat ip to 192.168.200.77:50090
}