-
Notifications
You must be signed in to change notification settings - Fork 442
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Router doesn't accept UPNP_AddPinhole due to strict IPv6 source address verification #731
Comments
That is probably a bug in miniupnpd that advertises itself on the local address and not the globally routable one. Or miniupnpc that should first try globally routable address and then fallback to local address. |
|
Thank you!
Could be! The first thing i tried was to hack the (client side)
Startup looks like this:
(The IPv4 warning is correct--it gets only a private IPv4 from DHCP, but gets two IPv6 ranges: one globally routable and one in the private ULA range, apparently)
The router is running TurrisOS, which is basically a OpenWRT distribution. The miniupnpd is extrememly new.
On the client i am building miniupnpc statically from source (latest master). i also tried with debian testing's version, 2.2.6, no difference. |
The scenario i'm also worried about here: what if there were multiple routable IPv6 addresses, and the goal was to create pinholes on all of them? The strict check effectively limits pinholing to the advertised IPv6 address per IGD. That is, unless the client is changed to make the |
I'm afraid this scenario is not supported by the UPnP IGD standard. |
@laanwj could you try with branch 731-ipv6-routable-address ? |
That's, awful. One practical example would be the
Sure, will try! |
So ? About UPnP IGD, it is supposed to address Internet <=> LAN issues. So it should use the public internet address. |
@laanwj have you been able to test ? |
Sorry! i've been distracted by PCP implementation issues and other things. Will get back to this, this week. Have to figure out how to actually build software myself for the router. |
Looks like it works! With that patch:
|
it looks great ;) |
i'm trying to use
UPNP_AddPinhole
to add IPv6 pinholes. However, this fails with606 (Action not authorized)
.The source of the problem is that the LAN interface has multiple IPv6 addresses:
upnpDiscover
andUPNP_GetValidIGD
give me anhttp://[fdbd:...]:5000/rootDesc.xml
URL for the router.However, i try to open a pinhole port on the
2a10:....
address, that is globally routable.Curious thing is that the router runs
miniupnpd
. So i checked theminiupnpd
source and the error 606 originates inPinholeVerification
, which checks (as far as i understand) that the source address of theAddPinhole
command is the same as the address that the pinhole is requested for. This failss the address mismatches, after all it's connecting from afdbd:..
address.The miniupnp API does not provide a way to set the requester address.
FWIW i've tried to hack UPNP_AddPinhole to connect using a socket that is already
bind()ed
to the correct IPv6 address. This appears to work as a workaround. But i feel there should be a way within the API to accomplish it.The text was updated successfully, but these errors were encountered: