pfSense

That's what the "Override WAN address" option does.

Thanks. So that's passed through as the ext_ip. I did some additional testing here and it seems -

- With a RFC1918 (or other reserved) address here, the daemon dies immediately
- With a random public address (1.1.1.1), the daemon starts, mappings are created according to the web interface, but no traffic passes

After a bit of digging, this is because of -

#pfctl -a miniupnpd -sr
pass in log quick on igb0.10 inet proto tcp from any to 192.168.20.100 port = 63000 flags S/SA keep state label "libminiupnpc" rtable 0

#pfctl -a miniupnpd -sn
rdr log quick on igb0.10 inet proto tcp from any to 1.1.1.1 port = 64000 keep state label "libminiupnpc" rtable 0 -> 192.168.20.100 port 63000

Which restricts all incoming traffic for the UPnP mapping on the WAN interface to the ext_ip. So even with the ext address configured properly, a double NAT setup will never work as the packets will never arrive on the WAN interface with the public address (because that gets NATed on outside router to the inside router WAN interface).

Even with ext_perform_stun (the other solution recommended), it will still break a double NAT setup.

As an aside, this behaviour of locking down the dst in the pf nat rule was not always the case. It is specifically due to -

https://github.com/miniupnp/miniupnp/issues/231
https://github.com/miniupnp/miniupnp/commit/53e81857252eb6504e878295c04e607a7c4c061e

CARP setups will also break unless the CARP address is public and configured as the "Override WAN Address"/ext_ip.

It seems that asuswrt-merlin made a good call to revert the change preventing private IPs from being external addresses in miniupnp, because this commit effectively breaks a lot of advanced NAT topologies.

I agree, the changes in miniupnpd are unnecessary and harmful to some use cases. They should at least provide an option to override the behavior rather than preventing it entirely.

But that is a change that needs to be made in miniupnpd -- Advocate for it there.

If we start reverting bits and pieces in the port that puts a lot of technical debt on us to maintain that indefinitely.

Ok, I opened an issue on the miniupnp tracker for this -

https://github.com/miniupnp/miniupnp/issues/433

There us a patch available to remove that behavior in miniupnpd that needs testing:
https://github.com/miniupnp/miniupnp/commit/3f04f7992c4e8f11c2a2f66e678d9e63c8103dea

Steve Wheeler wrote:

There us a patch available to remove that behavior in miniupnpd that needs testing:
https://github.com/miniupnp/miniupnp/commit/3f04f7992c4e8f11c2a2f66e678d9e63c8103dea

I tried Compiling this but didn't manage,
I'm willing to try it out for people, however I'm doing something wrong so its not working.

Keep getting the following error when I try, and I have tried cloning the repo's a few times.

I know I am doing something wrong, Just don't know what, so If someone perhaps wants to enlighten me I would be delighted to learn :D

make: "/tmp/thisistest/miniupnpd/Makefile" line 39: Could not find bsdmake.inc
make: "/tmp/thisistest/miniupnpd/Makefile" line 88: Malformed conditional ($(FWNAME) == "pf")
make: "/tmp/thisistest/miniupnpd/Makefile" line 160: warning: "which bash || which ksh" returned non-zero status
make: Fatal errors encountered -- cannot continue
make: stopped in /tmp/thisistest/miniupnpd

Thanks.