New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NAT-PMP will only accept default gateway IP as IGD #5502
Comments
Same issue. This is partially an issue with OPN\PFSense. If you send a NAT-PMP request to the default gateway and the default gateway is a CARP IP nothing happens. You need to send the NAT-PMP request to the actual LAN interface. https://redmine.pfsense.org/issues/13222 Other applications that have implemented UPnP don't seem to have any issues with UPnP (Parsec, various games and syncthing tested and confirmed to work on our network). I can see the response from PFSense to UPnP Searches: And it gets a response correctly
|
Further digging.
Tailscale's UPnP implementation explicitly ignores situations where the CARP IP (Gateway IP) is different from the response IP (The specific router's UPnP Response) |
The check of IP address went in via #2572, which was the first point where portmapping really worked. I suspect we can relax that check. |
There is a similar problem with openwrt's miniupnp, may I ask what command you used for port forwarding. The forwarding command I used didn't work. |
Packet Source: LAN interface |
Gateway devices operating as an HA pair w/VRRP or CARP may send UPnP replies from static addresses rather than the floating gateway address. This commit relaxes our source address verification such that we parse responses from non-gateway IPs, and re-point the UPnP root desc URL to the gateway IP. This ensures we are still interfacing with the gateway device (assuming L2 security intact), even though we got a root desc from a non-gateway address. This relaxed handling is required for ANY port mapping to work on certain OPNsense/pfsense distributions using CARP at the time of writing, as miniupnpd may only listen on the static, non-gateway interface address for PCP and PMP. Fixes #5502 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Gateway devices operating as an HA pair w/VRRP or CARP may send UPnP replies from static addresses rather than the floating gateway address. This commit relaxes our source address verification such that we parse responses from non-gateway IPs, and re-point the UPnP root desc URL to the gateway IP. This ensures we are still interfacing with the gateway device (assuming L2 security intact), even though we got a root desc from a non-gateway address. This relaxed handling is required for ANY port mapping to work on certain OPNsense/pfsense distributions using CARP at the time of writing, as miniupnpd may only listen on the static, non-gateway interface address for PCP and PMP. Fixes #5502 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Gateway devices operating as an HA pair w/VRRP or CARP may send UPnP replies from static addresses rather than the floating gateway address. This commit relaxes our source address verification such that we parse responses from non-gateway IPs, and re-point the UPnP root desc URL to the gateway IP. This ensures we are still interfacing with the gateway device (assuming L2 security intact), even though we got a root desc from a non-gateway address. This relaxed handling is required for ANY port mapping to work on certain OPNsense/pfsense distributions using CARP at the time of writing, as miniupnpd may only listen on the static, non-gateway interface address for PCP and PMP. Fixes tailscale#5502 Signed-off-by: Jordan Whited <jordan@tailscale.com>
NAT-PMP still fails with #6946 merged. |
What is the issue?
Tailscale clients could not detect the UPnP nor NAT-PMP capabilities of my OPNSense failover pair of routers. UPnP & NAT-PMP were enabled, and other devices could discover and use these services.
I eventually discovered that the IGD response from the currently-primary router was coming from its LAN address instead of the gateway IP, which is a virtual (floating) IP that can failover to the secondary router. Because of this, tailscale client seemed unable to discover UPnP or NAT-PMP.
I successfully worked around this issue by forwarding port 5351/udp from the gateway IP to the primary router's LAN address, which allowed the tailscale client to discover NAT-PMP (but not UPnP).
I expected tailscale to detect these capabilities, or expose configuration to override its (arguably reasonable) default behavior to only accept the system's default gateway as IGD.
Steps to reproduce
Are there any recent changes that introduced the issue?
Unclear if this is recent behavior, though PR #3202 seems relevant.
OS
Linux, macOS
OS version
Ubuntu 22.04, macOS 12.5
Tailscale version
1.28.0
Bug report
No response
The text was updated successfully, but these errors were encountered: