NAT-PMP will only accept default gateway IP as IGD

[joshbenner]

What is the issue?

Tailscale clients could not detect the UPnP nor NAT-PMP capabilities of my OPNSense failover pair of routers. UPnP & NAT-PMP were enabled, and other devices could discover and use these services.

I eventually discovered that the IGD response from the currently-primary router was coming from its LAN address instead of the gateway IP, which is a virtual (floating) IP that can failover to the secondary router. Because of this, tailscale client seemed unable to discover UPnP or NAT-PMP.

I successfully worked around this issue by forwarding port 5351/udp from the gateway IP to the primary router's LAN address, which allowed the tailscale client to discover NAT-PMP (but not UPnP).

I expected tailscale to detect these capabilities, or expose configuration to override its (arguably reasonable) default behavior to only accept the system's default gateway as IGD.

Steps to reproduce

1. Use OPNSense in failover pair with virtual IP as default gateway.
2. Enable UPnP & NAT-PMP in OPNSense.

Are there any recent changes that introduced the issue?

Unclear if this is recent behavior, though PR #3202 seems relevant.

OS

Linux, macOS

OS version

Ubuntu 22.04, macOS 12.5

Tailscale version

1.28.0

Bug report

No response

[StraightfaceStudios]

Same issue.

This is partially an issue with OPN\PFSense. If you send a NAT-PMP request to the default gateway and the default gateway is a CARP IP nothing happens. You need to send the NAT-PMP request to the actual LAN interface.

https://redmine.pfsense.org/issues/13222

Other applications that have implemented UPnP don't seem to have any issues with UPnP (Parsec, various games and syncthing tested and confirmed to work on our network). I can see the response from PFSense to UPnP Searches:
SRC: [USER] DST: [CARP GATEWAY]
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900

And it gets a response correctly

HTTP/1.1 200 OK CACHE-CONTROL: max-age=120 ST: uuid:837 USN: uuid:837 EXT: SERVER: FreeBSD/12.3-STABLE UPnP/1.1 MiniUPnPd/2.2.1 LOCATION: http://192.168.##.NONCARP:2189/rootDesc.xml OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS: 1662155185 BOOTID.UPNP.ORG: 1662155185 CONFIGID.UPNP.ORG: 1337
Parsec then uses the correct UPNP IP and maps addresses. Tailscale though appears to just send endless requests to NAT_PMP none of which get a response due to PFSense issue 13222

[StraightfaceStudios]

Further digging.

https://github.com/tailscale/tailscale/blob/5f6abcfa6f15cde7ab4dc4c94ec49b80e4639f8c/net/portmapper/upnp.go

	if ipp.Addr() != gw {
		return nil, fmt.Errorf("UPnP discovered root %q does not match gateway IP %v; ignoring UPnP",
			meta.Location, gw)
	}

Tailscale's UPnP implementation explicitly ignores situations where the CARP IP (Gateway IP) is different from the response IP (The specific router's UPnP Response)

[DentonGentry]

The check of IP address went in via #2572, which was the first point where portmapping really worked. I suspect we can relax that check.

[bigfoxtail]

What is the issue?

Tailscale clients could not detect the UPnP nor NAT-PMP capabilities of my OPNSense failover pair of routers. UPnP & NAT-PMP were enabled, and other devices could discover and use these services.

I eventually discovered that the IGD response from the currently-primary router was coming from its LAN address instead of the gateway IP, which is a virtual (floating) IP that can failover to the secondary router. Because of this, tailscale client seemed unable to discover UPnP or NAT-PMP.

I successfully worked around this issue by forwarding port 5351/udp from the gateway IP to the primary router's LAN address, which allowed the tailscale client to discover NAT-PMP (but not UPnP).

I expected tailscale to detect these capabilities, or expose configuration to override its (arguably reasonable) default behavior to only accept the system's default gateway as IGD.

Steps to reproduce

1. Use OPNSense in failover pair with virtual IP as default gateway.
2. Enable UPnP & NAT-PMP in OPNSense.

Are there any recent changes that introduced the issue?

Unclear if this is recent behavior, though PR #3202 seems relevant.

OS

Linux, macOS

OS version

Ubuntu 22.04, macOS 12.5

Tailscale version

1.28.0

Bug report

No response

There is a similar problem with openwrt's miniupnp, may I ask what command you used for port forwarding. The forwarding command I used didn't work.

[StraightfaceStudios]

Packet Source: LAN interface
Packet Destination: UDP | Gateway IP (192.168.1.1 or whatever) | Port 5351
Forward: LAN IP (192.168.1.2 or whatever) | Port 5351