I have a Debian router, and I'd like to set up Full Cone NAT.

I'm using nftables and miniupnpd.

My current config (Restricted Cone NAT):

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        ip saddr { 10.2.0.0/16 } oif "ens18" masquerade
    }
}

enable_natpmp=yes
enable_upnp=yes
postrouting_miniupnpd
secure_mode=yes
system_uptime=yes
uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
force_igd_desc_v1=no
listening_ip=vlan0128 vlan0015 vlan0081
ext_ifname=ens18

I have seen this similar question, but I'm not sure if I should follow the answers since I'm not using iptables.
  • What is your exact Linux distribution? Some details in an answer might depend on it.
    – A.B
    Commented Mar 30 at 21:39
  • Debian 12 (bookworm)
    – 94230
    Commented Mar 30 at 21:42
  • While searching a bit, it appears miniupnp on Debian 12 has a bug (within Debian setup) that might be fixable. Do you actually intend to use miniupnpd and clients that will do UPnP queries for it? Because your question is asked in a weird way: if UPnP manages opening ports, you shouldn't ask about how to configure nftables yourself. miniupnpd is supposed to do this (once the bug is worked around).
    – A.B
    Commented Mar 30 at 23:01
  • miniupnp “asks” nftables to open a port, correct? Basically, I want that port that is opened to operate as a Full Cone NAT. This is, to accept any incoming connection to that port and forward it to the host that requested, regardless of its origin.
    – 94230
    Commented Mar 30 at 23:41
  • I'm still not sure if you're asking to get Full Cone NAT handled without UPnP (as is the case in the linked Q/A that doesn't use UPnP anywhere) or have UPnP install, when requested, DNAT rules. Each DNAT rule behaves in itself as a full cone NAT, contrary to the implicit return traffic handled by the conntrack lookup table (which behaves as a restricted cone NAT). I won't attempt to answer this question because it's not clear enough for me. What I'm sure about: the miniupnpd version 2.3.1-1 as shipped on Debian 12.5 is broken for its nftables backend.
    – A.B
    Commented Mar 31 at 0:23
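The distinction A.B draws in the last comment (conntrack-driven masquerade return traffic is restricted cone; an explicit DNAT rule is full cone for the port it covers) can be seen in a single ruleset. The following is an added example, not the asker's configuration and not anything miniupnpd generates; the LAN host 10.2.0.10, the port 51820 and the forward-chain policy are assumptions chosen for illustration, while the interface names and subnet are taken from the question. A working miniupnpd would install equivalent DNAT and forward rules dynamically in its own chains when a client requests a mapping, so the static rule here only shows what such a mapping amounts to.

```nft
# Added example (not the original poster's or A.B's config).
# Masquerade alone: replies from the internet are admitted only for flows an
# inside host already opened (conntrack lookup), i.e. restricted cone.
# A DNAT rule for one port: any source on the internet may reach that port,
# i.e. full cone for that port only, so the rule is pinned to exactly one
# inside host and one port, and the forward chain accepts only traffic the
# DNAT rule actually rewrote.
# Assumed values: LAN host 10.2.0.10, UDP port 51820.

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Full cone behaviour for UDP 51820 only: rewrite the destination.
        iifname "ens18" udp dport 51820 dnat ip to 10.2.0.10:51820
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Same masquerade as the question; everything else stays restricted cone.
        ip saddr 10.2.0.0/16 oifname "ens18" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for flows conntrack already knows about.
        ct state established,related accept
        # LAN VLANs out to the WAN interface.
        iifname { "vlan0128", "vlan0015", "vlan0081" } oifname "ens18" accept
        # WAN in: accept only packets the DNAT rule above redirected,
        # and only towards the one host and port it names.
        iifname "ens18" ct status dnat ip daddr 10.2.0.10 udp dport 51820 accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; `conntrack -L` (package conntrack) then shows inbound entries for 10.2.0.10:51820 from arbitrary sources, while other LAN hosts only ever appear as replies to flows they initiated. Because a DNAT mapping is reachable from anywhere, keeping `secure_mode=yes` in miniupnpd.conf (as in the question) matters: it stops one LAN client from requesting a mapping that points at another host.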
