
UPnP / NAT-PMP Inactive Rules Cleaning removing active ports

Discussion in 'Tomato Firmware' started by Xero5, Nov 28, 2013.

  1. Xero5

    Xero5 Serious Server Member


    I normally use NAT-PMP. I understand based on a few threads here that NAT-PMP works similarly to DHCP leases in that eventually the forward will expire and automatically be removed. However, I noticed NAT-PMP forwards that still exist days after the initial forward.

    So I turned on inactive rules cleaning. However, whenever the cleaning happens, all forwards, including active ones are removed.

    Is this normal behavior? I thought only inactive ports are closed by inactive rules cleaning, not all of them. This behavior also occurs when UPnP is enabled on both Toastman and Shibby.

    Thank you.
  2. Toastman

    Toastman Super Moderator Staff Member Member

    That's not normal behaviour, and it doesn't happen here. You are saying that ALL current forwards that show in the table, are deleted by the expiry?

    I had about 50 forwards here a moment ago, I set it to expire when 10 rules were reached, and I see it has reduced the list to around 30-odd which are presumed currently active.

    How are you judging when a rule is active or inactive?
  3. Xero5

    Xero5 Serious Server Member

    Hi Toastman,

    Thank you for your reply and for helping to maintain such a wonderful firmware.

    I just use the network at home, so for the test I set the cleaning interval to the default 600 seconds and the threshold to 20 forwards. I also opened up various other programs to create forwards which I then closed. I opened up Skype and started a remote Slingbox session to make sure the ports that these software forward are active. Within 11 minutes all the forwards get deleted, including the forwards created by the Slingbox, Skype, and Back to my Mac.

    I am currently on an Asus RT-N16 using: tomato-K26USB-1.28.7503.4MIPSR2Toastman-RT-VLAN-VPN-NOCAT.trx
    Last edited: Nov 30, 2013
  4. Toastman

    Toastman Super Moderator Staff Member Member

    Sorry, I can't help you, because I never saw that happen before.
  5. Xero5

    Xero5 Serious Server Member

    How does inactive rules cleaning work? Does it check if there are active transfers or does it see if there is a program responding to the open port?
  6. koitsu

    koitsu Network Guru Member

  7. Xero5

    Xero5 Serious Server Member

    Thank you for the links. I read the documentation. An app using NAT-PMP makes a request and asks for a lifetime limit (how long it wants the port forwarded), before it expires. Halfway until the limit, the app can ask for more time. So NAT-PMP seems to work like DHCP, instead it's the app (client) that requests how long a port forward should last, not the router (server).

    Perhaps the ports that are not deleting are caused by apps that are requesting very long lease times. I will test that and report back.

    [The fact that a lease exists for NAT-PMP really makes it way better than UPnP. The port forwards just clean themselves eventually, making inactive rules cleaning unnecessary.]
  8. Xero5

    Xero5 Serious Server Member

    I figured out the solution to the issue. The way inactive rules cleaning works is during the specified interval (defaulted to 600 seconds), the script checks to see if any data passed through that port. If any data passed, then that port is considered active and the port will remain open. If no data went through the port, the script considers the port dead and deletes it.

    Thus, I set inactive rules cleaning to occur every 43200 seconds (12 hours). This seems to have solved my problem.
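
The cleaning behaviour described in the last post, modelled as an added example (not part of the thread and not the firmware's code). The port numbers, traffic times and the threshold semantics (cleaning only runs while the rule count is above the threshold) are assumptions made for illustration.

```python
# Model of "inactive rules cleaning" as described in the thread: at every
# interval, a forward whose packet counter did not move since the previous
# pass is treated as dead and removed. Constructed data, not firmware code.

def simulate(interval, threshold, traffic, duration):
    """Return {port: removal_time_s} for forwards deleted within `duration`.

    traffic maps port -> list of times (s) at which a packet crossed the rule.
    """
    counters = {port: 0 for port in traffic}   # live per-rule packet counters
    snapshot = dict(counters)                  # counters seen at previous pass
    removed = {}
    for now in range(interval, duration + 1, interval):
        for port in counters:
            counters[port] = sum(1 for t in traffic[port] if t <= now)
        if len(counters) > threshold:          # assumed threshold semantics
            idle = [p for p in counters if counters[p] == snapshot[p]]
            for port in idle:
                removed[port] = now
                del counters[port]
        snapshot = dict(counters)
    return removed

DAY = 86400
# Constructed sample traffic for three forwards over one day.
TRAFFIC = {
    5000: [20000, 60000],                # app still running, rarely contacted
    6000: list(range(300, DAY + 1, 300)),  # steady stream, packet every 5 min
    7000: [100],                         # app closed shortly after forwarding
}

if __name__ == "__main__":
    for interval in (600, 43200):
        print(interval, simulate(interval, 1, TRAFFIC, DAY))
```

With the 600 second interval the quiet but still-running forward on port 5000 is removed at the first pass, while the 43200 second interval removes only the forward whose application was closed.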
