tailscale: UPnP port map fails on Mikrotik CHR v7.10 with a UPnPError

What is the issue?

UPNP fails to map ports from a Mikrotik CHR using PnP fails with a UPnP error:

[tw@nuc ~]$ sudo tailscale debug portmap
gw=10.0.0.1; self=10.0.0.34
portmapper: [v1] UPnP reply {Location:http://10.0.0.1:2828/gateway.xml Server:RouterOS/7.7UPnP/1.0 MikroTik UPnP/1.0 USN:uuid:UUID-MIKROTIK-INTERNET-GATEWAY-DEVICE-::urn:schemas-upnp-org:device:InternetGatewayDevice:1}, "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=3600\r\nEXT: \r\nLOCATION: http://10.0.0.1:2828/gateway.xml\r\nSERVER: RouterOS/7.7UPnP/1.0 MikroTik UPnP/1.0\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:UUID-MIKROTIK-INTERNET-GATEWAY-DEVICE-::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
portmapper: UPnP meta changed: {Location:http://10.0.0.1:2828/gateway.xml Server:RouterOS/7.7UPnP/1.0 MikroTik UPnP/1.0 USN:uuid:UUID-MIKROTIK-INTERNET-GATEWAY-DEVICE-::urn:schemas-upnp-org:device:InternetGatewayDevice:1}
portmapper: [v1] UPnP reply {Location:http://10.0.0.1:2828/gateway.xml Server:RouterOS/7.7UPnP/1.0 MikroTik UPnP/1.0 USN:uuid:UUID-MIKROTIK-INTERNET-GATEWAY-DEVICE-::urn:schemas-upnp-org:device:InternetGatewayDevice:1}, "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=3600\r\nEXT: \r\nLOCATION: http://10.0.0.1:2828/gateway.xml\r\nSERVER: RouterOS/7.7UPnP/1.0 MikroTik UPnP/1.0\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:UUID-MIKROTIK-INTERNET-GATEWAY-DEVICE-::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
portmapper: [v1] UPnP reply {Location:http://10.0.0.1:2828/gateway.xml Server:RouterOS/7.7UPnP/1.0 MikroTik UPnP/1.0 USN:uuid:UUID-MIKROTIK-INTERNET-GATEWAY-DEVICE-::urn:schemas-upnp-org:device:InternetGatewayDevice:1}, "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=3600\r\nEXT: \r\nLOCATION: http://10.0.0.1:2828/gateway.xml\r\nSERVER: RouterOS/7.7UPnP/1.0 MikroTik UPnP/1.0\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:UUID-MIKROTIK-INTERNET-GATEWAY-DEVICE-::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
Probe: {PCP:false PMP:false UPnP:true}
no mapping
portmapper: fetching http://10.0.0.1:2828/gateway.xml
portmapper: saw UPnP type WANIPConnection1 at http://10.0.0.1:2828/gateway.xml; MikroTik Router (MikroTik)
portmapper: getUPnPClient: *internetgateway2.WANIPConnection1, <nil>
portmapper: addAnyPortMapping: 5050, err="SOAP fault: UPnPError"
serveDebugPortmap: context done: context deadline exceeded

Steps to reproduce

No response

Are there any recent changes that introduced the issue?

No response

OS

Linux, macOS, Windows, Android

OS version

Archlinux

Tailscale version

1.42.0-dev20230524

Other software

No response

Bug report

BUG-ee4bbbf9cbe5d3499aea8dc1c3bb73ea626a554b7838ef8a0aa6b988964f7bf4-20230617120209Z-eae3a7b4231b6bf8

About this issue

Original URL
State: open
Created a year ago
Comments: 18 (9 by maintainers)

Commits related to this issue

net/portmap: add test of Mikrotik Root Desc XML. Unfortunately in the test we can't reproduce the failure seen in the real system ("SOAP fault: UPnPError") Updates https://github.com/tailscale/tails... — committed to tailscale/tailscale by DentonGentry 7 months ago
net/portmap: add test of Mikrotik Root Desc XML. Unfortunately in the test we can't reproduce the failure seen in the real system ("SOAP fault: UPnPError") Updates https://github.com/tailscale/tails... — committed to tailscale/tailscale by DentonGentry 7 months ago
net/portmap: add test of Mikrotik Root Desc XML. Unfortunately in the test we can't reproduce the failure seen in the real system ("SOAP fault: UPnPError") Updates https://github.com/tailscale/tails... — committed to tailscale/tailscale by DentonGentry 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago
net/portmapper: be smarter about selecting a UPnP device Previously, we would select the first WANIPConnection2 (and related) client from the root device, without any additional checks. However, some... — committed to tailscale/tailscale by andrew-d 7 months ago

Most upvoted comments

Can do, I will have to replicate the exact conditions tonight when I get home, as my WANscape(ugh) has changed slightly

Reading over the patches, come to think of it, instead of selecting the first external gateway, wouldn’t it be better to add portmaps to all endpoints that are offered and externally reachable in the nodemap?

tylerjwatson on Dec 21, 2023

@tylerjwatson Great! Just confirmed that the changes in #10489 work for your Mikrotik; it was able to probe both URLs and pick the working one, then successfully obtain a portmapping. I left the log in the homedir as portmap.log, if you’re curious.

Once that PR is reviewed + merged, I’ll build an unstable release and leave another comment here, and it’ll end up in the stable release 1.58, which we’ll build sometime in early 2024.

Also: I really appreciate the help with debugging this; it was great. Folks like you are a maintainers’ dream–so thanks 😃

andrew-d on Dec 7, 2023