STUN or "whatever" server with GenieACS

Hello, first of all I want to thank you about your great work.

The question is I’m trying to get working STUN and Geniacs, to link CPE in a asimmetric NAT network. Stuntman server and genieacs are in the same server and I think that are working.
The problem is that CPE only show their private IP in wan port, not the “public” IP that is NATTING.
I have read about that STUN protocol is not enough for achieve this, and we need a TURN server.
Has anybody successfully achieved this, or it is “impossible”?Any clue?

Then network is a WISP, and the outer CPE is a Router (mikrotik/ubiquiti/cambium/…) that owes the “public” IP does NAT to internal wireless router (could be any TR069/cwmp capable device, as fritzbox,TPlink, cambium, etc…).

Thanks in advance,

S.Grau

The device should report the STUN server IP/hostname and the port reserved for it in the parameter UDPConnectionRequestAddress. Can you confirm that?

Other than that, try setting the option ‘UDP_CONNECTION_REQUEST_PORT’. It should be the same port that’s used by your STUN server. Here’s a relevant comment from the code:

When a device is NAT’ed, the UDP Connection Request must originate from
the same address and port used by the STUN server, in order to traverse
the firewall. This does require that the Genieacs NBI and STUN server
are allowed to bind to the same address and port. The STUN server needs
to open its UDP port with the SO_REUSEADDR option, allowing the NBI to
also bind to the same port.

Hello, thanks about the response, I’m triyng the stuntman-server but there is no --reuseaddr option in the config file (I’ve tried in the CLI command and it throws --reuseradr is not available), genieACS has the UDP_CONNECTION_REQUEST_PORT configured.
This option should be configured in compile time?

Best regards,

S. Grau

Finally I’ve found that I have a old version of stuntman server, now I have the newest version, but still not working.
I wrote to device’s support (tp-link) because the device looks like doesn’t inform correctly, ( I can’t find the strings InternetGatewayDevice.ManagementServer.UDPConnectionRequestAddress, InternetGatewayDevice.ManagementServer.STUNEnable in genieacs GUI.)

I’ll keep in touch.

Thank you very much

Hello again, I have been received a TXT file from tplink, with all the TR98 parameters that informs the device.
I think that there is some non “standart” params. Please, can you tell the way to inform Genieacs, about the template that the manufacturer sends?

I’m unable to attach the txt file, and don’t want to write a very laaaaarge e-mail :wink:

Thank you in advance,

S. Grau

You can’t tell GenieACS to use a different param for the UDP connection request address, if that’s what you mean.

Hello again, TPlink says that : InternetGatewayDevice.ManagementServer.UDPConnectionRequestAddress it’s a parameter they inform, but I’m unable to see it in devices parameter list, is there anything I can do?

all the list of the node management server is:

What can I do?

Thanx a lot!!

Genie doesn’t automatically fetch all available parameters. Try refreshing ‘InternetGatewayDevice.ManagementServer’.

Perfect!!! now I have all the parameters list, but is there some way to do this automatically??

Thanx again!!!

Hi there, trying to send a request from GenieACS to a router with OpenWRT and easycwmp via STUN through NAT, but unable to do it. Seems like GenieACS is using correct info from the field “UDPConnectionRequestAddress”, but, as you can see from the screenshot, it’s hanging out by a timeout without actually doing anything. Maybe someone has a hint?

Ive a similar problem, but I couldnt figure it out yet.


The stun server looks okay, but the Genieacs seems to not bound the right IP:port to communicate the device through NAT.

image

So, I dont know if Im missing something.

Is this parameter right?


@zaidka Can you help us, please ? :slight_smile:

Might this be related to this part from the spec:

The ACS MUST send UDP Connection Request messages from the same source IP address and port as the STUN server.

Check out this thread for some context: https://github.com/genieacs/genieacs/pull/217

So as far as I can tell, you have two options:

1- Install the STUN service the same server where Genie is installed and configure Genie to bind to the same source port as the STUN service. To allow two processes to bind to the same port you need your STUN software to support SO_REUSEADDR. To configure the source port that Genie binds to, use the config ‘cwmp.udpConnectionRequestPort’ v1.2 or ‘UDP_CONNECTION_REQUEST_PORT’ in v1.1.

2- Use this particular STUN server implementation: https://sourceforge.net/projects/stun/. This implements a special relay feature (the ‘-m’ flag) that I haven’t seen implemented elsewhere. With this it’s not necessary for STUN and Genie to be on the same server (and none of that port reuse business). But as jselbie commented in the thread linked above, it’s prone to DOS attacks.

1 Like

well in the example above, the cwmp.udpConnectionRequestPort was already set to 3478 (stun default port)
I did install the stunman and runned as decribe with --reuseaddr.

OK got that working, the problem was the primaryinterface option on stunman server.
Thanks :slight_smile:

Hi, please share correct command to run "stunserver – ". I’ve tried just “stunserver --reuseaddr” and it wasn’t successful (