# This is the UPNP configuration file

# WAN network interface
ext_ifname={{ wan_interface }}
{% if wan_ip is vyos_defined %}
# If the WAN interface has several IP addresses, you
# can specify the one to use below
{%     for addr in wan_ip %}
ext_ip={{ addr }}
{%     endfor  %}
{% endif %}

# LAN network interfaces IPs / networks
{% if listen is vyos_defined %}
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
#  listening_ip=192.168.0.1/24 88.22.44.13
{%     for addr in listen %}
{%         if addr | is_ipv4  %}
listening_ip={{ addr }}
{%         elif addr | is_ipv6  %}
ipv6_listening_ip={{ addr }}
{%         else %}
listening_ip={{ addr }}
{%         endif  %}
{%     endfor  %}
{% endif %}

# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file

# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
#http_port=0
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0

# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

{% if nat_pmp is vyos_defined %}
# Enable NAT-PMP support (default is no)
enable_natpmp=yes
{% endif %}

# Enable UPNP support (default is yes)
enable_upnp=yes

{% if pcp_lifetime is vyos_defined %}
# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
{%     if pcp_lifetime.max is vyos_defined %}
max_lifetime={{ pcp_lifetime.max }}
{%     endif %}
{%     if pcp_lifetime.min is vyos_defined %}
min_lifetime={{ pcp_lifetime.min }}
{%     endif %}
{% endif %}


# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)

{% if friendly_name is vyos_defined %}
# Name of this service, default is "`uname -s` router"
friendly_name={{ friendly_name }}
{% endif  %}

# Manufacturer name, default is "`uname -s`"
manufacturer_name=VyOS

# Manufacturer URL, default is URL of OS vendor
manufacturer_url=https://vyos.io/

# Model name, default is "`uname -s` router"
model_name=VyOS Router Model

# Model description, default is "`uname -s` router"
model_description=Vyos open source enterprise router/firewall operating system

# Model URL, default is URL of OS vendor
model_url=https://vyos.io/

{% if secure_mode is vyos_defined %}
# Secure Mode, UPnP clients can only add mappings to their own IP
secure_mode=yes
{% else %}
# Secure Mode, UPnP clients can only add mappings to their own IP
secure_mode=no
{% endif %}

{% if presentation_url is vyos_defined %}
# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url= {{ presentation_url }}
{% endif %}

# Report system uptime instead of daemon uptime
system_uptime=yes

# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
clean_ruleset_threshold=10
# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# Anchor name in pf (default is miniupnpd)
# Something wrong with this option "anchor", comment it out
#   vyos@r14# miniupnpd -vv -f /run/upnp/miniupnp.conf
#   invalid option in file /run/upnp/miniupnp.conf line 74 : anchor=VyOS
#anchor=VyOS

uuid={{ uuid }}

# Lease file location
lease_file=/config/upnp.leases

# Daemon's serial and model number when reporting to clients
# (in XML description)
#serial=12345678
#model_number=1

{% if rule is vyos_defined %}
# UPnP permission rules
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
{%     for rule, config in rule.items() %}
{%         if config.disable is not vyos_defined %}
{{ config.action }} {{ config.external_port_range }} {{ config.ip }}{{ '/32' if '/' not in config.ip else '' }} {{ config.internal_port_range }}
{%         endif %}
{%     endfor %}
{% endif %}

{% if stun is vyos_defined %}
# WAN interface must have public IP address. Otherwise it is behind NAT
# and port forwarding is impossible. In some cases WAN interface can be
# behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and
# routed to WAN interfaces without any filtering. In this cases miniupnpd
# needs to know public IP address and it can be learnt by asking external
# server via STUN protocol. Following option enable retrieving external
# public IP address from STUN server and detection of NAT type. You need
# to specify also external STUN server in stun_host option below.
# This option is disabled by default.
ext_perform_stun=yes
# Specify STUN server, either hostname or IP address
# Some public STUN servers:
#  stun.stunprotocol.org
#  stun.sipgate.net
#  stun.xten.com
#  stun.l.google.com (on non standard port 19302)
ext_stun_host={{ stun.host }}
# Specify STUN UDP port, by default it is standard port 3478.
ext_stun_port={{ stun.port }}
{% endif %}