Centralize discussion around turning the `natpmp` setting to on by default.
UPnP used to be turned on by default. It was turned off by default following numerous vulnerabilities found in miniupnpc. We recently got rid of the miniupnpc dependency by dropping the UPnP feature (https://github.com/bitcoin/bitcoin/pull/31130). In addition, we implemented PCP with NAT-PMP fallback in-house (https://github.com/bitcoin/bitcoin/pull/30043), safer protocols enabling the same NAT traversal feature to end users.
We have unit tests for our in-house implementation of PCP/NAT-PMP on the way (https://github.com/bitcoin/bitcoin/pull/31022). Once we also have fuzzing coverage, it becomes reasonable to consider potentially enabling the feature by default. The upside of turning this feature on by default is, if most ISP default-provided routers support it by default, a much more diverse P2P network. The downside is an increased attack surface: a vulnerability affecting only listening nodes would now also expose people’s nodes at home.
Compatibility matrix of our PCP/NAT-PMP support. If your router at home is not included in this list please consider testing and let me know the result. See below for testing instructions.
Router | PCP support | NAT-PMP fallback support | Is PCP/NAT-PMP support enabled by default on the router? |
---|---|---|---|
Verizon default-provided router | ❌ | ✅ | ✅ |
Spectrum’s “WIFI 6E router” | ✅ | N/A | ❌ |
CR1000A (Verizon FIOS) | ❌ | ✅ | ✅ |
Arcadyan PRV3399B-B-LT (aka Livebox Fibra) | ❌ | ? (did not fall back to NAT-PMP) | ❌ (but UPnP is) |
Astound | ? | ? | ? |
Archer AX3000 Pro | ❌ | ✅ | ✅ |
Archer AC1750 | ❌ | ✅ | ✅ |
Archer AX1800 | ❌ | ✅ | ✅ |
UniFi Cloud Gateway Ultra | ✅ | N/A | ❌ |
Huawei EchoLife HG8145V5 | ❌ | ❌ | ? |
JCO4032 | ❌ | ? (only tested with IPv6) | ❌ |
FRITZ!Box 7530 AX | ✅ | N/A | ❌ |
OPNsense | ✅ | N/A | ❌ |
OpenWrt | ✅ | N/A | ? |
Proton VPN port forwarding | ❌ | ✅ | ❌ |
Testing instructions
- Download the latest Bitcoin Core v29.0 release candidate
- Start `bitcoind` on any network with the `natpmp` flag
- Spot the lines mentioning “PCP”, “NAT-PMP”, “natpmp” or “port mapping”. The lines will show directly on startup, no need to wait for IBD or whatnot. The process can be stopped after seeing these logs.
- Check if the port was successfully mapped, check if it worked immediately with PCP or if NAT-PMP fallback was necessary
- (optional) in case of failure, check if you need to manually enable PCP support in your router’s configuration
- (optional) in case of success, you could check if the node is publicly reachable for good measure
- Stop `bitcoind`
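
One way to do the log-reading step of the testing instructions, as an added example that is not part of the original issue or of Bitcoin Core: it filters a saved log for the four terms listed above and counts the matching lines per protocol. The function names and the sample log lines are constructed for illustration; real `bitcoind` log wording may differ.

```shell
#!/bin/sh
# Added example: triage a saved bitcoind log for the port-mapping lines.
# Only the four search terms come from the issue; the function names and
# the sample log below are hypothetical.

TERMS='PCP|NAT-PMP|natpmp|port mapping'

# Print the lines a tester needs to read, prefixed with their line number.
# $1 = path to debug.log or to a saved copy of the startup output.
portmap_lines() {
    grep -niE "$TERMS" "$1" || true   # no match is not an error here
}

# Count the port-mapping lines that mention one protocol.
# $1 = regex for the protocol, $2 = log file.
count_mentions() {
    portmap_lines "$2" | grep -ciE "$1" || true
}

# The counts only say where to look. A line that merely echoes the natpmp
# setting also counts, so read the lines themselves before filling in the
# PCP and NAT-PMP columns of the compatibility matrix.
portmap_summary() {
    pcp=$(count_mentions 'PCP' "$1")
    pmp=$(count_mentions 'NAT-PMP|natpmp' "$1")
    echo "pcp_lines=$pcp natpmp_lines=$pmp"
}

# Constructed sample log: PCP is tried first, then NAT-PMP.
write_sample_log() {
    cat > "$1" <<'EOF'
2025-01-01T00:00:00Z [constructed] node starting
2025-01-01T00:00:01Z [constructed] pcp: requesting port mapping from gateway
2025-01-01T00:00:02Z [constructed] pcp: request failed, no response
2025-01-01T00:00:03Z [constructed] natpmp: requesting port mapping from gateway
2025-01-01T00:00:04Z [constructed] natpmp: mapping successful
2025-01-01T00:00:05Z [constructed] net thread start
EOF
}

# Usage: sh portmap_triage.sh /path/to/debug.log
if [ -n "${1:-}" ]; then
    portmap_lines "$1"
    portmap_summary "$1"
fi
```
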