fix: self-healing NAT mappings with request deduplication #3367

lidel · 2025-08-16T03:07:41Z

This PR makes NAT port mappings self-healing after router restarts.
It also adds bunch of tests and eliminates duplicate mapping requests that occur on node start.

Changes

1. Automatic NAT recovery after router restart

Router restarts can cause UPnP (SOAP) services to change their listening ports, leading to "connection refused" errors that permanently break port mappings.
This is the problem described in #3224 (comment) (cc @sukunrt @MarcoPolo)

We had Kubo users impacted this since forever, impacting their ability to provide data:

This PR implements automatic NAT rediscovery that detects consecutive connection failures, triggers rediscovery after 3 failures, and restores all existing port mappings on the new NAT instance.

FWIW I've tested it extensively in my own LAN – see "Demo" at the end.

IIUC this

2. Port mapping deduplication

This is something I've discovered while testing (1), so also fixed it in this PR.

Multiple libp2p transports sharing the same port (TCP, QUIC, WebTransport, WebRTC-direct) were causing duplicate NAT mapping requests. The fix adds deduplication in NAT.AddMapping() that checks if mapping already exists before making NAT API calls.

In case of Kubo IPFS node:

Before: 10 (5 TCP + 5 UDP) mapping attempts for the same port
After: 2 (1 TCP + 1 UDP) mapping attempt (visible at 04:14:06 in the demo)

Demo

The following log shows automatic NAT recovery in action. The router's UPnP service (miniupnpd) restarts and changes its SOAP/HTTP endpoint from port 45251 to a different port, causing "connection refused" errors. After 3 consecutive failures, go-libp2p automatically rediscovers the NAT and restores all mappings:

$ export GOLOG_LOG_LEVEL="error,nat=debug"
$ ipfs daemon
Initializing daemon...
Kubo version: 0.37.0-dev-710953446-dirty
Repo version: 16
System version: amd64/linux
Golang version: go1.25.0
PeerID: 12D3KooWAFYEQLmxbY5xowmqMAFADRbwRDQiSM1cfbmphdHKbhex
Swarm listening on 127.0.0.1:4001 (TCP+UDP)
Swarm listening on 172.17.0.1:4001 (TCP+UDP)
Swarm listening on 172.18.0.1:4001 (TCP+UDP)
Swarm listening on 192.168.1.102:4001 (TCP+UDP)
Swarm listening on [::1]:4001 (TCP+UDP)
Run 'ipfs id' to inspect announced and discovered multiaddrs of this node.
RPC API server listening on /ip4/127.0.0.1/tcp/5001
WebUI: http://127.0.0.1:5001/webui
Gateway server listening on /ip4/127.0.0.1/tcp/8080
Daemon is ready
2025-08-16T04:14:06.558+0200	INFO	nat	nat/nat.go:67	DiscoverGateway address:192.168.1.1
2025-08-16T04:14:06.559+0200	INFO	nat	nat/nat.go:172	Starting maintenance of port mapping: tcp/4001
2025-08-16T04:14:06.559+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:14:06.668+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 16174
2025-08-16T04:14:06.668+0200	INFO	nat	nat/nat.go:172	Starting maintenance of port mapping: udp/4001
2025-08-16T04:14:06.668+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:14:06.954+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 16174
2025-08-16T04:14:26.559+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:14:26.567+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 16174
2025-08-16T04:14:26.568+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:14:26.573+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 16174
2025-08-16T04:14:46.574+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:14:46.580+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 16174
2025-08-16T04:14:46.580+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:14:46.585+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 16174
2025-08-16T04:15:06.586+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:15:06.596+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 16174
2025-08-16T04:15:06.596+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:15:06.601+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 16174
2025-08-16T04:15:26.601+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:15:26.607+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 16174
2025-08-16T04:15:26.607+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:15:26.612+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 16174
2025-08-16T04:15:46.613+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:16:16.616+0200	WARN	nat	nat/nat.go:326	NAT port mapping failed: protocol=tcp internal_port=4001 external_port=0
2025-08-16T04:16:16.616+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:16:16.616+0200	WARN	nat	nat/nat.go:326	NAT port mapping failed: protocol=udp internal_port=4001 external_port=0
2025-08-16T04:16:36.617+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:16:36.617+0200	WARN	nat	nat/nat.go:326	NAT port mapping failed: protocol=tcp internal_port=4001 external_port=0
2025-08-16T04:16:36.617+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:16:36.618+0200	WARN	nat	nat/nat.go:326	NAT port mapping failed: protocol=udp internal_port=4001 external_port=0
2025-08-16T04:17:16.619+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:17:16.619+0200	WARN	nat	nat/nat.go:326	NAT port mapping failed: protocol=tcp internal_port=4001 external_port=0
2025-08-16T04:17:16.619+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:17:16.620+0200	WARN	nat	nat/nat.go:326	NAT port mapping failed: protocol=udp internal_port=4001 external_port=0
2025-08-16T04:17:36.621+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:17:36.654+0200	WARN	nat	nat/nat.go:304	NAT port mapping failed: protocol=tcp internal_port=4001 error="goupnp: error performing SOAP HTTP request: Post \"http://192.168.1.1:45251/ctl/IPConn\": dial tcp 192.168.1.1:45251: connect: connection refused"
2025-08-16T04:17:36.654+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:17:36.678+0200	WARN	nat	nat/nat.go:304	NAT port mapping failed: protocol=udp internal_port=4001 error="goupnp: error performing SOAP HTTP request: Post \"http://192.168.1.1:45251/ctl/IPConn\": dial tcp 192.168.1.1:45251: connect: connection refused"
2025-08-16T04:17:56.678+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:17:56.694+0200	WARN	nat	nat/nat.go:304	NAT port mapping failed: protocol=tcp internal_port=4001 error="goupnp: error performing SOAP HTTP request: Post \"http://192.168.1.1:45251/ctl/IPConn\": dial tcp 192.168.1.1:45251: connect: connection refused"
2025-08-16T04:17:56.694+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:17:56.694+0200	INFO	nat	nat/nat.go:332	NAT rediscovery triggered due to repeated connection failures
2025-08-16T04:17:56.715+0200	WARN	nat	nat/nat.go:304	NAT port mapping failed: protocol=udp internal_port=4001 error="goupnp: error performing SOAP HTTP request: Post \"http://192.168.1.1:45251/ctl/IPConn\": dial tcp 192.168.1.1:45251: connect: connection refused"
2025-08-16T04:18:00.824+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:18:00.930+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 65008
2025-08-16T04:18:00.930+0200	INFO	nat	nat/nat.go:367	NAT mapping restored after rediscovery: tcp 4001 -> 65008
2025-08-16T04:18:00.930+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:18:01.223+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 65008
2025-08-16T04:18:01.223+0200	INFO	nat	nat/nat.go:367	NAT mapping restored after rediscovery: udp 4001 -> 65008
2025-08-16T04:18:01.223+0200	INFO	nat	nat/nat.go:372	NAT rediscovery successful
2025-08-16T04:18:16.716+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:18:16.722+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 65008
2025-08-16T04:18:16.722+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:18:16.726+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 65008
2025-08-16T04:18:36.728+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: udp/4001
2025-08-16T04:18:36.734+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: udp 4001 -> 65008
2025-08-16T04:18:36.734+0200	DEBUG	nat	nat/nat.go:281	Attempting port map: tcp/4001
2025-08-16T04:18:36.742+0200	DEBUG	nat	nat/nat.go:298	NAT port mapping established: tcp 4001 -> 65008
^C
Received interrupt signal, shutting down...
(Hit ctrl-c again to force-shutdown the daemon.)
2025-08-16T04:18:45.085+0200	INFO	nat	nat/nat.go:196	Stopping maintenance of port mapping: tcp/4001
2025-08-16T04:18:45.097+0200	INFO	nat	nat/nat.go:196	Stopping maintenance of port mapping: udp/4001
ipfs daemon  14.25s user 3.83s system 6% cpu 4:43.00 total

Key moments in the log:

04:14:06: Initial NAT discovery succeeds, only 2 mapping attempts (deduplication working)
04:15:46: Router restarts, UPnP service begins failing
04:17:36: Connection refused errors indicate UPnP port changed from :45251
04:17:56: After 3rd failure, automatic rediscovery triggered
04:18:00: NAT rediscovered, mappings restored with new external port 65008
04:18:45: Clean shutdown removes all mappings

Without this fix, the connection refused errors would continue indefinitely, requiring manual daemon restart.

lidel · 2025-09-02T16:06:56Z

@MarcoPolo @sukunrt I've resolved the conflicts (d4ac0de) caused by the grand log refactor that landed in master.

Would it be possible to review this bugfix and ship in the next go-libp2p? 🙏

MarcoPolo · 2025-09-02T16:53:55Z

Yep! I'll take a look this week :)

p2p/net/nat/nat.go

MarcoPolo

minor nits. Looks good. Thanks for this and for testing it!

p2p/net/nat/nat.go

p2p/net/nat/nat_test.go

MarcoPolo · 2025-09-04T04:44:58Z

I’ll deal with the conflicts and merge tomorrow

Router restarts can cause UPnP/NAT-PMP services to change their listening ports, leading to connection refused errors. This fix implements automatic NAT rediscovery when consecutive connection failures are detected, restoring all existing port mappings on the new NAT instance. See #3224 (comment) for details on the router behavior that motivated this fix.

Multiple libp2p transports can share the same port (TCP, QUIC, WebTransport, WebRTC-direct), causing duplicate AddMapping calls for the same protocol/port combination. This fix adds deduplication in NAT.AddMapping to prevent redundant NAT device operations and reduce log spam.

lthibault · 2025-10-21T18:59:44Z

Is self-healing NAT a planned feature for Rust?

Happy to begin working on a port if there's interest.

mishmosh · 2025-10-30T05:08:03Z

@jxs might be able to comment on how self-healing NAT fits into rust-libp2p plans.

lidel requested a review from sukunrt August 16, 2025 03:07

lidel mentioned this pull request Aug 16, 2025

Release 0.38 ipfs/kubo#10884

Closed

49 tasks

lidel marked this pull request as ready for review August 16, 2025 03:22

lidel mentioned this pull request Aug 16, 2025

bug: failed to establish port mapping: goupnp: error performing SOAP HTTP request after LAN (upnp) router restart ipfs/kubo#9759

Closed

3 tasks

MarcoPolo self-requested a review August 25, 2025 21:01

lidel mentioned this pull request Sep 2, 2025

IPFS doesn't reestablish UPnP mapping after router reboot ipfs/kubo#8963

Closed

3 tasks

MarcoPolo reviewed Sep 3, 2025

View reviewed changes

p2p/net/nat/nat.go Show resolved Hide resolved

MarcoPolo approved these changes Sep 3, 2025

View reviewed changes

p2p/net/nat/nat.go Outdated Show resolved Hide resolved

p2p/net/nat/nat_test.go Show resolved Hide resolved

MarcoPolo force-pushed the fix-heal-nat-mappings branch 2 times, most recently from 5f61fa8 to d59d597 Compare September 3, 2025 21:50

MarcoPolo force-pushed the fix-heal-nat-mappings branch from d59d597 to c916a49 Compare September 4, 2025 17:29

lidel and others added 2 commits September 4, 2025 10:31

Skip mdns tests on macOS in CI

ff8b509

MarcoPolo force-pushed the fix-heal-nat-mappings branch from c916a49 to ff8b509 Compare September 4, 2025 17:31

MarcoPolo merged commit 3ecae66 into master Sep 4, 2025
11 checks passed

lidel mentioned this pull request Jul 22, 2025

Kubo users can more directly control which data is advertised — IPFS/2025 ipshipyard/roadmaps#8

Open

lidel mentioned this pull request Oct 1, 2025

Release 0.39 ipfs/kubo#10946

Open

65 tasks

lidel mentioned this pull request Oct 24, 2025

fix: go-libp2p v0.44 with self-healing UPnP port mappings ipfs/kubo#11032

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: self-healing NAT mappings with request deduplication #3367

fix: self-healing NAT mappings with request deduplication #3367

Uh oh!

lidel commented Aug 16, 2025 •

edited

Loading

Uh oh!

lidel commented Sep 2, 2025 •

edited

Loading

Uh oh!

MarcoPolo commented Sep 2, 2025 via email

Uh oh!

Uh oh!

MarcoPolo left a comment

Uh oh!

Uh oh!

Uh oh!

MarcoPolo commented Sep 4, 2025

Uh oh!

Uh oh!

lthibault commented Oct 21, 2025 •

edited

Loading

Uh oh!

mishmosh commented Oct 30, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

fix: self-healing NAT mappings with request deduplication #3367

fix: self-healing NAT mappings with request deduplication #3367

Uh oh!

Conversation

lidel commented Aug 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

1. Automatic NAT recovery after router restart

2. Port mapping deduplication

Demo

Uh oh!

lidel commented Sep 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

MarcoPolo commented Sep 2, 2025 via email

Uh oh!

Uh oh!

MarcoPolo left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

MarcoPolo commented Sep 4, 2025

Uh oh!

Uh oh!

lthibault commented Oct 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mishmosh commented Oct 30, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

lidel commented Aug 16, 2025 •

edited

Loading

lidel commented Sep 2, 2025 •

edited

Loading

lthibault commented Oct 21, 2025 •

edited

Loading