Help configuring miniupnpd

Hi,

According to the documentation found here https://wiki.openwrt.org/doc/uci/miniupnpd, in my config file I have:

config perm_rule
        option comment 'DesktopPC'
        option int_addr '192.168.1.116/24'
        option action 'deny'
        option ext_ports '0-65535'
        option int_ports '0-65535'

Miniupnpd should be "disabled" for my DesktopPC, but that's not true; checking the file:

/tmp/upnp.leases

I could see upnpd redirecting ports to my DesktopPC.
Do I have to change something more? What am I doing wrong?

Thanks a lot,

This wiki page is more current...

https://openwrt.org/docs/user-guide/services/miniupnpd


Thanks @jwoods I'll check it!!!

Did you delete any prior redirects after applying the rule? Did you restart miniupnpd and the firewall after applying the rule as well?

Yes, I did it.
Maybe it's because of the netmask (use 32 instead of 24); I'm trying that now.

/32 is not a valid netmask for IP subnet blocks, as /32 is the broadcast netmask.

You may already know this, but if not, UPnP is a massive security risk and is never recommended for utilization on WAN facing routers.

  • Only certain devices/services require port redirects, and the specific ports for specific devices/services which need redirects can either be found on the device's/service's website or PortForward.com

Maybe the /32 netmask is for pointing at a single machine in UPnP? Maybe using mask /24 gets access to the rest of the network 192.168.1.0 (it's just my own theory).

Yes, thanks @JW0914, I know it is not secure. I only want to use it on one device (Xbox One); that's the reason I want to block UPnP from my DesktopPC/rest of the network.

Where are you getting a /32 [255.255.255.255] netmask from, as it is a broadcast netmask (i.e. it's not device specific)

UPnP is not just insecure, it's a massive security risk... while multiple explanations can be found via your search engine of choice, this one in particular is quite informative.

The ports required for Xbox Live redirects are publicly available on Xbox's support site, as well as PortForward.com... you're willing to make your router less secure over taking ~5min to add the required port redirects?

#

   ##::[[---  LEDE WAN Firewall Config  ---]]::##

####################################################
           ##----- NAT Redirects -----##
####################################################

    # Xbox Live #
#---------------------------------------------------
config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'WAN'
    option  src_dport       88
    option  dest            'LAN'
    option  dest_ip         192.168.1.2
    option  dest_port       88
    option  name            'Allow Xbox Live (88) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             'WAN'
    option  src_dport       3074
    option  dest            'LAN'
    option  dest_ip         192.168.1.2
    option  dest_port       3074
    option  name            'Allow Xbox Live (3074) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'WAN'
    option  src_dport       500
    option  dest            'LAN'
    option  dest_ip         192.168.1.2
    option  dest_port       500
    option  name            'Allow Xbox Live (500) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'WAN'
    option  src_dport       3544
    option  dest            'LAN'
    option  dest_ip         192.168.1.2
    option  dest_port       3544
    option  name            'Allow Xbox Live (3544) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'WAN'
    option  src_dport       4500
    option  dest            'LAN'
    option  dest_ip         192.168.1.2
    option  dest_port       4500
    option  name            'Allow Xbox Live (4500) -> Xbox One'

Yes, I understand it is not secure, but just out of curiosity, there should be a way to point UPnP at a single IP/device and block the rest of the network?

Since you refuse to read, best of luck =]

It's not a matter of refusing anything, I really appreciate your help @JW0914, but for curiosity/fun it should be possible.

What exactly is the purpose of asking for help, being provided said help, then refusing to read the help provided? I didn't provide a link to Stack Exchange for you to ignore it then request to be told the same information provided in that link.

Again, best of luck, as I don't have the patience =]

Sorry for bothering you my friend.

Yeah, there is, Klingon. Here's my config:

config perm_rule
	option comment 'Allow PS4'
	option ext_ports '0-65535'
	option int_ports '0-65535'
	option action 'allow'
	option int_addr '192.168.1.x/24'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Deny UPnP Requests'

config upnpd 'config'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/upnp.leases'
	option enabled '1'
	option uuid 'x'

192.168.1.x/24 is the static IP address of your Xbox outside the DHCP range. Make sure you have Secure Mode enabled. This means that only the IP that asks for the port forward will be forwarded to (i.e. 192.168.1.10 can't ask for 192.168.1.20). Any other devices on your LAN will not receive a port forward when they ask through UPnP.

As far as security goes, at this point it is highly unlikely your Xbox has or will get malware on it, so not much need to worry in that aspect. As far as flash requests go on your PCs via UPnP, well, those are blocked because their IP is not that of your Xbox, as we are blocking all other IPs from requesting. Yes, packets can be spoofed, but even if they are spoofed to open ports to your Xbox's IP, what will this accomplish? Most likely nothing. At this point, in order to open ports via UPnP to your PC if malware is on it, the malware has to either break into the router and switch the address reserved for your Xbox with your PC's. Highly unlikely. Or spoof the PC's MAC address to the Xbox's MAC address and acquire the Xbox's IP. If the malware is smart enough to do this, it is possible it could have a built-in mechanism as well to check for any port forwards and could spoof to any device that has an open port available to it and dynamically change the malicious service to run on that port as well, regardless of whether UPnP is enabled or disabled.

There are security risks when any port is opened by either forwarding or UPnP. The key is to do what you can to mitigate the risks and be vigilant and cautious when it comes to opening files and visiting sites on your PC. This UPnP setup is much more secure because the Xbox device is the only one that can request a forward via UPnP. In general, gaming consoles, when running stock firmware without homebrew and modifications, do not present a risk of malicious programs infecting them or services being exploited remotely. Thus, it's safe for them to be allowed UPnP requests.

Consoles generally have a list of what ports need forwarding for smooth operation. However, I have seen my share of games that require certain ports outside the typically used ports to function without hiccups. With different games and gaming manufacturers using different ports it is hard to keep up with all the different ports you need to forward for a specific game to run smoothly online.

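The question running through this thread (the OP's deny rule on 192.168.1.116/24 that still let the DesktopPC get forwards, and the allow rule on 192.168.1.x/24 in the config above) comes down to how miniupnpd matches a perm_rule. The address part of a rule is a network: the daemon masks it with the prefix length before comparing, so a /24 covers the whole LAN and a /32 covers exactly one host, and rules are checked top to bottom with the first match deciding (accept when nothing matches). The following Python model is an added example, not code from this thread or from miniupnpd; it reimplements those two semantics on constructed data. The stock OpenWrt "Allow high ports" rule placed above the OP's deny rule is an assumption made to illustrate the ordering effect, and the lease lines are made up in the /tmp/upnp.leases layout (proto:eport:iaddr:iport:timestamp:description).

```python
"""Added illustration (not code from this thread or from miniupnpd itself):
a small model of how miniupnpd evaluates perm_rule entries.

Two behaviours are reproduced from miniupnpd's documented semantics:
  * the int_addr of a rule is a network: the address is masked with the
    prefix length before comparison, so '192.168.1.116/24' is the same rule
    as '192.168.1.0/24' and matches every LAN host, while '/32' matches
    exactly one host;
  * rules are checked in order and the first match decides; when nothing
    matches the request is accepted.

The OpenWrt default rule, its position relative to the OP's rule, and the
lease lines below are constructed sample data for this example."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PermRule:
    action: str                        # 'allow' or 'deny'
    ext_ports: range                   # inclusive port range, as a Python range
    int_addr: ipaddress.IPv4Network    # already masked, as miniupnpd stores it
    int_ports: range
    comment: str = ""


def parse_ports(spec: str) -> range:
    """'0-65535' -> range(0, 65536)."""
    lo, hi = spec.split("-")
    return range(int(lo), int(hi) + 1)


def perm_rule(action, ext_ports, int_addr, int_ports, comment=""):
    """Build a rule the way miniupnpd reads an 'allow'/'deny' line.
    strict=False discards the host bits exactly as the daemon's mask does."""
    return PermRule(action, parse_ports(ext_ports),
                    ipaddress.ip_network(int_addr, strict=False),
                    parse_ports(int_ports), comment)


def evaluate(rules, eport, iaddr, iport):
    """First matching rule decides; default is 'allow' if nothing matches.
    Returns (decision, matching rule or None)."""
    addr = ipaddress.ip_address(iaddr)
    for rule in rules:
        if (eport in rule.ext_ports and iport in rule.int_ports
                and addr in rule.int_addr):
            return rule.action, rule
    return "allow", None


def parse_leases(text):
    """Parse lines in the /tmp/upnp.leases layout:
    proto:eport:iaddr:iport:timestamp:description."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, eport, iaddr, iport, _ts, desc = line.strip().split(":", 5)
        entries.append((proto, int(eport), iaddr, int(iport), desc))
    return entries


def audit(rules, leases_text):
    """Lease entries the given rules would have rejected, i.e. forwards that
    exist although the policy says they should not."""
    return [e for e in parse_leases(leases_text)
            if evaluate(rules, e[1], e[2], e[3])[0] == "deny"]


# The OP's deny rule, assumed (for this example) to sit below OpenWrt's stock
# 'Allow high ports' rule: the allow rule matches first for any high port, so
# the /24 deny never gets a say for the PC's request.
OP_RULES = [
    perm_rule("allow", "1024-65535", "0.0.0.0/0", "1024-65535", "Allow high ports"),
    perm_rule("deny", "0-65535", "192.168.1.116/24", "0-65535", "DesktopPC"),
]

# Corrected policy: one host allowed by /32, everything else denied.
FIXED_RULES = [
    perm_rule("allow", "0-65535", "192.168.1.2/32", "0-65535", "Allow Xbox"),
    perm_rule("deny", "0-65535", "0.0.0.0/0", "0-65535", "Deny everything else"),
]

# Constructed lease file contents, not captured from a real router.
SAMPLE_LEASES = """\
UDP:3074:192.168.1.2:3074:1542121210:Xbox
TCP:6881:192.168.1.116:6881:1542121300:DesktopPC torrent client
"""


if __name__ == "__main__":
    print("OP /24 rule really covers:", OP_RULES[1].int_addr)
    print("PC under OP rules:", evaluate(OP_RULES, 6881, "192.168.1.116", 6881)[0])
    print("PC under fixed rules:", evaluate(FIXED_RULES, 6881, "192.168.1.116", 6881)[0])
    print("Xbox under fixed rules:", evaluate(FIXED_RULES, 3074, "192.168.1.2", 3074)[0])
    for entry in audit(FIXED_RULES, SAMPLE_LEASES):
        print("lease violates policy:", entry)
```

Two things fall out of running it: the OP's deny rule on 192.168.1.116/24 is stored as 192.168.1.0/24, so on its own it would deny the Xbox as well as the PC, and if any allow rule precedes it the PC is still allowed; the corrected pair (allow the console's /32, then deny 0.0.0.0/0) permits only that one host. The audit function is the check to run against your real /tmp/upnp.leases after a restart: any entry it returns is a forward the policy should not have produced.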

UPnP has never been, and will never be, a secure option to choose (as mentioned numerous times above, a simple Google search would demonstrate the massive security risk UPnP is, as well as show that enabling secure mode does not mitigate the risks), and choosing to utilize UPnP over forwarding a handful of ports is just lazy when it's easy enough to find what ports need to be redirected for any device or service (Xbox Live requires 5). 99% of consumer devices and services do not require port redirects...

So call me an idiot, but to purposefully punch exploitable holes in your WAN router's firewall over a handful of devices requiring redirects lacks common sense...

The OP was asking if it's possible to make it so only one device is able to make UPnP requests while all others cannot. I answered his question. If you "do not have the patience," kindly click the back button. Thank you very much!

P.S. As you stated about "taking the time to read things", follow your own advice as well, because I never said secure mode alone mitigates risk. I said that secure mode in conjunction with having only one device able to make UPnP requests mitigates a bit of risk when that device is a console. :)


Thanks for your help @mj5030 I will try it!!!