Until recently, I’ve been using the official 17.01 release build on my TP-Link TL-WDR4300 router with miniupnp installed on it. Everything worked great until I decided to switch to the latest 17.01 code that I pulled from git and built locally. That’s when I started getting a flood of denied SSDP packets coming through LEDE’s wan firewall, and miniupnp started periodically writing (every 15 seconds or so) messages about ignored upnp requests from two of my set-top boxes connected to my ISP’s router:
...
Thu May 4 20:17:46 2017 daemon.warn miniupnpd[5122]: SSDP packet sender 192.168.1.102:1900 not from a LAN, ignoring <- repeated 10 times
Thu May 4 20:17:59 2017 daemon.warn miniupnpd[5122]: SSDP packet sender 192.168.1.101:1900 not from a LAN, ignoring <- repeated 10 times
Thu May 4 20:18:16 2017 daemon.warn miniupnpd[5122]: SSDP packet sender 192.168.1.102:1900 not from a LAN, ignoring <- repeated 10 times
...
While miniupnp is properly doing its job of serving only LAN requests, I’m wondering how those requests were able to get through the wan firewall at all?
When I turn miniupnp off, the only difference in iptables is the MINIUPNP redirects opened for upnp clients from lan. Port 1900 is definitely closed on wan, and
Here is my layout:
                +-------------+       +----------------------+
Internet <------+ ISP Router  | <-----+ LEDE with miniupnp   |
                | 192.168.1.1 |       | wan: 192.168.1.2/24  |
                +--+-----+----+       | lan: 192.168.11.1/24 |
                   ^     ^            +----------------------+
                   |     |
          +--------+-----+--------+
          | STB1: 192.168.1.101   |
          | STB2: 192.168.1.102   |
          +-----------------------+
Configuration:
/etc/config/upnpd:
# miniupnpd daemon settings: serves UPnP IGD and NAT-PMP on 'lan', opens
# mappings on 'wan'.
config upnpd config
option enable_natpmp 1
option enable_upnp 1
# secure_mode: a client may only request mappings that point at its own
# address, not at other hosts on the lan.
option secure_mode 1
# log_output: presumably controls extra logging to stdout/syslog — confirm in
# the init script; the 'not from a LAN' warnings above are emitted regardless.
option log_output 0
# Interfaces are LEDE network names (see /etc/config/firewall zones below).
option external_iface wan
option internal_iface lan
# HTTP port of the UPnP description/control service on the lan side.
option port 5000
option upnp_lease_file /var/upnp.leases
# Permission rules are evaluated in order; first match wins.
# Allow: lan clients (192.168.11.0/24) may map unprivileged external ports
# (1024-65535) to unprivileged internal ports only.
config perm_rule
option action allow
option ext_ports 1024-65535
option int_addr 192.168.11.1/24
option int_ports 1024-65535
option comment 'Allow high ports'
# Deny: everything not matched by the allow rule above — any other address,
# any privileged port — is refused. Keep this as the last perm_rule.
config perm_rule
option action deny
option ext_ports 0-65535
option int_addr 0.0.0.0/0
option int_ports 0-65535
option comment 'Default deny'
/etc/config/firewall:
# Zone-independent defaults; per-zone policies below override input/output/
# forward for traffic that matches a zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# NOTE(review): with the IPv6 firewall disabled here, the ipv6-family
# 'Allow-DHCPv6' rule below is not loaded — confirm this is intended.
option disable_ipv6 '1'
# 'lan' zone (192.168.11.0/24 per the layout): hosts may reach the router's
# own services (input ACCEPT); traffic between networks inside the zone is
# rejected unless a 'forwarding' section permits it.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option family 'ipv4'
# 'wan' zone (192.168.1.2/24, the ISP router's segment where the STBs live).
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
# input DROP: unsolicited traffic addressed to the router on wan is dropped
# unless an 'Allow-*' rule below accepts it. None of the rules in this file
# accepts UDP 1900 (SSDP); if 'iptables -S' shows such an entry in the wan
# input chain, it comes from an include (/etc/firewall.user or the miniupnpd
# script), not from this file.
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
# NAT lan traffic behind the wan address; clamp MSS to the path MTU.
option masq '1'
option mtu_fix '1'
# Only lan -> wan forwarding is permitted. There is no wan -> lan forwarding
# section, so inbound traffic reaches lan only through the explicit rules and
# redirects below (and whatever the miniupnpd include adds at runtime).
config forwarding
option src 'lan'
option dest 'wan'
# Accept DHCP replies (UDP 68) arriving on wan, presumably so the wan lease
# from the ISP router (192.168.1.1) can be obtained and renewed.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Accept DHCPv6 (UDP 546) between link/site-local addresses on wan.
# Inert while 'disable_ipv6' is set in the defaults above.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule (src wan, dest lan): lets IPsec AH packets from wan through to
# lan hosts. NOTE(review): only needed if a lan host terminates IPsec; the
# esp and ISAKMP rules below form the same set.
config rule
option name 'Allow-IPSec-ah'
option src 'wan'
option dest 'lan'
option proto 'ah'
option target 'ACCEPT'
# Forward rule (src wan, dest lan): lets IPsec ESP packets from wan through
# to lan hosts. Pairs with the AH and ISAKMP rules around it.
config rule
option name 'Allow-IPSec-esp'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Forward rule (src wan, dest lan): IKE/ISAKMP, UDP 500 -> 500 only.
# Pairs with the AH and ESP rules above.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_port '500'
option dest_port '500'
option target 'ACCEPT'
# Capture all DNS (TCP/UDP 53) from lan. No 'dest_ip' is given, so the
# DNAT targets the router itself, forcing lan clients onto the local resolver.
config redirect
option name 'Divert-DNS'
option src 'lan'
option proto 'tcpudp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
# Port forward: TCP 443 arriving on wan is DNAT'ed to a lan host
# (address redacted by the author as 192.168.11.XXX). This host is reachable
# from the wan segment, including from the ISP router and the STBs.
config redirect
option name 'Forward-HTTPS'
option src 'wan'
option src_dport '443'
option proto 'tcp'
option dest 'lan'
option dest_ip '192.168.11.XXX'
option target 'DNAT'
# Port forward: TCP/UDP 27015 (Steam) on wan DNAT'ed to a lan host
# (address redacted by the author as 192.168.11.XXX), IPv4 only.
config redirect
option name 'Forward-Steam'
option src 'wan'
option src_dport '27015'
option proto 'tcpudp'
option family 'ipv4'
option dest 'lan'
option dest_ip '192.168.11.XXX'
option target 'DNAT'
# Custom rules file; its contents are not shown in this post, so any rule it
# adds (e.g. on the wan input chain) would not be visible above.
config include
option path '/etc/firewall.user'
# miniupnpd hook: the script installs the MINIUPNPD chains/redirects at
# firewall start and re-runs on every reload ('reload' = 1). Compare
# 'iptables -S' with and without this include to see exactly what it adds.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'