UPnP/miniupnpd in 2024

After reading this thread:

https://forum.openwrt.org/t/tutorial-how-to-add-a-device-to-dmz-on-openwrt/190247

I started to do some more reading about port forwarding for game consoles. I have a situation where 2 XBoxes will be behind the same router, which seems to require the use of UPnP for proper connectivity in games like Destiny (with P2P multiplayer).

Most of the OpenWrt documentation on UPnP seems to be ancient so it would be nice if someone can weigh in on current vulnerabilities, and also verify/clarify my reading of the existing documentation.

In the miniupnpd documentation there is a section about rules:

https://openwrt.org/docs/guide-user/firewall/upnp/miniupnpd#config_perm_rule

If I'm understanding this correctly, I can configure specific rules, similar to what I would use for port forwarding, that lock down what UPnP is allowed to do. So for my case with a pair of XBoxes, I could give them both static addresses and then use this to deny all UPnP access except the ports needed by the XBox network and Destiny for those two client addresses? Are there still vulnerabilities in that situation that are not obvious (making the assumption that the XBoxes themselves are not compromised)?


Thank you for posting this. I'm curious if someone has more updated info regarding UPnP.

Regarding the solution, you're right, it seems that you just need to remove the default "Allow all high ports" rule with the 0.0.0.0/0 and just add 2 new rules that are exactly the same, only with the IP address of each Xbox instead of 0.0.0.0/0.

You also need to set up a static IP in Network > DHCP and DNS > Static Leases for each Xbox console.
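As an added illustration, not part of this post or of miniupnpd's own code, here is a small Python model of how miniupnpd walks its perm_rules (first matching rule wins, and a request that matches no rule is allowed, which is why the trailing deny-all matters), showing the difference between the default 0.0.0.0/0 allow and two per-console allows. The console addresses 192.168.1.50 and 192.168.1.51 and the ports used in the checks are assumed placeholders; secure_mode's separate "only map to the requesting host" check is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule sets in miniupnpd's "action ext_ports int_addr/cidr int_ports" form.
# DEFAULT_RULES mirrors the stock OpenWrt set (any LAN host may map high ports).
# HARDENED_RULES replaces the 0.0.0.0/0 allow with one allow per statically leased
# console (placeholder addresses) and keeps the trailing deny-all.
DEFAULT_RULES = [
    "allow 1024-65535 0.0.0.0/0 1024-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
]
HARDENED_RULES = [
    "allow 1024-65535 192.168.1.50/32 1024-65535",  # Xbox 1 (assumed static lease)
    "allow 1024-65535 192.168.1.51/32 1024-65535",  # Xbox 2 (assumed static lease)
    "deny 0-65535 0.0.0.0/0 0-65535",               # everything else is refused
]


@dataclass
class Rule:
    allow: bool
    ext: range                      # permitted external port range
    net: ipaddress.IPv4Network      # internal hosts the rule applies to
    internal: range                 # permitted internal port range


def parse_rule(line: str) -> Rule:
    """Parse one perm_rule line into its action, port ranges and address block."""
    action, ext, net, internal = line.split()

    def port_range(spec: str) -> range:
        lo, hi = (int(x) for x in spec.split("-"))
        return range(lo, hi + 1)

    return Rule(action == "allow", port_range(ext),
                ipaddress.ip_network(net), port_range(internal))


def mapping_allowed(rules, ext_port: int, int_addr: str, int_port: int) -> bool:
    """Model of miniupnpd's check: first matching rule decides; no match means allow."""
    addr = ipaddress.ip_address(int_addr)
    for rule in map(parse_rule, rules):
        if ext_port in rule.ext and addr in rule.net and int_port in rule.internal:
            return rule.allow
    return True  # miniupnpd's fallback when nothing matches; the deny-all rule prevents this


if __name__ == "__main__":
    # A third, unlisted LAN host asking for a high-port mapping
    print(mapping_allowed(DEFAULT_RULES, 3074, "192.168.1.77", 3074))   # True
    print(mapping_allowed(HARDENED_RULES, 3074, "192.168.1.77", 3074))  # False
```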

No one has any additional input on the risks of UPnP when set up as suggested?

I'll add a bit of what I know, although I don't use upnp and wouldn't recommend it.

The original upnp implementations would allow a device to request ports to be opened/forwarded to any address that they specified. This meant that a compromised computer could, in theory, poke holes in the router's firewall and have that traffic forwarded to any other device on the network. This obviously presents a major attack vector within a network that could silently compromise many other hosts.

Later implementations have theoretically addressed this by only allowing port-forwarding of traffic to the host that actually makes the request. In Ubiquiti's EdgeMax line of routers, this is known as upnp2. Per the link above, that would be the "secure mode" option in OpenWrt's implementation.

However, even with the upnp2/secure mode configuration, it still presents a risk insofar as a compromised host could still open ports to itself, allowing remote access for data access or other remote execution attacks.

Presumably, if the int_address is configured to point to only the host(s) that explicitly should have upnp enabled (such as a game console), this significantly limits the potential attack surfaces. This still assumes that the game console or other device will only open ports for legitimate purposes (i.e. the host itself is not compromised and the app is trustworthy)... after all, a rogue app could still serve as a springboard to gain entry into the network via the allowed upnp host(s). And, in fact, it doesn't have to be a rogue app, per se... it could be a legit app that happens to have a security vulnerability.

With all that said, I personally recommend manual port forwarding, and only when necessary. I'd avoid upnp because, by its nature, it does things silently and without the explicit knowledge of the network administrator, raising the risk of compromises (even with port forwarding, the "legit app with a vulnerability" scenario could still be a liability, but at least the network admin would have knowingly opened the port rather than being surprised by the fact that a port was opened).

That's my opinion, though... it's all a balance of security vs convenience, and that calculation is different for each person.


Thank you for those insights!

That all makes a lot of sense. I'd rather avoid using it altogether, but it seems to be a necessary evil if you want to allow two XBoxes (or presumably two PS5s) to play online games behind the same router.

That seems to be true, as there is not much definitive info on which ports need to be forwarded in those specific scenarios.

Technically, you could run UPnP, start the game consoles and see what ports they forward when they are both on. Then you could manually forward those ports to each console and turn off UPnP.

However, it's not guaranteed that this will work, or that the ports needed would be the same after the next reboot.