XBOX 360 - DHCP and Manual Lease not working

I suggest using UPnP with appropriate ACLs to only allow the Xboxes to open ports as needed.

2 Likes

@JW0914 Those posts are over five years old. miniupnpd has matured a lot since then, and, more importantly, on OpenWrt there are ACLs (as @jow points out). I actually knew this. I do know that with two Xboxes you are not guaranteed as to what ports you're going to get. With OpenWrt you can enable UPnP just for the XBoxes, which solves the problem of suddenly allowing general purpose devices (and/or uber-risky IoT devices) to use UPnP. And of course if you worry some game is going to open ports on the XBox to do nefarious things, then really you shouldn't be using an XBox.

Oh and miniupnpd in OpenWrt is configured to restrict UPnP to opening ports on the device that originated the requests (there are implementations of UPnP that didn't make that essential so a device could open ports to another device).

1 Like
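An added illustration, not part of the thread and not miniupnpd's own code: a small Python model of how a first-match permission ruleset plus secure mode, as described in the post above, decides port-mapping requests. The LAN addresses, the rule set and the sample ports are constructed, and `check` is a hypothetical helper name.

```python
import ipaddress

# Constructed ruleset in miniupnpd.conf permission-rule syntax:
#   (allow|deny) <ext port range> <LAN ip/mask> <int port range>
# 192.168.1.50 and .51 are assumed static leases for the two consoles.
RULES = """
allow 1024-65535 192.168.1.50/32 1024-65535
allow 1024-65535 192.168.1.51/32 1024-65535
deny 0-65535 0.0.0.0/0 0-65535   # explicit default deny, keep it last
"""

def parse_range(text):
    """'1024-65535' -> (1024, 65535); a single port '3074' -> (3074, 3074)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action}")
        rules.append((action == "allow", parse_range(ext),
                      ipaddress.ip_network(net), parse_range(internal)))
    return rules

def check(rules, requester, int_client, ext_port, int_port, secure_mode=True):
    """Return (allowed, reason) for one port-mapping request."""
    # Secure mode: a host may only request mappings that point at itself.
    if secure_mode and requester != int_client:
        return False, "secure_mode: requester is not the internal client"
    addr = ipaddress.ip_address(int_client)
    # Rules are evaluated in order; the first one that matches decides.
    for n, (allow, ext, net, internal) in enumerate(rules, 1):
        if (ext[0] <= ext_port <= ext[1] and addr in net
                and internal[0] <= int_port <= internal[1]):
            return allow, f"rule {n}"
    return False, "no rule matched"  # this model fails closed (assumption)

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print(check(rules, "192.168.1.50", "192.168.1.50", 3074, 3074))
    print(check(rules, "192.168.1.77", "192.168.1.50", 3074, 3074))
```

Rule order matters: moving the `deny` line to the top would block both consoles, and dropping it leaves the outcome for every other host to the daemon's fallback behaviour rather than to an explicit rule.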

UPnP, even with ACLs, is still not a secure service to run, as UPnP, by definition, will always be a security risk. This is not my opinion, but the consensus of most, if not all, InfoSec researchers.

As to the age of the post, you must be unfamiliar with StackExchange... it's not a forum, it's an answer site. You clearly didn't take the time to review Rapid7's white paper, let alone bother to google something like "UPnP Security Flaw", or something as simple as "UPnP Safe"... perhaps some due diligence should be considered.

Furthermore, this is directly from the maintainer of miniupnpd's site:

Security

UPnP implementations are potentially subject to security breaches. Badly implemented or configured UPnP IGDs are vulnerable. Security researcher HD Moore did a good work to reveal vulnerabilities in existing implementations : Security Flaws in Universal Plug and Play (PDF). A common problem is to let SSDP or HTTP/SOAP ports open to the internet : they should be only reachable from the LAN.

In the past, several vulnerabilities have been found in MiniUPnPd, so it is very important to update your code to the last version.

Good stuff, I'll be giving this a shot tonight and will report back.

Btw, I just learned that UPnP was enabled by default on my LEDE installation, since it imposes so many risks shouldn't it be set to OFF by default on new LEDE releases? Just wondering.


But the service was never started... Hence why 'Start UPnP and NAT-PMP service' is not ticked. Therefore, it's not ON by default.

Again, you're linking 5-6 year old information. I've had this discussion with you a few months ago regarding UPnP, ACLs, and consoles. Please, reread my previous argument in that thread. Provide to me a relevant exploit or proof of concept that counters my opinion. Stop calling people lazy, when you yourself are being lazy by not providing that information and just telling people to Google stuff. Thank you kindly!

Here's the original thread:

1 Like

I'm not going to argue with you over utilizing UPnP, as I've provided you with numerous ways to show UPnP is a security risk (including the maintainer of miniupnpd)... you can lead a horse to water, but you can't force it to drink.

  • Don't you find it a bit odd there's not a single link with anyone stating UPnP is not a security risk to utilize, but I digress.

By the way, Einstein published his Theory of General Relativity in 1916... 102 years ago. Time does not make an answer irrelevant, facts to the contrary do.

Well it's kind of difficult to use multiple consoles of the same type without UPnP on the same network. There are risks to everything and most services that run. However, understanding and mitigating those risks is the best defense. In this case ACLs along with secure mode are mitigating most of these risks, and people understand that there are risks associated with running UPnP. But what other solutions are there? The Xbox One multiple consoles article was designed for Activision. But, the world of games does not revolve around Call of Duty....

1 Like

Unlike the rules of physics, the rules of code in software can be modified and changed...

As I stated in a prior post, there's actually quite a few ways it can be done on the router without UPnP, however what I don't know is whether any of those ways are either efficient or capable of being done on OpenWrt, hence why I stated "You're likely going to need to do some research in the OpenWrt wikis and via Google, unless someone who does know chimes in."

Not familiar with spoofing or MITM?

I digress, as you're clearly looking for an argument, facts be damned.

I've covered that as well in my previous thread. Please reread.

But the service was never started... Hence why 'Start UPnP and NAT-PMP service' is not ticked. Therefore, it's not ON by default.

True, missed it, perhaps there should be just one check box (Enabled = Start Service).
Thank you.

Ok guys, noob here, couldn't get none of the options above to work...

  1. Reserved the IP address:
    WiFi

  2. Forwarded the ports:
    Forwarding

  3. Rebooted XBOX and tried:
    TestXBOX

  4. Checked the WiFi settings and it still displays this:
    XBOX-IP

Then I scrapped the port forwarding settings and tried UPnP.

  1. Turned ON UPnP service, rebooted router and then rebooted the XBOX:
    UPnP

  2. Still the same outcome on the XBOX, failed the tests and an invalid IP address acquired.

Would be great to know what I'm doing wrong, btw, never had any issues with my previous D-LINK router running stock firmware so the XBOX is working good.

Thank you

From your screenshot you are not actually getting a DHCP address from the router on your XBox. Do you have DHCP enabled on your wifi network? Is anything else using wifi (i.e. is it just the XBox or is this the only wireless device so far)? Do you perhaps have MAC whitelisting enabled but have not whitelisted the XBox (it's not on by default, so if it is, you would know)?

@Cereal-Killa In 'Interfaces' and then going into the LAN your wireless is attached to, have you enabled the DHCP server? Issue doesn't look like you're getting as far as UPnP issues.

@Cereal-Killa alternatively are you using a more restrictive firewall on the LAN than the default and haven't allowed DHCP to connect to the router?

Yes, DHCP enabled, I have computers, laptops, cell phones and tablets at home, none exhibit any issue except for the XBOX.

I have no MAC address white-listing in place.

Correct, DHCP enabled under LAN interface. Btw, the XBOX did not redirect any port when I had UPnP ON.

I have my firewall using default settings from the firmware on all interfaces, never played with it.

Thank you

I HAVE THE CURE, believe it or not, no forwarding or UPnP was required:

CHANGE WIFI FROM N TO LEGACY, 54Mbps....

Did that and XBOX worked like a charm, I read it somewhere else and decided to try it out.

Now what am I going to do about this glitch, sticking to 54Mbps just for the XBOX to go online kinda sucks so if I can't get any other solution I might have to run a network cable to the console.

Ah, I was literally about to ask if the XBox was actually getting a wifi association...

Anyway, I'd recommend a wired connection for better gaming (less lag, helps chat if you use, more bandwidth; all in all wired is the way to go if you have the option).

Also you really ought to do one of port forwarding or UPnP (if you have only one XBox and you know what you're doing, port forwarding is preferred from a security perspective (however for noobs IMO it's not necessarily better to mess with the firewall); rather than two or more (I question the veracity of the two port setup); from what I remember XBox is a real PITA with multiple consoles for port forwarding without UPnP, and varies from game to game, plus various aspects of the core XBox system assume the ability to use arbitrary ports when in two (or more) console mode).