XBOX 360 - DHCP and Manual Lease not working

@Cereal-Killa In 'Interfaces', and then going into the LAN your wireless is attached to, have you enabled the DHCP server? The issue doesn't look like you're getting as far as UPnP issues.

@Cereal-Killa alternatively are you using a more restrictive firewall on the LAN than the default and haven't allowed DHCP to connect to the router?

Yes, DHCP enabled, I have computers, laptops, cell phones and tablets at home, none exhibit any issue except for the XBOX.

I have no MAC address white-listing in place.

Correct, DHCP enabled under LAN interface. Btw, the XBOX did not redirect any port when I had UPnP ON.

I have my firewall using default settings from the firmware on all interfaces, never played with it.

Thank you

I HAVE THE CURE, believe it or not, no forwarding or UPnP was required:

CHANGE WIFI FROM N TO LEGACY, 54Mbps....

Did that and XBOX worked like a charm, I read it somewhere else and decided to try it out.

Now what am I going to do about this glitch, sticking to 54Mbps just for the XBOX to go online kinda sucks so if I can't get any other solution I might have to run a network cable to the console.

Ah, I was literally about to ask if the XBox was actually getting a wifi association...

Anyway, I'd recommend a wired connection for better gaming (less lag, helps chat if you use, more bandwidth; all in all wired is the way to go if you have the option).

Also you really ought to do one of port forwarding or UPnP (if you have only one XBox and you know what you're doing port forwarding is preferred from a security perspective (however for noobs IMO it's not necessarily better to mess with the firewall); rather than two or more (I question the veracity of the two port setup); from what I remember XBox is a real PITA with multiple consoles for port forwarding without UPnP, and varies from game to game, plus various aspects of the core XBox system assume the ability to use arbitrary ports when in two (or more) console mode)).

@mj5030 thanks for linking to that old thread. I tried to respond to JW using email but it doesn't seem to have gotten into the forum.

Yep, I will restore those port-forwarding rules I had in place now as per @JW0914 suggestion and run a cable to the console in order to restore the WiFi back to 'N' mode and that should be enough.

I really appreciate all the effort from everyone here on helping me get this solved, hopefully someday someone will figure out what causes the 360 to not work on LEDE in 'N' mode.

1 Like

To email, click on the user's name, then click on "Message"

Sorry, not referring to doing a PM, referring to responding to my email (i.e. in my email INBOX received via SMTP where I receive notifications from the forum) and have the result appear on the forum -- it's supposed to be possible, but didn't work for me.

@Cereal-Killa how old is your XBox wireless? (i.e. is it in fact 'n', or 'pre-final n', or something like that?) IIRC 'legacy' mode (vs setting b/g vs b/g/n or g/n) is actually wrt to some other wireless settings that older 'n' may not support. Could be wrong on that, but if memory serves....

I have the latest version (XBOX 360 S 4GB) with built-in wireless N adapter, before LEDE it used to work fine on my previous router, I had a D-Link DGL 4500 for a long time.

What you said makes sense, I also thought Legacy would offer B, G and N depending on the hardware, beats me why the XBOX is picky with wireless "N".

Without actually opening my console I googled for the latest slim wifi module specs and then realized there are a few of them, here are the specs of two of them:

JW0914 (https://forum.openwrt.org/u/jw0914), August 7:

cshoredaniel:

Those posts are over five years old. miniupnpd has matured a lot
since then, and, more importantly, on OpenWrt there are ACL's

UPnP, even with ACLs, is still not a secure service to run, as UPnP, by
definition, will always be a security risk. This is not my opinion, but
the consensus of most, if not all, InfoSec researchers.

Let's break this apart.

  1. Who are you defining as an 'Infosec researcher'? Every random Joe
    who thinks they know something about security and just repeats current
    wisdom? Or those who are actually thoughtful and talk about relative
    risk vs benefit in a coherent fashion (rather than what I perceive as a
    large segment of an attitude that taken to its logical extreme reads
    (in my opinion) as: 'we should all live in Faraday cages and disconnect
    from the internet').

  2. Actual data on who thinks UPnP is not ideal because of lack of
    authentication (which is in my view the only argument that is still true
    today; hence my comment about the age of the StackExchange post, see
    below) vs. those who believe it's otherwise a problem (e.g. due to
    implementation-specific flaws that are ancient and presumably
    well-solved by now, or evidence that current versions of code still
    contain the horrible implementations that caused the whole hate-on for
    UPnP).

  3. What is your definition of secure? Is it a definition that is
    practical, or is it one that makes you one of the 'we all should live in
    Faraday cages...' brand of 'security expert'?

As to the age of the post, you must be unfamiliar with StackExchange...
it's not a forum, it's an answer site. You clearly didn't take the time
to review Rapid7's white paper, let alone bother to google something
like "UPnP Security Flaw
https://www.google.com/search?safe=off&source=hp&ei=XptpW96cIpDisAXbvJQI&q=upnp+security+flaw&btnK=Google+Search&oq=upnp+security+flaw&gs_l=psy-ab.3..0i22i30.1130.5880..6047...1.0..1.347.2761.9j11j1j1......0....1..gws-wiz.....0..0j35i39j0i131j0i13j0i13i30.QfnnDZY-MnQ",
or something as simple as "UPnP Safe
https://www.google.com/search?safe=off&ei=t5tpW6LnKMKWsAX2gb2oCQ&q=UPnP+Safe&oq=UPnP+Safe&gs_l=psy-ab.12..35i39j0i20i263j0j0i22i30l6.73362.76358..79789...0.0..0.349.1330.0j8j0j1......0....1..gws-wiz.......0i71j0i67j0i131j0i131i20i264j0i20i264.4ZrSiDd42KE"...
perhaps some due diligence should be considered.

Actually I looked into UPnP before the above StackExchange post, and
the truth is, that post was wrong even at that time, in the sense that
it was talking about years-old complaints in vendor routers. Even at
that time it was not relevant to OpenWrt.

And quite frankly if you're worrying about MITM or spoofing on your LAN,
you might as well go live in a cave with Faraday et al, because you won't
be able to function in the modern world, especially as a relatively
normal person.

Do I think UPnP is ideal? Hell no. Do I think it's basically devil
spawn like your 'majority of Infosec researchers'. Nope.

The truth is that avoiding UPnP, at least OpenWrt's implementation,
doesn't significantly increase your risk of problems due to compromised
hosts on your LAN, as if one has compromised a LAN host, there are
plenty of other ways to get traffic back into the LAN, so the only
relevant exploits are remote exploits.

Furthermore, this is directly from the maintainer of miniupnpd's site:

  Security

/UPnP implementations are potentially subject to security breaches./
Badly implemented or configured UPnP IGDs are vulnerable. Security
researcher HD Moore did a good work to reveal vulnerabilities in
existing implementations : Security Flaws in Universal Plug and Play
(PDF)
https://information.rapid7.com/rs/411-NAK-970/images/SecurityFlawsUPnP%20(1).pdf.
A common problem is to let SSDP or HTTP/SOAP ports open to the internet
: they should be only reachable from the LAN.

Well yeah, that's what a firewall is for. And at least in OpenWrt the
default firewall takes care of that. Actually better is to only listen on
local interfaces so even if the firewall is borked, the external traffic
still has no open service to reach. What's your point? We're not
running ancient versions of miniupnpd or a misconfigured firewall?

In the past, several vulnerabilities have been found in MiniUPnPd, so it
is very important to update your code to the last version.

Which is very old news, and AFAIK OpenWrt has been fine for several
releases in terms of miniupnpd version. Prove me wrong with actual
data, not just aspersions from pre-2010/2011 versions of miniupnpd if
you want to be credible, please. And more to the point, for current
OpenWrt, what's the last 3-5 year vulnerability history of miniupnpd?

Like I said, the arguments about UPnP sound like religion to me, because
it takes ancient data and hasn't updated as software and situation has
updated.

1 Like

As I stated before, I'm not going to argue about the fact UPnP is a security risk... but hey, don't take infosec researchers at companies like Rapid7's word for it, the maintainer of miniupnpd also says UPnP and miniupnpd is a security risk. I don't know what it is with people being shown fact based information and then believing those facts are opinions and their opinions are facts.

When the maintainer of the software says the software is a security risk (2017.05.26), and you and others want to argue it's not, that's asinine and beyond imbecilic idiocy.

  • As I stated before, if one carries the opinion of UPnP not being a security risk, then please, where's the white papers, write-ups, security analysis by infosec researchers, etc. stating/demonstrating it's not? If one is to believe such a thing, then one must confront the fact there isn't anything supporting their opinion, with all whitepapers and peer reviewed research stating the complete opposite.

  • If you and others believe so strongly UPnP is not a security risk, then author a white paper demonstrating how it's not and submit it to be peer reviewed by infosec researchers and experts.

Regardless, this conversation has exceeded my patience, as I don't have time to bother with anyone who believes facts equal opinions and opinions equal facts.
1 Like

An article from 2013 in which Rapid7's whitepaper is mentioned: https://www.csoonline.com/article/2132858/data-protection/device-makers-blamed-for-consumer-risk-from-upnp-flaws.html

Bottom line, non-updated software is the issue.

And I have said that it's not ideal just that there are uses for it, and in certain cases it's the better/only choice.

2 Likes

JW0914 (https://forum.openwrt.org/u/jw0914), August 8:

As I stated before, I'm not going to argue about the fact UPnP is a
security risk... but hey, don't take infosec researchers at companies

Because you can't. Prove me wrong without giving outdated information .

like Rapid7's word for it, the /maintainer/ of |miniupnpd| also says

As stated, that is

  • very old
  • not applicable to OpenWrt's situation for at least three releases

Rapid7 (and other research) was talking about the deplorable situation
of consumer routers in general, and not about OpenWrt specifically
and that is years old data. In general if you'd asked me at the
time if a random user should or should not use UPnP on a random router,
the answer would be a resounding no, because of the situation. Since I
lack current data and you have failed to provide it, I lack the
information to assess the current situation, and search engines all
provide old hits, not current data, which leads me to believe there
hasn't been updated information, just rehash of outdated information.

It's entirely likely that router companies, at least for new products
(i.e. at least the last three years) have most likely corrected the
issues that led to the advisory seven years ago.

Prove current data supports the same conclusion.

UPnP and |miniupnpd| is a security risk. I don't know what it is with

That notice was put in place many years ago, in response to Rapid7 and
such, to remind people that bugs get fixed, especially security bugs,
and to be responsible and update.

The author did not say miniupnpd is irredeemable, they said there
have been issues in the past now fixed and (paraphrasing) 'for the
love of Mike, update!'

people being shown fact based information and then believing those facts
are opinions and their opinions are facts.

I'm not speaking opinion, I am speaking facts. You are expressing an
opinion based on old data. You have not addressed new information, nor
addressed the actual arguments I have made, only ignored them as 'mere
opinion', without presenting current data. Probably because you have
none. Prove me wrong.

When the maintainer of the software says the software is a security
risk, and you and others want to argue it's not, that's asinine and
beyond imbecilic idiocy.

You clearly don't know how to read an advisory to a forceful note to
downstream users to bleeding update already, when it doesn't suit your
opinion.

It's great that you want to present your interpretations as 'facts',
but you have NOT presented actual data in response to my points.
Nor have you made an actual case, rather than a vague appeal to the
'majority of InfoSec researchers', or 'Rapid7's' years old study of the
situation at the time. Again, demonstrate a current threat, please.

Name-calling is all well and good, but it is not data. Prove me wrong.

I keep saying that because you are presenting out of date information as
the basis of your opinion and applying rhetoric to ignore the fact you
have no current threat information on which to base your argument.

Demonstrate you're not just repeating common beliefs and actually have
real information.

1 Like

JW0914 (https://forum.openwrt.org/u/jw0914), August 7:

mj5030:

Well it's kind of difficult to use multiple consoles of the same
type without UPnP on the same network.

As I stated in a prior post, there's actually quite a few ways it can be
done on the router without UPnP, however what I don't know is whether
any of those ways are either efficient or capable of being done on
OpenWrt, hence why I stated "/You're likely going to need to do some
research in the OpenWrt wikis https://openwrt.org/docs/start and via
Google, unless someone who does know chimes in./"

And as you said you've not actually used them yourself, so really your
statement should read: "there's theoretically quite a few ways...Whether
they work well or not on any routing device or not is an open question."
Come back when you've had a good gaming experience on both consoles
having done what you describe, otherwise you're speaking without actual
practical knowledge of the situation. (Apologies, if you saw my
original of this reply for my turn of phrase which was excessive).

Show me gamers who are happy with this solution and then we'll talk.

cshoredaniel:

Oh and miniupnpd in OpenWrt is configured to restrict UPnP to
opening ports on the device that originated the requests

Not familiar with spoofing or MITM?

As I've said elsewhere if you're worried about spoofing or MITM on your
LAN you've got bigger problems than UPnP. There's a point at which
distrusting even your own networks means 'getting stuff done',
particularly for those for whom dealing with the network is not their
full time job, is simply going to suck too much time and energy. It's
not lazy, it's that there is a whole lot more to life than dealing with
tech that's supposed to make life easier. Heck even developers
generally have a lot more they want to do than worry about every detail
of everything they do with tech due to time constraints. One has to pick
and choose where one spends time (and presumably have time for leisure
and not just be a workaholic, which isn't healthy either).

mj5030:

    By the way, Einstein published his Theory of General Relativity in
    1916... 102 years ago. Time does not make an answer irrelevant,
    facts to the contrary do.

Unlike the rules of physics, the rules of code in software can be
modified and changed...

I digress, as you're clearly looking for an argument, facts be damned.

I'd say that's you, but I digress myself.

1 Like

This topic is increasingly drifting offtopic into a general UPnP yes/no debate. Since the recent arguments do not really touch the OP question anymore I'd suggest to end the discussion here.

I think it has been made very clear that using UPnP has security downsides as it essentially allows unauthenticated LAN devices to poke holes into the firewall. This can be restricted to some extent by applying strict ACLs.

Not using UPnP in the first place and configuring static port forwards is another option.

2 Likes
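The two mitigations mentioned in the thread, miniupnpd's permission rules ("strict ACLs") and its secure_mode restricting a client to mapping ports for its own address, are modelled below as an added example. This is not code from the thread, OpenWrt or miniupnpd; it parses a constructed /etc/config/upnpd fragment and assumes the console sits at 192.168.1.50 and asks for port 3074 (a sample port, not one the thread lists).

```python
"""Model of how miniupnpd decides an AddPortMapping request under OpenWrt's
/etc/config/upnpd permission rules (perm_rule sections) and secure_mode.
Illustrative re-implementation, not miniupnpd's own code: the first matching
rule decides, and a request matching no rule is allowed (hence the stock
config ends with a catch-all deny)."""
import ipaddress
import re

# Constructed sample: the stock 'allow high ports' rule tightened so that only
# the console (assumed address 192.168.1.50) may map high ports at all.
SAMPLE_CONFIG = """
config perm_rule
    option action 'allow'
    option ext_ports '1024-65535'
    option int_addr '192.168.1.50/32'
    option int_ports '1024-65535'
    option comment 'Xbox 360 only'

config perm_rule
    option action 'deny'
    option ext_ports '0-65535'
    option int_addr '0.0.0.0/0'
    option int_ports '0-65535'
    option comment 'Default deny'
"""

def parse_perm_rules(config):
    """Collect each perm_rule section's options into a dict, in file order."""
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("config perm_rule"):
            rules.append({})
        elif rules and line.startswith("option "):
            key, value = re.match(r"option (\S+) '(.*)'", line).groups()
            rules[-1][key] = value
    return rules

def in_range(port, text):
    lo, _, hi = text.partition("-")
    return int(lo) <= port <= int(hi or lo)

def mapping_allowed(rules, requester, int_addr, int_port, ext_port, secure_mode=True):
    """True if `requester` may map WAN ext_port to int_addr:int_port."""
    # secure_mode: a client may only open ports that point at its own address.
    if secure_mode and requester != int_addr:
        return False
    for rule in rules:
        if (in_range(ext_port, rule["ext_ports"]) and in_range(int_port, rule["int_ports"])
                and ipaddress.ip_address(int_addr) in ipaddress.ip_network(rule["int_addr"])):
            return rule["action"] == "allow"
    return True  # no matching rule: allowed
RULES = parse_perm_rules(SAMPLE_CONFIG)
```

With these rules only the console can open high ports for itself; a request for port 80, a request from any other host, or a request from another host aimed at the console's address is refused.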

@jow Sorry. Got sucked in by the knee-jerk hate-on for UPnP by @JW0914. It'd be nice if there was a bot or something that pointed you to a statement like your most recent post when UPnP is mentioned, or something useful like that so that folk appreciate that UPnP is preferred to be avoided, can be somewhat mitigated, make your own choice, and religion the moment someone mentions the word UPnP is best avoided too.

1 Like