UPnP issues

[Gregtotheizzo]

I've had silly UPnP issues for a while now and just thought I was doing something wrong.

I tested UPnP from my QNAP which failed on the latest stock AC-68U firmware so I updated to Merlins 360.60 beta 2 build.

Other things seems to be great however I'm still having the same UPnP issues.

Below is the error from the QNAP diagnostics.

Any help is great appreciated.



--- NAT PMP Diagnostics ------
initnatpmp() returned 0 (SUCCESS)
using gateway : 192.168.1.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -7 (FAILED)
------ UPnP Diagnostics ------
upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.1.1:60343/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

 

[alex1236hk]

There is indeed upnp issue on merlin build (in my knowledge, after 380.58 on ac68u), even try roll back to stock, problem still exists. Prove it should be a Asus issue.
Sometimes the upnp switched to nat-pmp itselfs, and program which doesn't support nat-pmp (eg. Rainbow 6 siege) will not work. But program which support nat-pmp (Skype, qbittorrent) will still work fine. No idea why the router is switching itselfs.)

 

[Gregtotheizzo]

There is indeed upnp issue on merlin build (in my knowledge, after 380.58 on ac68u), even try roll back to stock, problem still exists. Prove it should be a Asus issue.
Sometimes the upnp switched to nat-pmp itselfs, and program which doesn't support nat-pmp (eg. Rainbow 6 siege) will not work. But program which support nat-pmp (Skype, qbittorrent) will still work fine. No idea why the router is switching itselfs.)

Ok great

Not that it doesn't work but that it's a known issue or ignored issue.

Would putting the qnap on DMZ help or still no? Not to 'pass' the UPnP test but just to be able to access externally?

 

[alex1236hk]

Ok great

Not that it doesn't work but that it's a known issue or ignored issue.

Would putting the qnap on DMZ help or still no? Not to 'pass' the UPnP test but just to be able to access externally?

I personally wouldn't use DMZ, too danger for the entire network. So, I think it is an open issue for asus. Should be a problem(bug?) of ASUSwrt.

 

[Gregtotheizzo]

I personally wouldn't use DMZ, too danger for the entire network. So, I think it is an open issue for asus. Should be a problem(bug?) of ASUSwrt.

Would you happen to know if this bug also exist in DD-WRT?

 

[RMerlin]

QNAP's UPNP support seems to be either broken, or very picky. I could never get it to work either with the routers provided by Bell, so it's not specific to Asuswrt. Actually, I can't remember the last time I saw a router that worked properly with QNAP...

Just manually forward the necessary ports. No need to use a DMZ for that, there's only a handful of ports needed, depending on what you need to make available WAN-side.

 

[Gregtotheizzo]

QNAP's UPNP support seems to be either broken, or very picky. I could never get it to work either with the routers provided by Bell, so it's not specific to Asuswrt. Actually, I can't remember the last time I saw a router that worked properly with QNAP...

Just manually forward the necessary ports. No need to use a DMZ for that, there's only a handful of ports needed, depending on what you need to make available WAN-side.

It's the 8080/8081 just always seems to seem 'closed' even though they're open and forwarded in the port forward log but the page is unavailable.

Other ports ssh I have to different devices work so just always weird the qnap always had the issue.

Thanks for the quick responses and amazing work with your builds.

 

[RMerlin]

It's the 8080/8081 just always seems to seem 'closed' even though they're open and forwarded in the port forward log but the page is unavailable.

Maybe it's your ISP or their modem doing something funny (8080 might be filtered for "security purposes", as it's often used by web proxies). Try opening a different port (for example, 18080), and forward it to your NAS's 8080.

 

[alex1236hk]

Would you happen to know if this bug also exist in DD-WRT?

No, just personally do not want to flash ddwrt any more. Hate ddwrt's interface.

 

[yorgi]

I've had silly UPnP issues for a while now and just thought I was doing something wrong.

I tested UPnP from my QNAP which failed on the latest stock AC-68U firmware so I updated to Merlins 360.60 beta 2 build.

Other things seems to be great however I'm still having the same UPnP issues.

Below is the error from the QNAP diagnostics.

Any help is great appreciated.



--- NAT PMP Diagnostics ------
initnatpmp() returned 0 (SUCCESS)
using gateway : 192.168.1.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -7 (FAILED)
------ UPnP Diagnostics ------
upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.1.1:60343/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

I would not use UPNP, manually configure your clients.
UPNP is really a security risk and I don't understand why routers still incorporate this feature.

 

[mstombs]

I would not use UPNP, manually configure your clients.
UPNP is really a security risk and I don't understand why routers still incorporate this feature.

Don't believe everything Steve Gibson says - Asuswrt uses sensible secure options provided by miniupnpd, such as no low port nos or ability to change port forwards for other clients, I don't know how this can be exploited. It may be these restrictions caused the problem above. If you have a compromised client on your LAN, it doesn't need upnp to talk to its friends on the dark web!

 

[eddiez]

I would not use UPNP, manually configure your clients.
UPNP is really a security risk and I don't understand why routers still incorporate this feature.

Every open port is a potential security risk. uPnP is no exception to that.

 

[sfx2000]

I would not use UPNP, manually configure your clients.
UPNP is really a security risk and I don't understand why routers still incorporate this feature.

uPNP by itself - there were some security issues on some versions, but generally those have been addressed (now whether those upstream changes are pulled in, that's another story).

The concern that many have with uPNP, is that it does have potential to open holes in the firewall, and the trust then is transferred to the application requesting the port - and because uPNP is not an authenticated service, this makes security oriented folks a bit nervous...

NAT-PMP (which is similar) has similar issues in that regard...

 

[Gregtotheizzo]

uPNP by itself - there were some security issues on some versions, but generally those have been addressed (now whether those upstream changes are pulled in, that's another story).

The concern that many have with uPNP, is that it does have potential to open holes in the firewall, and the trust then is transferred to the application requesting the port - and because uPNP is not an authenticated service, this makes security oriented folks a bit nervous...

NAT-PMP (which is similar) has similar issues in that regard...

What do I do with SSL?

change ASUS HTTPS management to 8443 and forward 443 to QNAP?

'MYQNAPCLOUD' DDNS service seems to only work when I forward 443 to the QNAP.

Maybe I'm confused or my understanding is incorrect.

 

[sfx2000]

One should not be opening up the Router to remote admin - that would solve a lot of your problems...

 

[Gregtotheizzo]

One should not be opening up the Router to remote admin - that would solve a lot of your problems...

Girlfriend works from home and with the current nat issues SSH and the management page are flipping flopping when they want to be open..

Sometimes I have to reboot it remotely so it's easiest for me from work.

 

[L&LD]

Girlfriend works from home and with the current nat issues SSH and the management page are flipping flopping when they want to be open..

Sometimes I have to reboot it remotely so it's easiest for me from work.

A text message to the GF asking here to power down the router and then power it up is simple too.

 

[Gregtotheizzo]

A text message to the GF asking here to power down the router and then power it up is simple too.

Then I have RPis on wifi that sometimes doent auto reconnect and it becomes a nightmare

Just never seen a router having to be reboot multiple times a week due to NAT/UPnP issues

 

[L&LD]

Then I have RPis on wifi that sometimes doent auto reconnect and it becomes a nightmare

Just never seen a router having to be reboot multiple times a week due to NAT/UPnP issues

How does rebooting via the gui and your GF rebooting the router change how the RPi's connect (or not)?

Have you performed a full reset to factory defaults and then manually and minimally configure the router to secure it and connect to your ISP on your currently installed firmware?

http://www.snbforums.com/threads/no...l-and-manual-configuration.27115/#post-205573

 

[Gregtotheizzo]

How does rebooting via the gui and your GF rebooting the router change how the RPi's connect (or not)?

Have you performed a full reset to factory defaults and then manually and minimally configure the router to secure it and connect to your ISP on your currently installed firmware?

http://www.snbforums.com/threads/no...l-and-manual-configuration.27115/#post-205573

Yea