OPEN NAT vs Port Forwarding

SilentStorm

Regular Contributor
Does anyone know the difference between the OPEN NAT section and the Port Forwarding section on the ASUS GT ROG AC2900?

I thought they were the same... Is the OPEN Nat just meant for gaming?
 
Port forwarding for multiple games and gaming devices is too much faff. I just let UPnP handle it. Plus, UPnP in Asus/Merlin firmware allows multiple devices to get an Open NAT when they're being used simultaneously, which is something you cannot achieve with manual port forwarding.
 
UPnP definitely makes things more convenient. But like most conveniences, it usually comes at the price of security. IIRC, wasn't too long ago, some routers were inadvertently allowing UPnP from the internet side of the WAN! But even if the vulnerability was corrected, the idea of allowing devices to manage *your* primary router's firewall comes w/ some risk. What's to stop some rogue IOT device from doing the same? Use of UPnP requires a certain amount of trust between the router and the LAN devices. And depending on how you've configured your network, I'm not always sure that trust is warranted.

Caveat emptor.
 
I understand the security concerns, but I manage and monitor the devices on our home network, so the convenience of UPnP outweighs this for me. With multiple gaming consoles from different manufacturers, port forwarding just isn't practical for our environment.
 
Understood. I'd probably feel a bit more comfortable w/ UPnP if it at least allowed you to limit the service to specific LAN devices, ones you trust. But AFAIK, the most you can do is control the port range. Other than that, seems it's anything goes.
 
Can't help but wonder if you could simply add firewall rules to limit the LAN devices that can access the UPnP port (1900) based on source IP.

Code:
# -I inserts at the top of INPUT, so add the REJECT first; each ACCEPT inserted afterwards lands above it and is matched first
iptables -I INPUT -i br0 -p udp --dport 1900 -j REJECT
iptables -I INPUT -i br0 -p udp --dport 1900 -s 192.168.1.100 -j ACCEPT
iptables -I INPUT -i br0 -p udp --dport 1900 -s 192.168.1.200 -j ACCEPT
...

Or based on MAC address.

Code:
# Same ordering as above: REJECT goes in first, the MAC-matched ACCEPTs end up in front of it
iptables -I INPUT -i br0 -p udp --dport 1900 -j REJECT
iptables -I INPUT -i br0 -p udp --dport 1900 -m mac --mac-source 70:64:1a:6d:05:81 -j ACCEPT
iptables -I INPUT -i br0 -p udp --dport 1900 -m mac --mac-source fa:1b:07:e3:c6:38 -j ACCEPT
...
 
I guess that would work. Alternatively you could use a upnp.postconf script to change the allow/deny rules in the config file.

EDIT: Similar question/solution here: http://www.snbforums.com/threads/upnp-for-2-devices-only.68447/
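One way to implement the upnp.postconf approach mentioned above, as an added example that is not code from this thread or from the firmware: it rewrites miniupnpd's allow/deny rules so only listed LAN hosts may request mappings. It assumes Asuswrt-Merlin invokes /jffs/scripts/upnp.postconf with the generated miniupnpd config path as $1 (an assumption), and the host addresses and sample config are constructed.

```shell
#!/bin/sh
# Added example: restrict UPnP mappings to trusted LAN hosts by rewriting
# the allow/deny rules in the miniupnpd config that the firmware generates.
# Assumption: Asuswrt-Merlin runs /jffs/scripts/upnp.postconf with the
# config file path as $1 before miniupnpd starts.

# Hosts permitted to open mappings (constructed sample addresses).
TRUSTED_HOSTS="192.168.1.100 192.168.1.200"

# restrict_upnp CONFIG_FILE "HOST HOST ..."
# Removes every existing allow/deny line, then appends one allow rule per
# trusted host followed by a catch-all deny. miniupnpd evaluates rules in
# order and stops at the first match, so the deny must come last.
restrict_upnp() {
    cfg="$1"
    hosts="$2"
    tmp="${cfg}.tmp"
    # Drop the firmware's default rules (typically an allow for the whole LAN).
    grep -v -E '^(allow|deny)[[:space:]]' "$cfg" > "$tmp"
    for h in $hosts; do
        # Rule syntax: allow <ext port range> <internal ip/mask> <int port range>
        echo "allow 1024-65535 ${h}/32 1024-65535" >> "$tmp"
    done
    echo "deny 0-65535 0.0.0.0/0 0-65535" >> "$tmp"
    mv "$tmp" "$cfg"
}

# count_rules CONFIG_FILE allow|deny -> number of rules of that kind
count_rules() {
    grep -c -E "^$2[[:space:]]" "$1"
}

# Constructed stand-in for the relevant part of a generated miniupnpd.conf.
make_sample_config() {
    cat > "$1" <<'EOF'
ext_ifname=eth0
listening_ip=br0
port=1900
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
EOF
}

# When installed as the postconf hook, rewrite the config handed to us.
if [ "${0##*/}" = "upnp.postconf" ] && [ -n "$1" ]; then
    restrict_upnp "$1" "$TRUSTED_HOSTS"
fi
```

Unlike filtering SSDP on UDP 1900, these rules are checked by miniupnpd against the internal address in each mapping request, so they still apply to a client that already knows the control URL.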
 