[RT-AX86U] Merlin 386.1 - Unable to completely disable upnp


DiscoSi

Occasional Visitor
Hi,

I've recently upgraded from a RT-AC86U to RT-AX86U. No matter what I've tried I can't seem to get upnp to switch off, it's off in the web interface but I still get entries showing in UPNP, NAT-PMP and PCP forwards under port forwarding. I've never had this with my AC86U, it just seems to be on the AX86U that upnp isn't being turned off by the setting in the web interface.

I've done a WPS reset and then wiped jffs and factory reset.

I've tried editing /etc/upnp/config to:

Code:
enable_upnp=no
enable_natpmp=no

and NVRAM setting:

Code:
upnp_enable=0
wan0_upnp_enable=0
wan1_upnp_enable=0
wan_upnp_enable=0
wl0_wmf_ucast_upnp=0
wl1_wmf_ucast_upnp=0
wl_wmf_ucast_upnp=0

I've done nvram commit also, so they should stick.

If I stop the upnp service and delete /tmp/upnp.leases the entries all return if I restart the upnp service again. For now I've left the service disabled which stops the upnp mappings coming back but as soon as I reboot, they come back again as the upnp service is started up again.

Like I said, I've never had to do anything other than set upnp to off in the web interface on my RT-AC86U.

Has anyone else had this happen? Really appreciate the help :)

DiscoSi.
 

iJorgen

Occasional Visitor
I have the same experience. My Xbox suddenly showed OpenNAT in games and was listed under "Port Forwarding", but not using uPNP or configured Port Forwarding.
 

DiscoSi

Occasional Visitor
Something can't be right here can it?

uPnp Enable is set to NO in the interface, yet I'm seeing 2 ports opened up under port forwarding and checking via SSH I get:
Code:
iptables --list-rules

-A FUPNP -d 192.168.1.xxx/32 -p tcp -m tcp --dport xxxx -j ACCEPT
-A FUPNP -d 192.168.1.xxx/32 -p tcp -m tcp --dport xxxx -j ACCEPT

I've xx'ed out the specifics BUT that's 2 holes punched in the firewall from the inside with uPnP disabled? That shouldn't be possible should it? I've confirmed that the ports are open and the services open from the outside too.... that's kinda scary isn't it? We should be worried here... right?

I'm hoping someone with a bit more knowledge could take a look at this as I only know just about enough to be dangerous lol!

But unless I've got this all wrong, it appears that with uPnP disabled from the web interface it's possible for devices on the inside to open ports in the firewall, how is that happening?

DiscoSi
 

eibgrad

Very Senior Member
When you have UPnP enabled, the miniupnpd daemon/service will normally be listed in the process list.

Code:
ps | grep [m]iniupnpd

If you disable it, and after a reboot, does it still show it running (because it shouldn't)?
 

DiscoSi

Occasional Visitor
Yes, the miniupnpd process is running before and after a reboot with the upnp setting switched off in the interface. I've switched upnp on, rebooted, then switched it off and applied the setting. This is the syslog when I applied it:

Code:
Feb  6 10:03:39 miniupnpd[4859]: shutting down MiniUPnPd
Feb  6 10:03:39 miniupnpd[18479]: HTTP listening on port 53967
Feb  6 10:03:39 miniupnpd[18479]: Listening for NAT-PMP/PCP traffic on port 5351

It looks like upnp stops as instructed but is restarting again?

The port forwards are cleared briefly but return again after a short time.

DiscoSi
 

DiscoSi

Occasional Visitor
No that's off but thanks for the suggestion as I hadn't checked it before.

When I get a bit of time later I'm going to revert back to stock firmware and see if it's the same. I'm also going to put my AC86U back to test this as well for my own sanity to check I'm not doing something really daft!

I had manual port forwarding set up on the AC86U and always kept upnp off with no issues. The main reason I keep it off is that I have a couple of devices on my network that will try and open ports if upnp is on despite it being off in their settings (Dlink webcam). I'd only noticed the issue on my new ax86u by accident as I was about to start setting up the manual port forwarding when I saw a load of entries in the upnp list even though it was turned off.
 

DiscoSi

Occasional Visitor
I've been able to confirm that this bug exists in the stock firmware on the RT-AX86U also. Basically the uPnP service cannot be disabled via the web interface.

I've rolled back to Version 3.0.0.4.384.9283 and done a nuclear reset having already tested on Merlin 386.1 after the same reset.

With the uPnP feature switched off in the web interface and the router rebooted, the uPnP process is still running:

Code:
ps | grep pnp
1506 xxxx      2944 S    miniupnpd -f /etc/upnp/config

Using the upnp client on an ubuntu machine connected to the router I can scan and get a response as well as request a port forward. This SHOULDN'T be possible and to my mind is a pretty scary security flaw if the owner of an RT-AX86U isn't vigilant.

Code:
upnpc -a 192.168.50.252 222 2222 TCP
upnpc : miniupnpc library test client, version 2.1.
(c) 2005-2019 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.50.1:37450/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.50.1:37450/ctl/IPConn
Local LAN ip address : 192.168.50.252
ExternalIPAddress = xxxx
InternalIP:Port = 192.168.50.252:222
external xxxx:2222 TCP is redirected to internal 192.168.50.252:222 (duration=0)

The current mitigation is to manually stop the upnp process via a shell login, you need to do this BEFORE any device has created a rule and I'm unsure as yet if it will remain disabled if any other actions cause the firewall or wan to restart as these likely call the upnp service also:

Code:
service stop_upnp
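
Pulling the checks from the posts above into one script, as an added example that is not code from this thread or from the Asuswrt-Merlin project: it inspects the same three signals DiscoSi and eibgrad used, the process list, the FUPNP chain and any upnp-related nvram key, and reports whether miniupnpd is actually disabled rather than trusting the web UI toggle. It is POSIX sh so it runs under the router's busybox shell over SSH; `ps`, `iptables --list-rules` and `nvram show` are the stock router commands, and the sample output at the bottom is constructed for offline testing, not captured from a real router.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether miniupnpd is really off
# on an Asuswrt/Merlin router, using the signals the thread relies on.
# On the router it inspects live state; anywhere else it runs over the
# constructed sample output below so the logic can be exercised offline.

# upnp_audit PS_TEXT RULES_TEXT NVRAM_TEXT
# Prints one finding per line; returns 0 if UPnP looks fully disabled, 1 if not.
upnp_audit() {
    ps_text=$1
    rules_text=$2
    nvram_text=$3
    status=0

    # 1. Is the daemon present? Same idea as `ps | grep [m]iniupnpd`: the
    #    bracket keeps the grep command itself out of the match.
    if printf '%s\n' "$ps_text" | grep -q '[m]iniupnpd'; then
        echo "FAIL: miniupnpd process is running"
        status=1
    else
        echo "ok: no miniupnpd process"
    fi

    # 2. Has anything been punched through the FUPNP chain? These are the
    #    ACCEPT rules miniupnpd adds for each forward it grants.
    n=$(printf '%s\n' "$rules_text" | grep -c '^-A FUPNP .* -j ACCEPT') || true
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n FUPNP accept rule(s) present:"
        printf '%s\n' "$rules_text" | grep '^-A FUPNP .* -j ACCEPT' | sed 's/^/    /'
        status=1
    else
        echo "ok: FUPNP chain has no accept rules"
    fi

    # 3. Is any upnp-related nvram key still set to 1? The match on "upnp"
    #    is deliberately broad: the single web UI toggle is not the only
    #    setting that can keep the daemon alive.
    on=$(printf '%s\n' "$nvram_text" | grep -i 'upnp' | grep '=1$') || true
    if [ -n "$on" ]; then
        echo "WARN: upnp-related nvram keys still set to 1:"
        printf '%s\n' "$on" | sed 's/^/    /'
        status=1
    else
        echo "ok: no upnp-related nvram key set to 1"
    fi
    return "$status"
}

# Live collection on the router (busybox ps, iptables --list-rules, nvram show).
upnp_audit_live() {
    upnp_audit "$(ps)" "$(iptables --list-rules 2>/dev/null)" "$(nvram show 2>/dev/null)"
}

# Constructed sample output modelled on the thread's posts (not captured from
# a real router): daemon up, two granted forwards, one wan key still on.
SAMPLE_PS=' 1506 admin     2944 S    miniupnpd -f /etc/upnp/config
 1601 admin     1200 S    sh'
SAMPLE_RULES='-A FUPNP -d 192.168.1.50/32 -p tcp -m tcp --dport 2222 -j ACCEPT
-A FUPNP -d 192.168.1.51/32 -p udp -m udp --dport 3074 -j ACCEPT'
SAMPLE_NVRAM='upnp_enable=0
wan0_upnp_enable=1
wan1_upnp_enable=0'

if command -v nvram >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    upnp_audit_live || echo "RESULT: UPnP is NOT fully disabled on this router"
else
    echo "(not on a router: auditing constructed sample output)"
    upnp_audit "$SAMPLE_PS" "$SAMPLE_RULES" "$SAMPLE_NVRAM" \
        || echo "RESULT: sample state would fail the audit"
fi
```

Run it right after a reboot with the UI toggle off: a FAIL on the first check is the symptom the thread describes, and a FAIL on the second shows forwards that were already granted, which stopping the service does not undo on its own.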
 

eibgrad

Very Senior Member
The problem (or limitation) of that mitigation, however, is if the UPnP server has already established port forwards. Unless you're sure it deletes them once stopped.

And yeah, it is a bit worrisome. I don't even use UPnP, at all. Just don't like the idea of processes opening ports behind my back.

And it's good to let @RMerlin know when you've found a bug.
 

DiscoSi

Occasional Visitor
Good point on the rules remaining, they do, so the upnp service needs to be shut down before anything has created a rule. I've edited my message above to reflect that. What's the best way to alert Merlin?
 

KevTech

Very Senior Member
Are you disabling UPnP in both places that have UPnP?
1. USB Application > Servers Center > Media Server
2. WAN > Internet Connection
 

DiscoSi

Occasional Visitor
Yes. I think the upnp in relation to media servers isn't quite the same thing though, but it's disabled there also anyway.
 

iJorgen

Occasional Visitor
I took a quick look at the code....it looks like enabling GeForceNow (AX86U and GT-AC2900) also enables miniupnpd. Does this apply to your config?

This was interesting... The setting "Enable GeForce NOW QoS UPnP control" seems to be enabled by default, even if not using QoS.



When I disabled it, the following two lines showed up in the log:

Code:
Feb  7 08:21:31 rc_service: httpd 1547:notify_rc restart_upnp;
Feb  7 08:21:31 miniupnpd[2227]: shutting down MiniUPnPd

...and that seemed to solve the problem why ports were opened. Thanks!! :)
 

DiscoSi

Occasional Visitor
Great find, thanks @john9527, I can also confirm that switching off the geforce now upnp as well does turn off the upnp service. If either one is on though it keeps running. This should be a lot clearer!!

I've had a read through the user guide for the AX86U on the Asus website and it makes no mention of this either, not an RTFM moment :)

Thanks for the help everyone :)
 

john9527

Part of the Furniture
Or maybe when you turn it off in one place (why is it in multiple places anyway), then turn it off in all automatically.
A bit more complicated than that since it's a one-way dependency. GeForce requires Upnp turned on, Upnp on does not require GeForce turned on. So you need to check the order they are activated and keep the current and previous states of upnp to make sure it's set correctly as the options change.
 

eclp

Senior Member
I cannot find this setting on my device (AX88U). Does the GeForce setting only exist on certain model series and what exactly does it do? Sorry, two questions.
 
