UPnP - enable per device?

ERamseth2

Occasional Visitor
I'm in the process of moving (back) from a homebrew pfsense router to an RT-AX86U with Asuswrt-Merlin (went the other way because my older RT-AC3200 didn't have the horsepower to do firewalling/filtering and still serve up my gigabit fiber connection at full speed... also for fun?).

So far the only thing I've come across that there isn't an equivalent of is allowing upnp access on a per-device basis. Is this possible in Asuswrt (or Asuswrt-merlin)?

FWIW in pfsense I can turn on UPnP, set the default behavior to deny port mapping capability, then add devices (mostly gaming consoles) to an access list that allows only those devices to utilize UPnP to set up port forwards.

PS. not trying to start a holy war between routing solutions
PPS. I searched the forums plenty and found nothing about the existence (or non existence) of this functionality
 
You would have to use an upnp.postconf script to modify the router's auto-generated config (/etc/upnp/config).

 
I had not considered this an option before, thanks @ColinTaylor !
Here's a more generic example than the one in the other thread:

/jffs/scripts/upnp.postconf
Code:
#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

pc_delete "allow " $CONFIG      # Remove existing rule first

# Insert new rules in reverse order:
#                              external     allowed      internal
#                                 ports     clients      ports
pc_insert "max_lifetime" "allow 1-65535 192.168.1.102/32 1-65535" $CONFIG
pc_insert "max_lifetime" "allow 1-65535 192.168.1.101/32 1-65535" $CONFIG
pc_insert "max_lifetime" "allow 1-65535 192.168.1.100/32 1-65535" $CONFIG
 
By tweaking the script example and adding ext_ip,
I was able to allow UPnP only for certain clients in a double NAT environment.
Thanks @ColinTaylor and this thread.

Bash:
#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh

pc_delete "allow " $CONFIG      # Remove existing rule first
pc_delete "ext_ip=" $CONFIG     # Remove ext_ip if existing

# Insert new rules in reverse order:
#                                  external     allowed      internal
#                                     ports     clients      ports
pc_insert "presentation_url" "allow 1-65535 192.168.0.100/32 1024-65535" $CONFIG
...

# Append public IP
pc_append "ext_ip=My public IP" $CONFIG
 
Glad you got it to work @ZANGIEF. I had to think why I chose to insert the allow line above max_lifetime rather than somewhere like presentation_url. The reason was to preserve the precedence of the rules created in WAN - Virtual Server / Port Forwarding. Those ports are created as deny rules just below the presentation_url entry. By placing the new allow rule above all the deny rules you create a logical conflict. In practice it doesn't make any difference because a UPnP port mapping request for an existing forwarded port will initially be accepted by miniupnpd and then immediately be denied when it finds the conflict in the nat table.
 
@ColinTaylor
Thanks for the explanation.
When I compared the example script and /tmp/etc/upnp/config, I was a bit curious about the different lines inserting "allow", but now the mystery is solved.
 
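The ordering question raised above (allow rule inserted above max_lifetime versus above presentation_url, with the port-forward deny rules sitting between them) can be checked offline before a console ever asks for a mapping. The script below is an added example, not code from this thread, from Asuswrt-Merlin's helper.sh or from miniupnpd itself: it reads a config file, walks the allow/deny lines top to bottom and reports the first rule that matches a client/external-port/internal-port request. Assumptions made here: rules have the form `allow|deny ext-ports client/cidr int-ports`, first match wins, a request matching no rule is accepted (miniupnpd's default; the Asuswrt-generated file ends with a catch-all deny so that case does not arise there), and `insert_before` stands in for pc_insert's "add the line above the first match" behaviour. The config it writes is a constructed stand-in, not a real router dump, with one WAN port forward (25565) rendered as the deny line below presentation_url.

```shell
#!/bin/sh
# Added example: simulate miniupnpd's permission check over a generated
# /etc/upnp/config so the effect of an upnp.postconf script can be seen
# without a client on the LAN.  Needs 64-bit shell arithmetic (bash, dash,
# busybox ash built with 64-bit math).

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP NET/BITS : succeeds when IP lies inside NET/BITS.
cidr_match() {
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # bare address means /32
    [ "$bits" -eq 0 ] && return 0          # 0.0.0.0/0 matches everything
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# port_in_range PORT LO-HI : succeeds when LO <= PORT <= HI (a lone port is LO=HI).
port_in_range() {
    [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ]
}

# upnp_check CONFIG CLIENT EXTPORT INTPORT
# Prints the verdict and the rule that produced it; exit status 0 = allowed.
upnp_check() {
    n=0
    while read -r verdict eports clients iports _; do
        case "$verdict" in allow|deny) ;; *) continue ;; esac   # skip key=value lines
        n=$((n + 1))
        if port_in_range "$3" "$eports" && cidr_match "$2" "$clients" \
           && port_in_range "$4" "$iports"; then
            echo "$verdict  (rule $n: $verdict $eports $clients $iports)"
            [ "$verdict" = allow ] && return 0
            return 1
        fi
    done < "$1"
    echo "allow  (no rule matched: miniupnpd accepts by default)"
    return 0
}

# insert_before PATTERN LINE FILE : add LINE above the first line containing
# PATTERN, which is what the thread relies on pc_insert doing (assumption).
insert_before() {
    awk -v pat="$1" -v line="$2" \
        'index($0, pat) && !done { print line; done = 1 } { print }' "$3" \
        > "$3.tmp" && mv "$3.tmp" "$3"
}

# write_base_config FILE : constructed stand-in for the router-generated
# config.  The "deny 25565" line models one WAN port forward, placed where
# Asuswrt puts those rules (below presentation_url); the last line is the
# catch-all deny that closes the file.
write_base_config() {
    cat > "$1" <<'EOF'
ext_ifname=eth0
listening_ip=br0
presentation_url=http://192.168.1.1/
deny 25565 0.0.0.0/0 25565
max_lifetime=0
deny 0-65535 0.0.0.0/0 0-65535
EOF
}

# Walk a few constructed requests through both placements from the thread.
for anchor in max_lifetime presentation_url; do
    cfg=$(mktemp)
    write_base_config "$cfg"
    insert_before "$anchor" "allow 1-65535 192.168.1.100/32 1-65535" "$cfg"
    echo "== allow line inserted above $anchor =="
    for req in "192.168.1.100 8080 8080" "192.168.1.101 8080 8080" "192.168.1.100 25565 25565"; do
        set -- $req
        printf '%-14s ext %-5s int %-5s -> ' "$1" "$2" "$3"
        upnp_check "$cfg" "$1" "$2" "$3"
    done
    rm -f "$cfg"
done
```

With the allow line above max_lifetime, the allowed console gets 8080 but a request for the forwarded port 25565 is stopped by the deny rule that precedes it; with the allow line above presentation_url that same request passes the permission check, which is the logical conflict described above (miniupnpd then refuses it when it finds the existing entry in the nat table). To check a real router, point `upnp_check` at /tmp/etc/upnp/config after running the postconf script.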