
what happens if I disable UPnP?

Discussion in 'ASUS Wireless' started by horizonbrave, Nov 3, 2018.

  1. horizonbrave

    horizonbrave Occasional Visitor

    Joined:
    Sep 25, 2018
    Messages:
    15
    Hi,
    I read everywhere that it's a big security hazard!
    So please, if I disable it, will I still be able to use:
    - my email program
    - torrent client
    - skype (or other communication app)
    - gaming console (nintendo or sony)
    - nzbget
    - other programs that I might have forgotten
    ?

    If not, is it all about finding what ports these programs use and then port-forwarding them?
    Is there another elegant solution that will let me keep upnp switched on with the devices I trust? (but it still seems dangerous to me!).

    Thanks for input :)
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,548
    Location:
    UK
    Personally I leave it enabled because I regard the risk as practically non-existent in my particular environment and it makes things easier for me. I wouldn't consider enabling it in a business environment or on a network that I didn't completely control.

    Most of UPnP's bad reputation comes from an issue many years ago where some routers were exposing the service to the WAN. Asus routers never did that AFAIK. The other issue people worry about is the ability of a client to forward ports to a client other than itself. UPnP's "Secure mode" fixed this problem.

    Without UPnP enabled things like torrents and multiplayer gaming won't work properly unless you manually identify and forward all the ports required. This ends up being a bigger security risk IMHO because now you have to open up all ports that you might need and they're left open permanently rather than just when they're needed (and if the client's IP address changes that's another problem).

    Some people don't use applications that need port forwarding so there's no reason for them to have it enabled. Others just like to micromanage everything on their network.

    You can always check what port forwarding rules are active by looking on the router at System Log > Port Forwarding.
     
    horizonbrave likes this.
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,384
    Location:
    Canada
    Torrent: you will have to manually forward a port used by your torrent client (meaning if the client uses a random port, you will have to settle on a specific one).

    Game consoles might have issues if you play online games - you will have to see the documentation of the games you play.

    Skype also forwards ports using UPNP however I'm unsure what's the impact of not using UPNP (since I know Skype can work without it).
     
    horizonbrave likes this.
  4. Squall Leonhart

    Squall Leonhart Regular Contributor

    Joined:
    Apr 3, 2018
    Messages:
    69
    These units are not affected by the upnp exploit
     
  5. agilani

    agilani Senior Member

    Joined:
    Nov 30, 2012
    Messages:
    457
    upnp is the exploit :)

    Basically upnp allows devices on your network to open incoming connections to your home to allow the device to function correctly.

    Allow incoming camera connections
    Allow incoming gaming connections
    Allow incoming plex or media connections
    Did you know that minecraft opens up upnp ports to the outside (I sure didn't and was pretty pissed about it)


    and the list goes on....

    One could argue that most of the devices have not been really hardened or tested and/or most of these devices have exploits.

    Disabling upnp may decrease the security threat...but will break a lot of apps/devices native functionality.


    Best bet would be to look at the forwarding table on your router and see which devices are already using incoming connections and decide if you want to leave it.

    If you decide to turn it off, you can always enable manual port forwarding for statically addressed devices. You'd need to find which ports the device needs. The xbox for example needed a whole bunch of them.
     
  6. Squall Leonhart

    Squall Leonhart Regular Contributor

    Joined:
    Apr 3, 2018
    Messages:
    69
    no it isn't.
     
  7. hasarouter

    hasarouter Occasional Visitor

    Joined:
    Nov 5, 2018
    Messages:
    14
    I have upnp off, so far chromecast and sonos work without issues, though I remember reading online chromecast requires upnp

    Skype works fine too, as do messengers, eg telegram.
     
  8. agilani

    agilani Senior Member

    Joined:
    Nov 30, 2012
    Messages:
    457
  9. sm00thpapa

    sm00thpapa Very Senior Member

    Joined:
    Nov 24, 2012
    Messages:
    1,748
    Been using UPNP on for over 10 years with no security issues. With or without it, if someone wants to hack you they will.
     
    Darcy likes this.
  10. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,024
    Location:
    San Diego, CA
    Most of the security issues around uPNP are due to implementation, not the protocol itself...
     
  11. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,024
    Location:
    San Diego, CA
    Yep...

    static port forwards keep the port open all the time, uPNP/NAT-PMP only keep the ports open as long as needed...
     
  12. umarmung

    umarmung Senior Member

    Joined:
    Apr 21, 2018
    Messages:
    245
    UPnP automatically pokes holes in your firewall so that you don't have to do it manually.

    For a given residential user, it's just the flick of a checkbox in your router's interface. So, just test it. The default should be disabled due to extremely strong security concerns from bugs in common implementations and the loss of control over which services are doing it.

    You may find the only practical improvement in poking holes in your firewall at all comes from having an open port for Bittorrent, which can work without such a port but is often much faster with it.

    So, if all you want to do is open one port to one Bittorrent machine, disabling UPnP is more than worth it, if you know how to use router and client networking interfaces to manually port forward.

    If you really know what you are doing and have the equipment for it, you can create VLAN networks for receiving UPnP services and isolate these clients from the rest of your devices. But this is way beyond typical consumers and you would need a SOHO/enterprise or custom firmware router to do it, e.g. Ubiquiti, pfsense, Peplink, Cisco, Mikrotik, DD-WRT.
     
    Last edited: Nov 12, 2018
    OzarkEdge likes this.
  13. agilani

    agilani Senior Member

    Joined:
    Nov 30, 2012
    Messages:
    457
    I will respectfully disagree. When guests come over, do you give them keys to come and go as they please to your house? Are you prepared for the big party they throw at your house while you are at work? Did they have the foresight to lock the door so your pets don't get out? Did they close the door to make sure people don't just wander in? While the guests threw a big party, did they supervise everything/everyone to make sure the party attendees didn't go into other rooms in the house and your drawers?

    upnp is fundamentally insecure.

    In my house over eight devices regularly open up holes to the outside. Many of these devices have been proven to be insecure and have been hacked publicly. Why, for the love of everything good, would I want to allow them to have a party in my house?

    And I have removed almost all IOT wifi devices from my network and switched to zwave/zigbee devices.

    With upnp, the security of the worst device is in effect the security of your home network.

    Just to be clear though, disabling upnp doesn't miraculously fix security. But disabling it doesn't allow every device that comes on your home network to blatantly control the front door either.

    The protocol has no authentication or authorization, and was developed with complete disregard for any basic security protocols.

    Best thing is to look at the port forwarding table and see what is using upnp in your network and if you are comfortable with it.

    http://192.168.1.1/Main_IPTStatus_Content.asp
     
    Last edited: Nov 12, 2018
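    Both ColinTaylor's advice (check System Log > Port Forwarding) and the post above come down to the same thing: enumerate what the router's UPnP table currently forwards and decide whether each entry is expected. The standard way a client reads that table is the WANIPConnection action GetGenericPortMappingEntry, one index at a time. The script below is an added example, not code from this thread or from Asuswrt; it parses constructed sample SOAP responses (the host names, addresses, ports and descriptions are made up) and flags mappings that point at a host you do not recognise, that never expire, or that sit on a privileged port. Fetching the responses from a real gateway is left out so the example runs offline; the allowlist KNOWN_HOSTS is this example's own assumption.

```python
"""Audit an IGD's port-mapping table from GetGenericPortMappingEntry responses.

Added example, not code from the thread. The SOAP bodies below are constructed
samples of what an Internet Gateway Device returns for NewPortMappingIndex 0, 1
and 2; addresses, ports and descriptions are made up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Shape of a WANIPConnection:1 GetGenericPortMappingEntry response (argument names are standard).
_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed sample table: a torrent client, a game console and an IP camera.
SAMPLE_RESPONSES = [
    _TEMPLATE.format(remote="", ext=51413, proto="TCP", int_port=51413,
                     client="192.168.1.20", desc="Transmission at 51413", lease=3600),
    _TEMPLATE.format(remote="", ext=3074, proto="UDP", int_port=3074,
                     client="192.168.1.30", desc="Xbox", lease=3600),
    _TEMPLATE.format(remote="", ext=8080, proto="TCP", int_port=80,
                     client="192.168.1.45", desc="IPCam", lease=0),
]

# Hosts the network owner expects to hold mappings (assumed allowlist for this example).
KNOWN_HOSTS = {"192.168.1.20": "NAS running a torrent client",
               "192.168.1.30": "game console"}


@dataclass
class PortMapping:
    remote_host: str      # "" means any source address on the WAN
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str  # LAN host that receives the forwarded traffic
    enabled: bool
    description: str
    lease_duration: int   # seconds; 0 means the mapping never expires on its own


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree adds to qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_mapping(soap_xml: str) -> PortMapping:
    """Turn one GetGenericPortMappingEntryResponse into a PortMapping record."""
    root = ET.fromstring(soap_xml)
    fields: Dict[str, str] = {}
    for elem in root.iter():
        name = _local(elem.tag)
        if name.startswith("New"):           # the action's output arguments
            fields[name] = (elem.text or "").strip()
    return PortMapping(
        remote_host=fields["NewRemoteHost"],
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields["NewInternalClient"],
        enabled=fields["NewEnabled"] == "1",
        description=fields["NewPortMappingDescription"],
        lease_duration=int(fields["NewLeaseDuration"]),
    )


def audit(mappings: Iterable[PortMapping],
          known_hosts: Dict[str, str]) -> Dict[Tuple[int, str], List[str]]:
    """Return {(external_port, protocol): [reasons]} for mappings worth a second look."""
    findings: Dict[Tuple[int, str], List[str]] = {}
    for m in mappings:
        reasons: List[str] = []
        if m.internal_client not in known_hosts:
            reasons.append(f"internal client {m.internal_client} is not a known host")
        if m.lease_duration == 0:
            reasons.append("permanent lease: stays open until explicitly removed")
        if m.external_port < 1024:
            reasons.append("privileged external port")
        if reasons:
            findings[(m.external_port, m.protocol)] = reasons
    return findings


if __name__ == "__main__":
    table = [parse_mapping(body) for body in SAMPLE_RESPONSES]
    for m in table:
        print(f"{m.protocol} {m.external_port} -> {m.internal_client}:{m.internal_port}"
              f"  lease={m.lease_duration}  '{m.description}'")
    for key, reasons in audit(table, KNOWN_HOSTS).items():
        print("REVIEW", key, "; ".join(reasons))
```

    Against the sample table the only entry flagged is the camera's 8080/TCP mapping, for two reasons: its address is not on the allowlist and its lease is 0, so it will outlive whatever created it. On a real gateway you would call GetGenericPortMappingEntry with increasing NewPortMappingIndex until the device answers with error 713 (SpecifiedArrayIndexInvalid), feeding each body to parse_mapping.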
  14. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,384
    Location:
    Canada
    A proper UPNP implementation (like supported by miniupnpd) would only allow a device to forward a port to itself. In that regard, that visitor device is no more a security risk if it forwards a UPNP port than it already is by being able to establish an outbound connection anywhere outside of your network. Keep in mind that an outbound connection can also receive inbound data, just as if the port had been forwarded.

    That's why @sfx2000 says the issue lies in the implementation, not in UPNP itself. Too many UPNP implementations are flawed, allowing for instance a client to forward a port to another IP address within your LAN. Those are the real problems.
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,384
    Location:
    Canada
    It's important to understand that UPNP does not open a hole in your firewall. It forwards a specific port to a specific LAN IP. In a properly secured UPnP implementation, that IP can only be the same as the device asking for the forward, so it cannot compromise other devices within your LAN any further than they already can be by having a foreign client within your LAN.
     
    sfx2000 likes this.
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,384
    Location:
    Canada
    This is what happens with an Asuswrt router when trying to forward a port to someone else within my LAN:

    Code:
    [email protected]:~$ upnpc -a 192.168.10.199 9999 9999 tcp 3600
    upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
    Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
     desc: http://192.168.10.1:47639/rootDesc.xml
     st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    
    Found valid IGD : http://192.168.10.1:47639/ctl/IPConn
    Local LAN ip address : 192.168.10.106
    ExternalIPAddress = 23.x.y.z
    AddPortMapping(9999, 9999, 192.168.10.199) failed with code 718 (ConflictInMappingEntry)
    GetSpecificPortMappingEntry() failed with code 714 (NoSuchEntryInArray)
    

    Only a forward to myself is allowed:
    Code:
    [email protected]:~$ upnpc -a 192.168.10.106 9999 9999 tcp 3600
    upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
    Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
     desc: http://192.168.10.1:47639/rootDesc.xml
     st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    
    Found valid IGD : http://192.168.10.1:47639/ctl/IPConn
    Local LAN ip address : 192.168.10.106
    ExternalIPAddress = 23.x.y.z
    InternalIP:Port = 192.168.10.106:9999
    external 23.x.y.z:9999 TCP is redirected to internal 192.168.10.106:9999 (duration=3600)
    
     
    Last edited: Nov 12, 2018
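    The two upnpc runs above show the behaviour that the "secure mode" discussed earlier in the thread enforces: AddPortMapping for another LAN host is refused with UPnP error 718 (ConflictInMappingEntry), a mapping to the requester itself is accepted, and, as sfx2000 noted, the mapping carries a lease (3600 seconds here) after which the port closes again. The following is an added example that models that decision on the gateway side; it is not Asuswrt or miniupnpd code, and the class and method names are this example's own. It takes an injectable clock so lease expiry can be exercised without waiting an hour.

```python
"""Model of an IGD AddPortMapping handler with a secure-mode check and lease expiry.

Added example, not code from the thread or from miniupnpd. It reproduces the two
upnpc requests shown in the post: a mapping to another LAN host is refused with
UPnP error 718, a mapping to the requester itself is accepted, and it expires
when its lease runs out.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CONFLICT_IN_MAPPING_ENTRY = 718  # UPnP error code the IGD returns when it refuses a mapping


@dataclass(frozen=True)
class Mapping:
    ext_port: int
    proto: str            # "TCP" or "UDP"
    internal_client: str  # LAN address that receives the forwarded traffic
    internal_port: int
    expires_at: float     # time on the table's clock; 0.0 means no automatic expiry


class PortMappingTable:
    """Port-mapping table of a hypothetical gateway (names are this example's own)."""

    def __init__(self, secure_mode: bool = True,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.secure_mode = secure_mode
        self._clock = clock
        self._mappings: Dict[Tuple[int, str], Mapping] = {}

    def _expire(self) -> None:
        """Drop mappings whose lease has run out, so a port stays open only as long as requested."""
        now = self._clock()
        for key, m in list(self._mappings.items()):
            if m.expires_at and m.expires_at <= now:
                del self._mappings[key]

    def add_port_mapping(self, requester_ip: str, ext_port: int, proto: str,
                         internal_client: str, internal_port: int,
                         lease_seconds: int) -> Optional[int]:
        """Handle AddPortMapping: return None on success or the UPnP error code."""
        self._expire()
        proto = proto.upper()
        # Secure mode: a client may only forward ports to its own address (the
        # request's source IP), so it cannot expose a different LAN host.
        if self.secure_mode and internal_client != requester_ip:
            return CONFLICT_IN_MAPPING_ENTRY
        existing = self._mappings.get((ext_port, proto))
        # An external port already mapped to another host is a genuine conflict.
        if existing is not None and existing.internal_client != internal_client:
            return CONFLICT_IN_MAPPING_ENTRY
        expires = self._clock() + lease_seconds if lease_seconds > 0 else 0.0
        self._mappings[(ext_port, proto)] = Mapping(ext_port, proto, internal_client,
                                                    internal_port, expires)
        return None

    def get_specific_port_mapping(self, ext_port: int, proto: str) -> Optional[Mapping]:
        """Handle GetSpecificPortMappingEntry; None corresponds to error 714 (NoSuchEntryInArray)."""
        self._expire()
        return self._mappings.get((ext_port, proto.upper()))

    def active_mappings(self) -> List[Mapping]:
        """Everything currently forwarded, after purging expired leases."""
        self._expire()
        return list(self._mappings.values())


if __name__ == "__main__":
    table = PortMappingTable(secure_mode=True)
    requester = "192.168.10.106"   # the host that ran upnpc in the post
    # Same two requests as the post: first to another LAN host, then to itself.
    print("to 192.168.10.199:", table.add_port_mapping(requester, 9999, "tcp",
                                                      "192.168.10.199", 9999, 3600))
    print("to self:          ", table.add_port_mapping(requester, 9999, "tcp",
                                                      requester, 9999, 3600))
    print("active:           ", table.active_mappings())
```

    With secure_mode=False the same class accepts the first request, which is exactly the flawed behaviour RMerlin describes: any LAN client could then expose any other LAN host. The lease handling is what distinguishes a UPnP mapping from a static forward in the router's UI: once expires_at passes, the entry disappears without anyone having to remember to remove it.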
  17. OzarkEdge

    OzarkEdge Very Senior Member

    Joined:
    Feb 14, 2018
    Messages:
    1,268
    Location:
    USA
    Do you mean the UPnP implementation by the router or by the host device on the LAN?

    And, is UPnP enabled by default in Asuswrt-Merlin? I suspect so.

    OE
     
  18. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,384
    Location:
    Canada
    By the router.

    Yes.
     
    OzarkEdge likes this.
  19. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,024
    Location:
    San Diego, CA
    Exactly - a proper implementation, even with miniupnpd, generally works -- even on the FreeBSD-based pfSense...

    Code:
    [email protected]:~$ upnpc -a 192.168.1.20 9999 9999 tcp 3600
    upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
    Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
     desc: http://192.168.1.1:2189/rootDesc.xml
     st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    
    Found valid IGD : http://192.168.1.1:2189/ctl/IPConn
    Local LAN ip address : 192.168.1.20
    ExternalIPAddress = 68.a.b.c
    InternalIP:Port = 192.168.1.20:9999
    external 68.a.b.c:9999 TCP is redirected to internal 192.168.1.20:9999 (duration=3600)
    

     
  20. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,024
    Location:
    San Diego, CA
    Exactly - and then it's the device that is attempting to port forward, and security thereof - and that's out of the scope of uPNP

    I get it, there are folks that do worry about "automated" actions that change firewall rules - whether it's uPNP, or scripts like Fail2Ban or sshguard, just naming a couple...

    If you have a device, whether it is a gaming console, web camera, thermostat, doorbell, or even a coffee pot - one must look at the security on that endpoint as well...

    SPI firewalls and NAT do a lot of good things, and uPNP can help with the user experience, but still - one has to do some level of digital hygiene... OS's might be hardened to some degree (some more than others), but it's also the applications that run on the OS/Device...

    Practice safe hex at the end of the day...