@ammgws
Forked from plembo/upnper4dont.md
Created September 2, 2021 11:50
UPnP with EdgeRouter: Don't do it!

Want to configure UPnP on EdgeRouter-4?

Don't do it!

Introduction

As a former sysadmin who once helped ride herd over around 1,000 servers, of which around 10% were Internet-facing, I've never been a fan of autoconfiguration when it comes to punching holes through the firewall. I've seen the tripwire logs, and it's sobering.

The Problem

So enabling UPnP on my EdgeRouter-4 wasn't something I had on the roadmap, but when I ran into difficulty getting DLNA to work on the default VLAN, I thought it was worth looking into (never mind that, as I later learned, having UPnP turned on wasn't going to make a bit of difference on my local network: another reason that mastering theory should always come before practice).

Documentation

I was surprised that there wasn't a clearly written, up-to-date guide among the official docs on ui.com, thus requiring me (and every other user) to wade into the Internet swamp of bad advice for answers.

I did eventually consult the official EdgeOS User Guide, but as usual the info there was woefully incomplete: basically content to provide a walkthrough of the router's UPnP Wizard, without ever mentioning EdgeOS's support for the newer (and preferred) UPnP2 protocol, which cannot be enabled with the wizard.

These are the most useful articles from the UI Community that I found:

UPnP vs UPnP2: What's the difference?

upnp2 documentation

Enable upnp2 on Edgemax lite

Procedure

This is the basic procedure to follow for enabling UPnP2 on an EdgeRouter. The example commands below assume the EdgeRouter-4 defaults where eth0 is the WAN port, and eth1 is for the LAN.

  1. If you have already set up upnp with the wizard, get onto the router and delete that first:

```
$ configure
# delete service upnp
# commit
# save
# exit
```

  2. Now enable and configure UPnP2 for the default LAN:

```
$ configure
# set service upnp2 listen-on eth1
# set service upnp2 wan eth0
# set service upnp2 secure-mode enable
# set service upnp2 nat-pmp enable
# commit
# save
# exit
```

If you have multiple LAN (or VLAN) interfaces, you can add them using additional listen-on commands.

  3. Confirm all the things with:

```
$ show upnp2 rules
```

  4. Read these articles and think again about whether it might be better to disable UPnP2 (and UPnP) altogether:

Dan Goodin. "UPnP flaw exposes millions of network devices to attacks over the Internet". Ars Technica, 11 June 2020.

Jenny List. "UPnP, Vulnerability as a Feature that just won't die". Hackaday, 14 January 2019.

  5. If you decide, as I did, that the risks associated with UPnP significantly outweigh the benefits, then you can easily disable it by deleting:

```
$ configure
# delete service upnp2
# commit
# save
# exit
```
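As an added example (not code from this gist or from Ubiquiti), here is a small Python audit that parses an EdgeOS config.boot, whose brace syntax is what the `set service upnp2 ...` commands above produce, and reports whether upnp or upnp2 is configured and whether upnp2 secure-mode is set. The sample config is constructed, and the handling of `listen-on` assumes the flat leaves used by upnp2 and the nested `listen-on ethX { ... }` form used by the legacy upnp service.

```python
# Constructed sample in EdgeOS (Vyatta-style) config.boot syntax: the stanza
# the `set service upnp2 ...` commands above produce, minus secure-mode.
SAMPLE_CONFIG = """\
service {
    upnp2 {
        listen-on eth1
        listen-on eth1.10
        wan eth0
        nat-pmp enable
    }
}
"""

def parse_config(text):
    """Parse brace-nested config into dicts; leaves are lists (keys repeat)."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # blanks, header comments
            continue
        node = stack[-1] if stack else root
        if line.endswith("{"):
            stack.append(node.setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            node.setdefault(key, []).append(value.strip())
    return root

def audit_upnp(config):
    """Return findings about UPnP exposure in a parsed config."""
    findings = []
    for name in ("upnp", "upnp2"):
        stanza = config.get("service", {}).get(name)
        if stanza is None:
            continue
        # legacy upnp nests 'listen-on ethX { ... }'; upnp2 uses flat leaves
        lans = stanza.get("listen-on", []) + [k.split(" ", 1)[1] for k in stanza
                                              if k.startswith("listen-on ")]
        findings.append(f"{name} is enabled; wan={stanza.get('wan', ['?'])[0]}; "
                        f"listen-on={','.join(lans)}")
        if name == "upnp2" and stanza.get("secure-mode") != ["enable"]:
            findings.append("upnp2 secure-mode is not enabled")
    return findings or ["no upnp/upnp2 service configured"]

if __name__ == "__main__":
    for finding in audit_upnp(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a copy of `/config/config.boot` pulled from the router to see at a glance whether the wizard's upnp stanza or an unsecured upnp2 stanza is still present after step 5.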