As a former sysadmin who once helped ride herd over around 1,000 servers, of which around 10% were Internet-facing, I've never been a fan of autoconfiguration when it comes to punching holes through the firewall. I've seen the tripwire logs, and it's sobering.
So enabling UPnP on my EdgeRouter-4 wasn't something I had on the roadmap, but when I ran into difficulty getting DLNA to work on the default VLAN, I thought it was worth looking into (never mind that, as I later learned, having UPnP turned on wasn't going to make a bit of difference on my local network: another reason that mastering theory should always come before practice).
I was surprised that there wasn't a clearly written, up-to-date guide among the official docs on ui.com, thus requiring me (and every other user) to wade into the Internet swamp of bad advice for answers.
I did eventually consult the official EdgeOS User Guide, but as usual the info there was woefully incomplete: basically content to provide a walk-through of the router's UPnP Wizard, without ever mentioning EdgeOS's support for the newer (and preferred) UPnP2 protocol that cannot be enabled with the wizard.
These are the most useful articles from the UI Community that I found:
UPnP vs UPnP2: What's the difference?
This is the basic procedure to follow for enabling UPnP2 on an EdgeRouter. The example commands below assume the EdgeRouter-4 defaults where eth0 is the WAN port, and eth1 is for the LAN.
- If you have already set up UPnP with the wizard, get onto the router and delete that first:
$ configure
# delete service upnp
# commit
# save
# exit
- Now enable and configure UPnP2 for the default LAN:
$ configure
# set service upnp2 listen-on eth1
# set service upnp2 wan eth0
# set service upnp2 secure-mode enable
# set service upnp2 nat-pmp enable
# commit
# save
# exit
If you have multiple LAN (or VLAN) interfaces, you can add them using additional listen-on commands.
- Confirm all the things with:
$ show upnp2 rules
- Read these articles and think again about whether it might be better to disable UPnP2 (and UPnP) altogether:
Dan Goodin. "UPnP flaw exposes millions of network devices to attacks over the Internet". Ars Technica, 11 June 2020.
Jenny List. "UPnP, Vulnerability as a Feature that just won't die". Hackaday, 14 January 2019.
- If you decide, as I did, that the risks associated with UPnP significantly outweigh the benefits, then you can easily disable it by deleting the service:
$ configure
# delete service upnp2
# commit
# save
# exit
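As an added example that is not part of the original post: a small Python audit that reads the `set ...` form of an EdgeOS configuration (what `show configuration commands` prints), reports whether the wizard's legacy upnp and upnp2 are configured, and flags the settings the steps above are meant to get right. The sample dump is constructed for the example.

```python
# Added example, not from the original post: audit the UPnP settings in an
# EdgeOS config dump in "set ..." form (what `show configuration commands`
# prints) and flag the mistakes a reviewer would look for.

def parse_upnp_lines(config_text):
    """Yield (service, args) for every 'set service upnp|upnp2 ...' line."""
    for raw in config_text.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["set", "service"] and tokens[2:3] in (["upnp"], ["upnp2"]):
            yield tokens[2], tokens[3:]

def audit_upnp(config_text):
    """Return (state, findings): what is enabled and what should be fixed."""
    state = {"upnp": False, "upnp2": False, "listen_on": [], "wan": None,
             "secure_mode": False}
    for service, args in parse_upnp_lines(config_text):
        if service == "upnp":           # wizard-style legacy UPnP block
            state["upnp"] = True
            continue
        state["upnp2"] = True
        if args[:1] == ["listen-on"] and len(args) > 1:
            state["listen_on"].append(args[1])
        elif args[:1] == ["wan"] and len(args) > 1:
            state["wan"] = args[1]
        elif args[:2] == ["secure-mode", "enable"]:
            state["secure_mode"] = True
    findings = []
    if state["upnp"]:
        findings.append("legacy 'service upnp' still configured; delete it first")
    if state["upnp2"]:
        if state["wan"] is None:
            findings.append("upnp2 wan interface is not set")
        elif state["wan"] in state["listen_on"]:
            # Mapping requests must only ever be accepted from the LAN side.
            findings.append(f"upnp2 listens on its WAN interface {state['wan']}; drop that listen-on")
        if not state["secure_mode"]:
            # secure-mode restricts a client to mapping ports to its own address.
            findings.append("upnp2 secure-mode is off: a client may map ports for other hosts")
    return state, findings

# Constructed sample dump: legacy UPnP never removed, and upnp2 added with the
# WAN port in listen-on and without secure-mode.
SAMPLE_DUMP = """\
set service upnp listen-on eth1
set service upnp2 listen-on eth1
set service upnp2 listen-on eth0
set service upnp2 wan eth0
set service upnp2 nat-pmp enable
"""
```

Running `audit_upnp(SAMPLE_DUMP)` reports three findings; the four upnp2 lines from the procedure above produce none.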
It might surprise some, but I'd much rather be running something simpler and cheaper like the TP-Link TL-R605, whose hardware is adequate for 1 Gb/s and does 802.1Q VLANs, which is all I really need outside the lab.