Any reason upnp is disabled by default?

DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
Duxa
DD-WRT User


Joined: 16 Aug 2013
Posts: 100

PostPosted: Fri Dec 09, 2016 0:22    Post subject: Any reason upnp is disabled by default?
Wondering if I missed something... has a vulnerability been discovered in upnp? Seems like it should be on by default considering how many devices use it these days.

Is there a security concern turning it on?
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Fri Dec 09, 2016 6:48    Post subject: Re: Any reason upnp is disabled by default?
Duxa wrote:
Wondering if I missed something... has a vulnerability been discovered in upnp? Seems like it should be on by default considering how many devices use it these days.

And if you all want them to open up ports like they want to, then it is time to buy a Chinese router with Chinese firmware; this way you give away control to others.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
ddaniel51
DD-WRT Guru


Joined: 19 Feb 2013
Posts: 1382

PostPosted: Fri Dec 09, 2016 8:14    Post subject:
My bandwidth monitoring software will not work with it enabled. The in house network runs fine without it.
_________________
Segment 1 R9000 10Gb LAN, 1Gb ISP BS
Test Bed R9000 10Gb LAN
Wired AP 1 R9000 10Gb LAN
Wired AP 2 R9000 1Gb LAN
Wired AP 3 R9000 1Gb LAN
Test Bed R7800 1Gb LAN OpenWRT Kong
download1.dd-wrt.com/dd-wrtv2/downloads/betas/ (Brain Slayer)
www.desipro.de/openwrt/ (Kong's)
YAMon usage-
www.monitoring.com/manualInstall.php
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Fri Dec 09, 2016 9:48    Post subject:
Anything that opens IPv4 TCP/UDP ports at will is a problem these days, given the potential malware/botnet angle as of late. It's a security risk because any application with UPnP support could expose a service to the outside without your knowledge. This application could be a normal piece of software or malicious, but unless you are monitoring the UPnP port forward table, how would you know?

Most home routers with the stock firmware will have it enabled by default for convenience, because often it's needed for console gaming (IPv4 only) and such. Netgear, Linksys and the like probably don't want people calling them up saying they can't get online, or that their NAT type is preventing them from doing things. Some of the implementations of UPnP in the stock firmware can be total crap as well.

Having it disabled by default is a good idea; most of the users running DD-WRT are likely to be a little bit more knowledgeable and technically minded, hence they understand what it is and can also enable it if they wish, knowing the risks.

I would always manually port forward and use port triggering for something like games consoles. That way you know what ports are potentially open on your network.

Fortunately, IPv6 somewhat removes the whole NAT/port forward issue, but IPv6 itself brings its own security concerns with having a proper firewall and such configured.

Bottom line: keep it disabled and manually port forward, one less thing to worry about in terms of router security.

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
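Following James2k's point about watching the UPnP port-forward table, here is an added example (not from this thread or from DD-WRT) in Python that parses a constructed `upnpc -l` listing and flags mappings that are not on an allowlist or that expose a sensitive internal service. The listing format is an assumption based on miniupnpc's output, and the sample entries and allowlist are made up.

```python
import re

# Constructed sample of `upnpc -l` output (miniupnpc). Format is assumed;
# real output varies by version, so adjust MAPPING_RE if lines differ.
SAMPLE_UPNPC_LISTING = """\
List of UPNP devices found on the network :
 desc: http://192.168.1.1:5000/rootDesc.xml
Found valid IGD : http://192.168.1.1:5000/ctl/IPConn
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 51413->192.168.1.100:51413 'Transmission at 51413' '' 0
 1 UDP  3074->192.168.1.120:3074 'Xbox (3074)' '' 0
 2 TCP  3389->192.168.1.50:3389 'RDP' '' 0
 3 TCP  8080->192.168.1.77:22 'ssh-tunnel' '' 86400
"""

# One mapping line: index, proto, extPort->intAddr:intPort, 'desc' 'remote' lease
MAPPING_RE = re.compile(
    r"^\s*(\d+)\s+(TCP|UDP)\s+(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)"
    r"\s+'(.*?)'\s+'(.*?)'\s+(\d+)\s*$"
)

# Internal services that should never be reachable through a UPnP mapping.
SENSITIVE_INTERNAL_PORTS = {22, 23, 445, 3389, 5900}


def parse_mappings(listing):
    """Return the port-mapping entries found in an `upnpc -l` listing."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m.group(2), "ext_port": int(m.group(3)),
                "int_host": m.group(4), "int_port": int(m.group(5)),
                "desc": m.group(6), "lease": int(m.group(8)),
            })
    return mappings


def audit(mappings, allowlist):
    """Return (mapping, reasons) for every entry a defender should look at.

    allowlist holds (proto, ext_port, int_host, int_port) tuples you expect.
    """
    findings = []
    for mp in mappings:
        reasons = []
        key = (mp["proto"], mp["ext_port"], mp["int_host"], mp["int_port"])
        if key not in allowlist:
            reasons.append("not-in-allowlist")
        if mp["int_port"] in SENSITIVE_INTERNAL_PORTS:
            reasons.append("sensitive-service")
        if reasons:
            findings.append((mp, reasons))
    return findings
```

To run it against a live router, pipe the real `upnpc -l` output into `parse_mappings` instead of the constructed sample.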
Duxa
DD-WRT User


Joined: 16 Aug 2013
Posts: 100

PostPosted: Fri Dec 09, 2016 23:23    Post subject:
Thanks for the replies. Is it possible to only enable upnp for certain MACs or certain IPs?

I mainly need it to be able to use home automation apps on our phones from outside the house. It's not clear which ports to forward for the apps to work, so I don't think manually port forwarding is a thing I can do.
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sat Dec 10, 2016 10:09    Post subject:
Nope, not possible.

The ports should be documented somewhere; if not, you can always ask the manufacturer for the information. If it's a range of ports, this is achievable through port range forwarding or triggering, compared to port forwarding to a specific LAN client.

As I said, if you explicitly need it, enable it, but the reasons above highlight why it's disabled by default.
