Posted: Fri Dec 09, 2016 0:22 Post subject: Any reason upnp is disabled by default?
Wondering if I missed something... has a vulnerability been discovered in UPnP? Seems like it should be on by default considering how many devices use it these days.
Posted: Fri Dec 09, 2016 6:48 Post subject: Re: Any reason upnp is disabled by default?
Duxa wrote:
Wondering if I missed something... has a vulnerability been discovered in UPnP? Seems like it should be on by default considering how many devices use it these days.
And if you all want them to open up ports like they want to, then it is time to buy a Chinese router with Chinese firmware; this way you give away control to others.
_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
My bandwidth monitoring software will not work with it enabled. The in-house network runs fine without it.
_________________
Segment 1 XR700 10Gb LAN, 1Gb WAN ISP BS
Wired AP 1 Unifi Wifi 6 LR US 1Gb LAN
Wired AP 2 Unifi Wifi 6 LR US 1Gb LAN
Wired AP 3 Unifi Wifi 6 LR US 1Gb LAN
Syslog Services Asustor 7110T NAS 10GB
NetGear XS716T 10GB Switch
download1.dd-wrt.com/dd-wrtv2/downloads/betas/ (Brain Slayer)
YAMon https://usage-monitoring.com/index.php
Anything that opens IPv4 TCP/UDP ports at will is a problem these days, given the potential malware/botnet angle as of late. It's a security risk because any application with UPnP support could expose a service to the outside without your knowledge. This application could be a normal piece of software or malicious, but unless you're monitoring the UPnP port forward table, how would you know?
Most home routers with the stock firmware will have it enabled by default for convenience, because often it's needed for console gaming (IPv4 only) and such. Netgear, Linksys and the like probably don't want people calling them up saying they can't get online, or that their NAT type is preventing them from doing things. Some of the implementations of UPnP in the stock firmware can be total crap as well.
Having it disabled by default is a good idea; most of the users running DD-WRT are likely to be a little bit more knowledgeable and technically minded, hence they understand what it is and can also enable it if they wish, knowing the risks.
I would always manually port forward and use port triggering for something like games consoles. That way you know what ports are potentially open on your network.
Fortunately, IPv6 somewhat removes the whole NAT/port forward issue, but IPv6 itself brings its own security concerns with having a proper firewall and such configured.
Bottom line, keep it disabled, manually port forward, one less thing to worry about in terms of router security.
_________________
James
Main router:
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset
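The post above says the real gap is that nobody watches the UPnP port forward table. The following is an added example (not from this thread or from DD-WRT) of that check: it parses the GetGenericPortMappingEntry responses an IGD's WANIPConnection service returns and reports any mapping not on an owner-maintained allowlist. The sample table, addresses and ports are constructed for the example.

```python
"""Audit a UPnP IGD port-mapping table against an allowlist."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "u": "urn:schemas-upnp-org:service:WANIPConnection:1"}

@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    client: str
    int_port: int
    description: str

def parse_entry(xml_text: str) -> Mapping:
    """Extract one mapping from a GetGenericPortMappingEntry SOAP response."""
    root = ET.fromstring(xml_text)
    resp = root.find(".//u:GetGenericPortMappingEntryResponse", NS)
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    get = lambda tag: (resp.findtext(tag) or "").strip()  # children are unqualified
    return Mapping(get("NewProtocol").upper(), int(get("NewExternalPort")),
                   get("NewInternalClient"), int(get("NewInternalPort")),
                   get("NewPortMappingDescription"))

def unexpected(mappings, allowlist):
    """Return mappings whose (proto, external port, client) is not approved."""
    return [m for m in mappings if (m.proto, m.ext_port, m.client) not in allowlist]

# Constructed sample table (hypothetical LAN addresses and ports): one mapping the
# owner set up on purpose, and one that simply appeared. Built in the shape a
# real IGD response takes so parse_entry() works unchanged against a router.
def _entry(proto, ext, client, internal, desc):
    return f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{NS['u']}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_TABLE = [_entry("UDP", 3074, "192.168.1.50", 3074, "game console"),
                _entry("TCP", 5555, "192.168.1.77", 5555, "unknown app")]
ALLOWLIST = {("UDP", 3074, "192.168.1.50")}  # what the owner actually approved

def audit(table=SAMPLE_TABLE, allowlist=ALLOWLIST):
    """Parse every entry and return those that were never approved."""
    return unexpected([parse_entry(x) for x in table], allowlist)

if __name__ == "__main__":
    for m in audit():
        print(f"UNEXPECTED {m.proto}/{m.ext_port} -> {m.client}:{m.int_port} ({m.description})")
```

Against a live router the same parser is fed by iterating GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2, ... until the service returns an error, and the allowlist is whatever you deliberately configured.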
Thanks for the replies. Is it possible to only enable UPnP for certain MACs or certain IPs?
I mainly need it to be able to use home automation apps on our phones from outside the house. It's not clear which ports to forward for the apps to work, so I don't think manually port forwarding is a thing I can do.
The ports should be documented somewhere; if not, you can always ask the manufacturer for the information. If it's a range of ports, this is achievable through port range forwarding or triggering, compared to port forwarding to a specific LAN client.
As I said, if you explicitly need it, enable it, but the reasons above highlight why it's disabled by default.
_________________
James
Main router:
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset