Blocking traffic

DD-WRT Forum Index -> Advanced Networking
FlaParrotHead
DD-WRT User


Joined: 04 Nov 2020
Posts: 80

Posted: Fri Jun 04, 2021 15:19    Post subject: Blocking traffic
Is there a way I can block all INBOUND WAN traffic to one local LAN IP address (all protocols) with the exception of a single TCP port (used for Plex)? I do not want to impact local LAN traffic to that device.

The reason is that the device (a NAS server) is seeing, and blocking, a significant amount of what appear to be UDP hits and I’d like to shut them down.

_________________
Linksys WRT3200ACM
Version: DD-WRT v3.0-r50500 std (10/13/22)
Kernel Version: Linux 4.9.330 #3466 SMP Thu Oct 13 02:01:23 +07 2022 armv7l
Linksys RE9000 Extender (WiFi attached)
OpenVPN with PBR: ExpressVPN
Devices: Sonos, Apple, QNAP, Laserjet other
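One way to do what the question asks, as an added example that is not from the thread or from DD-WRT itself: a firewall-script fragment for Administration -> Commands -> "Save Firewall" that lets only one TCP port reach the NAS from the WAN and drops every other WAN-originated packet to it, while leaving LAN-to-NAS traffic alone. The NAS address (192.168.42.10) and the Plex port (32400, Plex Media Server's default) are assumptions; the thread gives neither.

```shell
#!/bin/sh
# Added example, not from the thread: DD-WRT firewall-script rules that let
# only one TCP port (Plex) reach the NAS from the WAN and drop every other
# WAN-originated packet to it. LAN-to-NAS traffic is unaffected because it
# never arrives on the WAN interface and so never matches these rules.
#
# Assumed values (the thread does not give them); adjust to your network.
NAS_IP="${NAS_IP:-192.168.42.10}"   # NAS address on the DD-WRT 192.168.42.0/24 LAN
PLEX_PORT="${PLEX_PORT:-32400}"     # Plex Media Server's default TCP port

# On the router, nvram exists and the real iptables is used; anywhere else the
# rules are only printed so the script can be reviewed (or tested) harmlessly.
if command -v nvram >/dev/null 2>&1; then
    IPT=iptables
    WAN_IF="$(nvram get wan_iface)"
else
    IPT=echo
    WAN_IF="${WAN_IF:-eth0}"        # eth0 is the WAN interface in the posted log
fi

# WAN->LAN packets are forwarded, not delivered to the router, so the FORWARD
# chain (not INPUT) is where they are filtered. The Plex port forward set up
# under NAT/QoS -> Port Forwarding rewrites the destination to the NAS before
# FORWARD sees the packet, so matching on "-d $NAS_IP" covers it as well.
nas_rules() {
    # Delete any copies left by a previous run: DD-WRT re-runs the firewall
    # script on WAN events and duplicate rules would otherwise accumulate.
    $IPT -D FORWARD -i "$WAN_IF" -d "$NAS_IP" -p tcp --dport "$PLEX_PORT" -m state --state NEW -j ACCEPT 2>/dev/null
    $IPT -D FORWARD -i "$WAN_IF" -d "$NAS_IP" -m state --state NEW -j DROP 2>/dev/null

    # Match only NEW connections, so replies to connections the NAS opened
    # itself (its own outbound traffic) are still let back in.
    # Both rules are inserted at position 1: the DROP goes in first and the
    # ACCEPT second, so the ACCEPT ends up above the DROP and wins for Plex.
    $IPT -I FORWARD 1 -i "$WAN_IF" -d "$NAS_IP" -m state --state NEW -j DROP
    $IPT -I FORWARD 1 -i "$WAN_IF" -d "$NAS_IP" -p tcp --dport "$PLEX_PORT" -m state --state NEW -j ACCEPT
}

nas_rules
```

After saving the firewall script and rebooting (or running the script from the shell), check the order with `iptables -L FORWARD -nv --line-numbers`: the ACCEPT for the Plex port must be line 1 and the DROP line 2, otherwise the port forward will stop working. Traffic to other LAN hosts is not touched, and anything the NAS initiates still gets its replies.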
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12904
Location: Netherlands

Posted: Fri Jun 04, 2021 15:48
Transferring this to the right forum.

To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

If you have not already read the forum guidelines, please do!!

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
FlaParrotHead
DD-WRT User


Joined: 04 Nov 2020
Posts: 80

Posted: Sat Jun 05, 2021 3:35
I finally was able to catch what I think are the hits on my NAS, could someone suggest what blocks I need to keep these from coming into the interface at all?

Jun 4 23:30:25 ABCDD_WRT kern.warn kernel: [132367.147169] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:4b:b8:a5:cc:08:00 SRC=192.168.1.11 DST=192.168.1.255 LEN=400 TOS=0x00 PREC=0x00 TTL=64 ID=15601 DF PROTO=UDP SPT=34616 DPT=1900 LEN=380

So, a little more information. The device with 192.168.1.11, which is on the subnet of the ISP router in front of my DD-WRT router, is an Nvidia Shield streaming box, not on the subnet of the DD-WRT device.

Any clue what the shield may be trying?

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14242
Location: Texas, USA

Posted: Sat Jun 05, 2021 4:49
I'm pretty sure sniffing on the 192.168.1.0/24 network with Wireshark will tell you exactly what those packets are, *but* that is UPnP/SSDP broadcast, if I am not mistaken. I do not enable either on anything.

https://www.google.com/search?q=udp+1900+purpose

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
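The posted log line, taken apart and classified, as an added example that is not part of the thread. In that line the MAC field starts with ff:ff:ff:ff:ff:ff (the Ethernet broadcast destination), DST is 192.168.1.255 (the subnet broadcast of the ISP-side network) and PROTO/DPT are UDP/1900, which is SSDP, the discovery half of UPnP. The second sample line is constructed for contrast (hypothetical public source address and an assumed NAS address/Plex port); the `field` and `classify_log_line` helpers are mine, not DD-WRT's.

```shell
#!/bin/sh
# Added example, not from the thread: pull the fields out of a DD-WRT iptables
# log line and report what the packet most likely is. The first sample is the
# line posted above; the second is a constructed unicast TCP SYN for contrast.

SAMPLE_SSDP='Jun 4 23:30:25 ABCDD_WRT kern.warn kernel: [132367.147169] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:4b:b8:a5:cc:08:00 SRC=192.168.1.11 DST=192.168.1.255 LEN=400 TOS=0x00 PREC=0x00 TTL=64 ID=15601 DF PROTO=UDP SPT=34616 DPT=1900 LEN=380'
# Constructed, not from the thread: a new TCP connection from a public address
# to the assumed NAS/Plex port (hypothetical addresses and port).
SAMPLE_PLEX='Jun 4 23:31:02 ABCDD_WRT kern.warn kernel: [132404.000001] DROP IN=eth0 OUT=br0 MAC=... SRC=203.0.113.5 DST=192.168.42.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=32400 WINDOW=29200 RES=0x00 SYN URGP=0'

# field LINE KEY: value of " KEY=..." in LINE (empty if absent). The leading
# space keeps DPT= from matching inside SPT=; if a key repeats (LEN= appears
# twice, IP and UDP length) the last occurrence wins.
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# classify_log_line LINE: prints one summary line, e.g.
#   ssdp UDP/1900 broadcast in=eth0 src=192.168.1.11 dst=192.168.1.255
classify_log_line() {
    line="$1"
    in="$(field "$line" IN)"; src="$(field "$line" SRC)"; dst="$(field "$line" DST)"
    proto="$(field "$line" PROTO)"; dpt="$(field "$line" DPT)"

    # Who the packet was addressed to: a multicast group (224.0.0.0/4), a
    # limited or directed broadcast, or a single host.
    case "$dst" in
        "")                      kind=unknown ;;
        22[4-9].*|23[0-9].*)     kind=multicast ;;
        255.255.255.255|*.255)   kind=broadcast ;;
        *)                       kind=unicast ;;
    esac

    # UDP/1900 is SSDP (UPnP discovery); anything else is reported by
    # protocol and port so the reader can look it up.
    if [ "$proto" = UDP ] && [ "$dpt" = 1900 ]; then
        what=ssdp
    else
        what=other
    fi
    printf '%s %s/%s %s in=%s src=%s dst=%s\n' "$what" "$proto" "$dpt" "$kind" "$in" "$src" "$dst"
}

classify_log_line "$SAMPLE_SSDP"
classify_log_line "$SAMPLE_PLEX"
```

Run it against the router's log with something like `logread | grep ' DROP ' | while read -r l; do classify_log_line "$l"; done` (after sourcing the functions) to see how much of the noise is SSDP broadcast arriving on the WAN side versus unicast attempts at a forwarded port. Note that the posted line is already marked DROP by the router itself, on its WAN interface; a broadcast to 192.168.1.255 is not being forwarded to the 192.168.42.0/24 LAN.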
FlaParrotHead
DD-WRT User


Joined: 04 Nov 2020
Posts: 80

Posted: Sat Jun 05, 2021 14:31
kernel-panic69 wrote:
I'm pretty sure sniffing on the 192.168.1.0/24 network with Wireshark will tell you exactly what those packets are, *but* that is UPnP/SSDP broadcast, if I am not mistaken. I do not enable either on anything.

https://www.google.com/search?q=udp+1900+purpose


Thanks … I have both networks shut down for a clean start and will figure out how to disable UPnP and SSDP on my 192.168.42.0/24 DD-WRT subnet once I bring everything back online, unfortunately I am unable to disable it on the ISP 192.168.1.0/24 subnet (not having access to that router interface).

Since I’m down for now, can you point me to the right settings? Thanks again!

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14242
Location: Texas, USA

Posted: Sat Jun 05, 2021 16:09
It's your Nvidia Shield device that is sending out UPnP broadcasts, is what it looks like. I don't know how you don't have access to your ISP router's interface, you should. On DD-WRT, click on NAT/QoS, then UPnP. It is usually disabled by default, so that should not be the issue. I would contact whoever you need to for getting the login credentials on your ISP gear and check it. Are you running Plex on the Nvidia Shield device? If so, it's a matter of turning off local network discovery:

https://www.reddit.com/r/PleX/comments/aaeqaq/disable_upnp/

I really wish M$ and all these IoT devices wouldn't have this crap turned on by default.

FlaParrotHead
DD-WRT User


Joined: 04 Nov 2020
Posts: 80

Posted: Sat Jun 05, 2021 16:59
kernel-panic69 wrote:
It's your Nvidia Shield device that is sending out UPnP broadcasts, is what it looks like. I don't know how you don't have access to your ISP router's interface, you should. On DD-WRT, click on NAT/QoS, then UPnP. It is usually disabled by default, so that should not be the issue. I would contact whoever you need to for getting the login credentials on your ISP gear and check it. Are you running Plex on the Nvidia Shield device? If so, it's a matter of turning off local network discovery:

https://www.reddit.com/r/PleX/comments/aaeqaq/disable_upnp/

I really wish M$ and all these IoT devices wouldn't have this crap turned on by default.


Thanks…. I am running Plex CLIENT on the Nvidia. Plex SERVER is on a NAS off the 192.168.42.0/24 subnet.

SADLY, the local island ISP where I am now does not permit end-user access to their routers. I may just move the shield to the other subnet, but that may need occasionally using VPN passthru tunnels….

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14242
Location: Texas, USA

Posted: Sat Jun 05, 2021 17:17
Then that explains the entries. Well, hopefully your ISP doesn't allow UPnP through their router.
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 555

Posted: Sun Jun 06, 2021 5:55
UPnP is built on multicasting and an ISP cannot forward this on to "the Internet" because all backbone providers filter this out - even if the ISP is stupid enough to actually rebroadcast multicast traffic from end users to their internal network (and still have a functioning network which for an ISP of any size would be impossible) their backbones would ignore it.

I also wish the IoT people would have this crap shut off by default.

However, I wish 1000 times more than that, that people would stop with the chicken-little scare tactics that this traffic "is dangerous" or a security hole. Why are we seeing people freaking out about seeing this traffic on their network in the first place? Oh yeah, it's because they followed some half-azzed guide on the Internet to fire up wireshark and don't know anything about networking.

If your gateway router to the Internet is configured to ignore UPnP traffic, then there is no security hole. Unless of course you deliberately drop malware on to your internal network but if you do that, you have a lot worse problems than UPnP. The security hole aspect is some SOHO routers on the market by default will respond and follow directives from UPnP devices to open port forwards, and the answer is simple - don't use crappy routers to connect to the Internet.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6445
Location: UK, London, just across the river..

Posted: Sun Jun 06, 2021 8:25
tedm Laughing Laughing Laughing then you are free to turn UPnP on and enjoy life...even if you get a $100000 router....it's not a cool idea to have it ON...and nope, not all ISPs are decent and filter traffic like they should, nor do the general users either...and we here are all using DDWRT just because it's not crap, like the stock firmware is...and cannot afford 5-figure-price routers...that could be crap too...as well, people very often have bad internet hygiene and get some malware at some point...so UPnP is not a clever idea to be used, unless there is a need for it and people understand the pros 'n cons of it......

Same as ICMP...being blocked or not, the eternal debate...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Sun Jun 06, 2021 11:25; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14242
Location: Texas, USA

Posted: Sun Jun 06, 2021 11:19
I'd really like to see proof of this. Do you want to know why? Internet printing. IoT. You name it. Please show me how UPnP and multicast and a lot of other things are *not* forwarded out to the internet, oh wise one.
All times are GMT