Posted: Wed Dec 15, 2021 16:47 Post subject: UPnP ports stay open
Hi everybody, I hope this is the right section for this topic.
I own a wrt1900acs v2 with build 44715. I have several gaming consoles at home and for this reason I am taking advantage of the UPnP features. It works fine, but I have noticed that some ports are not closed once the console is off, while others are.
For example, I have two Xboxes and when I boot them, the "base" port entry shows up in the UPnP list, and then disappears as soon as the console is off. This doesn't happen for the COD DemonwarePortMapping port, which stays open, and every time I boot the game, the UPnP service opens a new 3075 port with a random WAN port.
The Demonware port is not the only one staying open; even the PlayStation 4 9308 UDP port stays open.
I thought that UPnP kept ports open only when in use. Is this a bug, or is it the intended behaviour for some kinds of ports?
See this screenshot. Is it the same as the UI on 44715? The answer is pretty obvious. The fact remains that uPnP is a huge security hole and risk.
Sorry, but this doesn't help here. UPnP is the only solution to get network translation working fine for several devices. I am not running a bank here, not concerned about top level security.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Wed Dec 15, 2021 18:39 Post subject:
So, deleting all port forwards button doesn't work, is that what you're saying? Clearing all port forwards on startup, either? Might help to be a little more precise in your answers...
So, deleting all port forwards button doesn't work, is that what you're saying? Clearing all port forwards on startup, either? Might help to be a little more precise in your answers...
That button works, but it would be a manual process to do every time I switch device. And clearing on startup, I guess, refers to router startup, so every reboot?
Would be good to see those ports disappear as the device gets disconnected, as it happens for some of them.
Posted: Wed Dec 15, 2021 18:56 Post subject:
I guess someone needs to write a patch to automatically do this... I don't recall if this is the same situation in most all stock firmware implementations of uPnP or not.
From what I read, apparently other stock firmwares have some kind of lease time like DHCP. But I have noticed something strange here: as I said, I have more than one Xbox and the problem is with the Demonware service. So, when I cleared up the ports, the first Xbox I booted up with COD asked UPnP to open port 3075, for LAN and WAN. NAT was open, everything OK here.
When I started the second Xbox, the 3075 was still reserved in the UPnP entries by the first Xbox (even though it was switched off hours earlier), then UPnP opened a 3075 LAN port with a random WAN port (see pics above). This left the same game with moderate NAT.
So far nothing really new, but the interesting thing is that, when I start COD on the first Xbox, the old entry in the list (3075->3075) gets replaced and put at the bottom of the list as newest entry, but still with 3075->3075, resulting in Open NAT again.
This, as you can see from the pics, doesn't happen when the forward is towards a WAN port which differs from 3075; in this case UPnP adds a new port forward with another WAN port, polluting the UPnP list with stuck entries.
If this is not intended, then a new patch should make UPnP overwrite the port forward based on device IP and LAN port. As of now, I think it replaces entries if and only if they are exactly the same (WAN port && LAN port).
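The replacement rule guessed at in the last post, next to the proposed per-device rule, as an added Python model that is not DD-WRT's code or the poster's. The `Mapping` class, the function names, the LAN addresses and the 40001+ fallback WAN ports are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Mapping:
    wan_port: int
    lan_ip: str
    lan_port: int
    proto: str = "UDP"

def add_exact(table, new):
    # Behaviour inferred in the post: only an identical entry is replaced
    # (and re-added at the bottom of the list).
    return [m for m in table if m != new] + [new]

def add_per_client(table, new):
    # Proposed behaviour: a request replaces any older entry for the same
    # LAN IP, LAN port and protocol, whatever its WAN port was.
    key = (new.lan_ip, new.lan_port, new.proto)
    return [m for m in table if (m.lan_ip, m.lan_port, m.proto) != key] + [new]

def simulate(add, boots, lan_port=3075):
    # Each boot asks for WAN port == LAN port; if another host holds that
    # WAN port, the client falls back to a fresh WAN port (constructed
    # sequence 40001, 40002, ... standing in for "random").
    fallback = count(40001)
    table = []
    for lan_ip in boots:
        held_by_other = any(m.wan_port == lan_port and m.lan_ip != lan_ip
                            for m in table)
        wan = next(fallback) if held_by_other else lan_port
        table = add(table, Mapping(wan, lan_ip, lan_port))
    return table

# Constructed boot order: first Xbox, the second Xbox three times, then the
# first Xbox again. Nothing is ever deleted on power-off.
BOOTS = ["192.168.1.10", "192.168.1.11", "192.168.1.11",
         "192.168.1.11", "192.168.1.10"]

if __name__ == "__main__":
    for name, policy in (("exact match", add_exact),
                         ("per client", add_per_client)):
        print(name)
        for m in simulate(policy, BOOTS):
            print(f"  {m.proto} WAN {m.wan_port} -> {m.lan_ip}:{m.lan_port}")
```

In this model the per-device rule stops the list from growing, but the second console still gets a fallback WAN port because the first console's 3075 entry is never removed; only removal on disconnect or a lease timeout would free it.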