What's new

minmiupnpd[3989]: No allowed eport for NAT-PMP 49592 tcp->192.168.1.12:443

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

pusb87

Regular Contributor
Can anyone shed some light/insight/resolution to this message i am seeing repeatedly in my system log

miniupnpd[3989]: No allowed eport for NAT-PMP 49592 tcp->192.168.1.12:443

This only seems to have happened recently and as far as i can recall i have not made any changes either to devices or firmware.

This occurs on an RT-AC86U using Merlin 384.12

IP 192.168.1.12 is a WD MyCloud Home ( NAS type device) which I have had for over a year and seems to function normally.

TIA for any help
 
Investigate your NAS. It looks like it's trying open the remote access port for HTTPS. The router's default UPnP settings won't allow this, hence the error message. Looks like the external port is 49592 which should be OK, but the internal port of 443 is not allowed.
 
Last edited:
Investigate your NAS. It looks like it's trying open the remote access port for HTTPS. The router's default UPnP settings won't allow this, hence the error message.
unfortunatley WD do not provide any configuration dashboard and there is little i can do in that respect.

are there any settings in merlin firmware i should check/change ?
 
Unfortunately WD do not provide any configuration dashboard and there is little i can do in that respect.
As far as I can see from the manual WD expects you to configure it through the mobile app. Maybe try that.

https://support-en.wd.com/app/answers/detail/a_id/2392

EDIT: Reading this it sounds like you can't manually select the connection type! Do you want to access/sync your NAS over the internet?

are there any settings in merlin firmware i should check/change ?
What do you have set for the UPNP allowed internal and external port ranges? (WAN - Internet Connection) The maximum port number for each should be 65535.
 
Last edited:
By default, Asuswrt-Merlin will refuse to forward privileged ports (ports below 1024), for security reason. To be able to forward port 443, you will need to adjust the minimum port allowed, on the WAN page.
 
I had to use port trigger instead just to get the sync to work so I didn't have to open the lower ports
 
THnaks for all the replys
As far as I can see from the manual WD expects you to configure it through the mobile app. Maybe try that.

Yes, I have scoured the WD support and forums and i am aware of that but i dont really want to install the mobile app, first i would never use it and secondly because i belive it triggers a firmware update at the moment, which i dont want to do becuase many, many users are complaining about the newer firmware.
What do you have set for the UPNP allowed internal and external port ranges? (WAN - Internet Connection) The maximum port number for each should be 65535.

upload_2019-9-6_16-3-14.png


These are my settings...I have temporarily set secure UPNP mode to NO and have not seen the message since...time will tell.
Would generally the recommned setting be to enable secure mode ?

Do you want to access/sync your NAS over the internet?
No, just over my LAN

By default, Asuswrt-Merlin will refuse to forward privileged ports (ports below 1024), for security reason. To be able to forward port 443, you will need to adjust the minimum port allowed, on the WAN page.
OK so i could change the lower external UPNP port to 443 to prevent the message, ...is their any inherent security risks in doing so, I preume default is 1024 for a good reason ?

I had to use port trigger instead just to get the sync to work so I didn't have to open the lower ports

Syncing of my files on my PC seems to work just fine as it is

thanks to every one who has responded....
 
These are my settings...I have temporarily set secure UPNP mode to NO and have not seen the message since...time will tell.
Would generally the recommend setting be to enable secure mode ?
I would normally recommend that secure mode is enabled because it prevents (potentially malicious) clients from forwarding ports to devices other than themselves (your NAS in this case). So to be safe check what port forwarding rules have been setup on your router (System Log - Port Forwarding).
 
I would normally recommend that secure mode is enabled because it prevents (potentially malicious) clients from forwarding ports to devices other than themselves (your NAS in this case). So to be safe check what port forwarding rules have been setup on your router (System Log - Port Forwarding).
Yes, Id assume secure mode enabled would be recommended, and wrt port forwarding rules I have none !
upload_2019-9-6_16-41-54.png


does that mean im probably OK at the moment leaving secure mode at disabled
 
OK so i could change the lower external UPNP port to 443 to prevent the message, ...is their any inherent security risks in doing so, I presume default is 1024 for a good reason ?
The external lower port number is already set at 1, it's the internal port number that it is objecting to. Most "servers" traditionally use ports below 1024, e.g. web servers, DNS, email, etc. I guess by restricting UPnP's ability to forward to these services you're preventing accidentally (or maliciously) exposing "LAN only" servers to the internet.

does that mean im probably OK at the moment leaving secure mode at disabled
Personally I'd switch back to secure mode and see if the message reappears. Hopefully it won't.

If you still have the error message try this: 1) turn off UPnP on the router, b) shutdown and power off the NAS, c) power on the NAS and wait for it to fully boot up, d) turn on UPnP on the router.

My interpretation of the WD documents is if it can't detect a UPnP server at boot it will fall back to either Proxy Relay or Local Area Network.
 
Last edited:
@ColinTaylor

Ok, many thanks for your help so far...and you spotted my deliberate mistake re external port :oops:

I am away soon for the w/e so will try your suggestions on Monday
 
OK so i could change the lower external UPNP port to 443 to prevent the message, ...is their any inherent security risks in doing so, I preume default is 1024 for a good reason ?

It will ensure that a rogue client won't be able to redirect some critical service ports like SSH without you knowing. To be honest, it's not a major issue in a home environment, but it could be in a business environment. For instance, you might not want your internal mail server (on port 25/587) to be redirected or open to the world without you knowing it. Or SMB network shares.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top