[RT-AX86U] Merlin 386.1 - Unable to completely disable upnp

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

DiscoSi

Occasional Visitor
Hi,

I've recently upgraded from a RT-AC86U to RT-AX86U. No matter what I've tried I can't seem to get upnp to switch off: it's off in the web interface but I still get entries showing in UPNP, NAT-PMP and PCP forwards under port forwarding. I've never had this with my AC86U, it just seems to be on the AX86U that upnp isn't being turned off by the setting in the web interface.

I've done a WPS reset and then wiped jffs and factory reset.

I've tried editing /etc/upnp/config to:

Code:
enable_upnp=no
enable_natpmp=no

and NVRAM setting:

Code:
upnp_enable=0
wan0_upnp_enable=0
wan1_upnp_enable=0
wan_upnp_enable=0
wl0_wmf_ucast_upnp=0
wl1_wmf_ucast_upnp=0
wl_wmf_ucast_upnp=0

I've done nvram commit also so they should stick.

If I stop the upnp service and delete /tmp/upnp.leases the entries all return if I restart the upnp service again. For now I've left the service disabled which stops the upnp mappings coming back, but as soon as I reboot they come back again as the upnp service is started up again.

Like I said, I've never had to do anything other than set upnp to off in the web interface on my RT-AC86U.

Has anyone else had this happen? Really appreciate the help :)

DiscoSi.
 
I have the same experience. My Xbox suddenly showed OpenNAT in games and was listed under "Port Forwarding", but not using uPNP or configured Port Forwarding.
 
Something can't be right here can it?

uPnp Enable is set to NO in the interface, yet I'm seeing 2 ports opened up under port forwarding and checking via SSH I get:
Code:
iptables --list-rules

-A FUPNP -d 192.168.1.xxx/32 -p tcp -m tcp --dport xxxx -j ACCEPT
-A FUPNP -d 192.168.1.xxx/32 -p tcp -m tcp --dport xxxx -j ACCEPT

I've xx'ed out the specifics BUT that's 2 holes punched in the firewall from the inside with uPnP disabled? That shouldn't be possible should it? I've confirmed that the ports are open and the services open from the outside too.... that's kinda scary isn't it? We should be worried here... right?

I'm hoping someone with a bit more knowledge could take a look at this as I only know just about enough to be dangerous lol!

But unless I've got this all wrong, it appears that with uPnP disabled from the web interface it's possible for devices on the inside to open ports in the firewall, how is that happening?

DiscoSi
 
When you have UPnP enabled, the miniupnpd daemon/service will normally be listed in the process list.

Code:
ps | grep [m]iniupnpd

If you disable it, and after a reboot, does it still show it running (because it shouldn't)?
 
Yes, the miniupnpd process is running before and after a reboot with the upnp setting switched off in the interface. I've switched upnp on, rebooted, then switched it off and applied the setting. This is the syslog when I applied it:

Code:
Feb  6 10:03:39 miniupnpd[4859]: shutting down MiniUPnPd
Feb  6 10:03:39 miniupnpd[18479]: HTTP listening on port 53967
Feb  6 10:03:39 miniupnpd[18479]: Listening for NAT-PMP/PCP traffic on port 5351

It looks like upnp stops as instructed but is restarting again?

The port forwards are cleared briefly but return again after a short time.

DiscoSi
 
No that's off but thanks for the suggestion as I hadn't checked it before.

When I get a bit of time later I'm going to revert back to stock firmware and see if it's the same. I'm also going to put my AC86U back to test this as well for my own sanity, to check I'm not doing something really daft!

I had manual port forwarding set up on the AC86U and always kept upnp off with no issues. The main reason I keep it off is that I have a couple of devices on my network that will try and open ports if upnp is on despite it being off in their settings (Dlink webcam). I'd only noticed the issue on my new ax86u by accident as I was about to start setting up the manual port forwarding when I saw a load of entries in the upnp list even though it was turned off.
 
I've been able to confirm that this bug exists in the stock firmware on the RT-AX86U also. Basically the uPnP service cannot be disabled via the web interface.

I've rolled back to Version 3.0.0.4.384.9283 and done a nuclear reset having already tested on Merlin 386.1 after the same reset.

With the uPnP feature switched off in the web interface and the router rebooted, the uPnP process is still running:

Code:
ps | grep pnp
1506 xxxx      2944 S    miniupnpd -f /etc/upnp/config

Using the upnp client on an ubuntu machine connected to the router I can scan and get a response as well as request a port forward. This SHOULDN'T be possible and to my mind is a pretty scary security flaw if the owner of an RT-AX86U isn't vigilant.

Code:
upnpc -a 192.168.50.252 222 2222 TCP
upnpc : miniupnpc library test client, version 2.1.
(c) 2005-2019 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.50.1:37450/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.50.1:37450/ctl/IPConn
Local LAN ip address : 192.168.50.252
ExternalIPAddress = xxxx
InternalIP:Port = 192.168.50.252:222
external xxxx:2222 TCP is redirected to internal 192.168.50.252:222 (duration=0)

The current mitigation is to manually stop the upnp process via a shell login. You need to do this BEFORE any device has created a rule, and I'm unsure as yet if it will remain disabled if any other actions cause the firewall or wan to restart, as these likely call the upnp service also:

Code:
service stop_upnp
 
The problem (or limitation) of that mitigation, however, is if the UPnP server has already established port forwards. Unless you're sure it deletes them once stopped.

And yeah, it is a bit worrisome. I don't even use UPnP, at all. Just don't like the idea of processes opening ports behind my back.

And it's good to let @RMerlin know when you've found a bug.
 
Good point on the rules remaining, they do, so the upnp service needs to be shut down before anything has created a rule. I've edited my message above to reflect that. What's the best way to alert Merlin?
 
Are you disabling UPnP in both places that have UPnP?
1. USB Application > Servers Center > Media Server
2. WAN > Internet Connection
 
Yes. I think the upnp in relation to media servers isn't quite the same thing though, but it's disabled there also anyway.
 
I took a quick look at the code....it looks like enabling GeForceNow (AX86U and GT-AC2900) also enables miniupnpd. Does this apply to your config?

This was interesting... The setting "Enable GeForce NOW QoS UPnP control" seems to be enabled by default, even if not using QoS.

When I disabled it, the following two lines showed up in the log:

Code:
Feb  7 08:21:31 rc_service: httpd 1547:notify_rc restart_upnp;
Feb  7 08:21:31 miniupnpd[2227]: shutting down MiniUPnPd

...and that seemed to solve the problem why ports were opened. Thanks!! :)
 
Great find, thanks @john9527, I can also confirm that switching off the GeForce NOW upnp as well does turn off the upnp service. If either one is on though it keeps running. This should be a lot clearer!!

I've had a read through the user guide for the AX86U on the Asus website and it makes no mention of this either, not an RTFM moment :)

Thanks for the help everyone :)
 
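Because the thread shows two separate toggles (WAN UPnP and the GeForce NOW QoS UPnP control) feeding one miniupnpd instance, the reliable check is not the web UI setting but the observable effects the posters used: the miniupnpd process, ACCEPT rules in the FUPNP iptables chain, and entries in /tmp/upnp.leases. The script below is an added example, not code from this thread or from the Asuswrt-Merlin project. It assumes a BusyBox shell on the router with `ps`, `iptables`, `nvram` and the `/tmp/upnp.leases` path mentioned above; the nvram key behind the GeForce NOW toggle is not named in the thread, so the script deliberately audits effects rather than that setting. The sample `ps`, `iptables -S FUPNP` and lease-file text embedded in it is constructed for the demo, modelled on the posts but not copied from any real device.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether UPnP is really off on an
# Asuswrt/Merlin router by checking the three indicators the thread relies on:
#   1. a running miniupnpd process
#   2. ACCEPT rules in the FUPNP iptables chain
#   3. entries in /tmp/upnp.leases
# Each check reads its input from stdin so it can be exercised on constructed
# samples; audit_live wires the same checks to the real commands on the router.

# Count miniupnpd processes in `ps` output. The [m] bracket trick keeps the
# grep command itself out of the match (plain `grep pnp` lists itself too).
count_miniupnpd() {
    grep -c '[m]iniupnpd' || true
}

# Count ACCEPT rules in the FUPNP chain from `iptables -S FUPNP` output.
# The `--` is needed because the pattern starts with a dash.
count_fupnp_rules() {
    grep -c -- '^-A FUPNP .*-j ACCEPT' || true
}

# Count non-empty lines in the miniupnpd lease file.
count_upnp_leases() {
    grep -c . || true
}

# Verdict: UPnP is effectively off only when all three counts are zero.
# $1 = process count, $2 = FUPNP rule count, $3 = lease count
upnp_effectively_off() {
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

# Print the findings and return 1 if anything is still active.
report() {
    echo "miniupnpd processes: $1"
    echo "FUPNP ACCEPT rules:  $2"
    echo "upnp.leases entries: $3"
    if upnp_effectively_off "$1" "$2" "$3"; then
        echo "RESULT: UPnP is effectively disabled"
    else
        echo "RESULT: UPnP is still active despite the web UI setting"
        return 1
    fi
}

# Live audit on the router (assumes BusyBox ps, iptables and nvram are present).
audit_live() {
    echo "nvram upnp_enable=$(nvram get upnp_enable)"
    procs=$(ps | count_miniupnpd)
    rules=$(iptables -S FUPNP 2>/dev/null | count_fupnp_rules)
    leases=$(cat /tmp/upnp.leases 2>/dev/null | count_upnp_leases)
    report "$procs" "$rules" "$leases"
}

# Constructed sample output (not real captures) shaped like the thread's posts:
# a miniupnpd process plus the grep that found it, two punched holes, two leases.
SAMPLE_PS='  1506 admin     2944 S    miniupnpd -f /etc/upnp/config
  1547 admin     5120 S    httpd
  2001 admin      980 S    grep pnp'
SAMPLE_FUPNP='-N FUPNP
-A FUPNP -d 192.168.1.20/32 -p tcp -m tcp --dport 3074 -j ACCEPT
-A FUPNP -d 192.168.1.20/32 -p udp -m udp --dport 3074 -j ACCEPT'
SAMPLE_LEASES='TCP:3074:192.168.1.20:3074:0:constructed-console
UDP:3074:192.168.1.20:3074:0:constructed-console'

# Offline demo: run the checks over the constructed samples.
demo() {
    procs=$(printf '%s\n' "$SAMPLE_PS" | count_miniupnpd)
    rules=$(printf '%s\n' "$SAMPLE_FUPNP" | count_fupnp_rules)
    leases=$(printf '%s\n' "$SAMPLE_LEASES" | count_upnp_leases)
    report "$procs" "$rules" "$leases" || true
}

case "${1:-demo}" in
    live) audit_live ;;
    *)    demo ;;
esac
```

Run it with no arguments to see the checks on the constructed samples, or `sh upnp_audit.sh live` over SSH on the router after applying the web UI changes and rebooting. A non-zero exit from the live run means the posts' symptom is present; since the thread notes that existing FUPNP rules survive `service stop_upnp`, re-run the audit after stopping the service to confirm the rule and lease counts actually reach zero rather than trusting the setting alone.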
Or maybe when you turn it off in one place (why is it in multiple places anyway), then turn it off in all automatically.
A bit more complicated than that since it's a one-way dependency. GeForce requires Upnp turned on, Upnp on does not require GeForce turned on. So you need to check the order they are activated and keep the current and previous states of upnp to make sure it's set correctly as the options change.
 
I cannot find this setting on my device (AX88U). Does the GeForce setting only exist on certain model series and what exactly does it do? Sorry, two questions.
 
