UPnP: Only allow certain clients possible?

[Badlandz]

How can I enable UPnP for only certain IPs on my LAN? Basically, I want to allow for multiple gaming consoles to access UPnP but deny it for everything else. Port Forwarding/Triggering/DMZ is not really an option, as it seems UPnP must be enabled to allow for Open NATs on multiple consoles in the same game.

 

[mstombs]

The firmware uses miniupnpd to provide upnp services, this is highly customizable see the source documentation for the config file

https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.conf#L131

And you can add/change/replace the conf file in the firmware

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

 

[Badlandz]

The firmware uses miniupnpd to provide upnp services, this is highly customizable see the source documentation for the config file

https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.conf#L131

And you can add/change/replace the conf file in the firmware

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

Thanks for pointing me in the right direction.
I think I found the config file for upnp located in: /tmp/etc/upnp
Is this the file that needs copied and altered to /jffs/configs/upnp

I am only concerned about the last few lines:

current:
allow 1024-65535 192.168.1.1/255.255.255.0 1-65535
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535

Will changing it to this allow only ips 192.168.1.3 to 192.168.1.6?
allow 1024-65535 192.168.1.3 1-65535
allow 1024-65535 192.168.1.4 1-65535
allow 1024-65535 192.168.1.5 1-65535
allow 1024-65535 192.168.1.6 1-65535
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535

 

[Badlandz]

What is the nvram variable: vts_upnplist=

When I use the command: nvram show | grep upnp
I get:

vts_upnplist=
upnp_max_lifetime=86400
upnp_ssdp_interval=60
upnp_clean=1
upnp_clean_interval=600
upnp_port=0
upnp_min_port_int=1024
size: 44803 bytes (20733 left)
wan0_upnp_enable=1
wan1_upnp_enable=1
wan_upnp_enable=1
upnp_max_port_int=65535
upnp_clean_threshold=20
upnp_min_port_ext=1
upnp_enable=1
upnp_max_port_ext=65535
upnp_min_lifetime=120
upnp_secure=1
upnp_mnp=1

Is there any way to set specific ips allowed for upnp via nvram?

 

[RMerlin]

What is the nvram variable: vts_upnplist=

Probably a leftover from before Asus switched to miniupnpd. Nothing uses it in the firmware.

 

[Badlandz]

Thanks to all involved with this project; RMerlin and co.
I was able to achieve this via the jffs/configs overide feature.

 

[mstombs]

Thanks for pointing me in the right direction.
I think I found the config file for upnp located in: /tmp/etc/upnp
Is this the file that needs copied and altered to /jffs/configs/upnp

I see the documentation in a bit brief the upnp config file is called "config" in a folder called upnp, looks like you need to experiment with jffs replacements!

I am only concerned about the last few lines:

current:
allow 1024-65535 192.168.1.1/255.255.255.0 1-65535
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535

Will changing it to this allow only ips 192.168.1.3 to 192.168.1.6?
allow 1024-65535 192.168.1.3 1-65535
allow 1024-65535 192.168.1.4 1-65535
allow 1024-65535 192.168.1.5 1-65535
allow 1024-65535 192.168.1.6 1-65535
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535

The documentation suggests you need to add netmask, unless miniupnp automatically defaults to 255.255.255.255 which should mean just the one IP, I can't see how you can group just the ones you want in one line.

I can remember encouraging Tomato devs to switch to miniupnp years ago, it was much more flexible than proprietary versions!

 

[Badlandz]

I see the documentation in a bit brief the upnp config file is called "config" in a folder called upnp, looks like you need to experiment with jffs replacements!



The documentation suggests you need to add netmask, unless miniupnp automatically defaults to 255.255.255.255 which should mean just the one IP, I can't see how you can group just the ones you want in one line.

I can remember encouraging Tomato devs to switch to miniupnp years ago, it was much more flexible than proprietary versions!

Yes, the config file was located in the path: /tmp/etc/upnp/

I did not use one line, I added a seperate allow rule for each ip with no netmask.

It is quite possible I did something wrong and noted the comment under UPnP permission rules states: CAUTION: failure to enforce any rules may permit insecure requests to be made! (I hope not!)

In my testing, it seems to have worked and can confirm in the syslog that ports from those ips are being forwarded through the VUPNP chain and that I am using the custom config:
Nov 28 10:27:06 custom config: Using custom /jffs/configs/upnp config file.

My knowledge of bash/linux is next to nothing and just recently attempted to do something I wanted with the resources from snb, github, and other online resources.

Should I add /255.255.255.255 netmask to the allow rules? Is only one allow line allowed? I certainly don't want insecure requests to be made.

Please correct me if I am wrong. I'm a tiny fish in a big pond here.

 

[mstombs]

If it all works then it is fine, I have checked the source-code it accepts multiple allows and defaults to /255.255.255.255 or /32 . I also found the 7 year old thread when I last worked on this!

http://www.linksysinfo.org/index.php?threads/miniupnpd-with-nat-pmp-for-tomato.28050/

 

[Nazgulled]

Would love to know how to do this too...

However, I have no file/folder at /tmp/etc/upnp...