what happens if I disable UPnP?

[SwampKracker]

I don't think we would be having this conversation if upnp was well implemented. Maybe it is fine today. But that was not always the case. Otherwise, there would be no question as to its security or lack of.

It was created to make something easier for the masses, not to make anything more secure.

 

[GuruGuy]

Hi,
I read everywhere that it's a big secuiry hazard!
So please if disable will I be still able to use:
- my email program
- torrent client
- skype (or other communicaion app)
- gaming console (nintentdo or sony)
- nzbget
- other programs that I might have forgotten
?

If not, is it all about finding what ports these programs use and then port-forward them?
Is there another elegant solution to that will let me keep upnp switched on with the devices I trust? (but it still seems dangerous to me!).

Thanks for input

In the news today: https://arstechnica.com/information...g-on-a-5-year-old-upnp-bug-in-broadcom-chips/

 

[ColinTaylor]

In the news today: https://arstechnica.com/information...g-on-a-5-year-old-upnp-bug-in-broadcom-chips/

Already reported multiple times in these forums. Old news really, and not relevant to us as Asuswrt doesn't use Broadcom's UPnP code (as pointed out by RMerlin 5 years ago). Note that their list of detected infected devices didn't include any Asus models.

 

[RamGuy]

The source of the misconception is the fact that people for some reason misinterpret NAT as some kind of firewall or security feature when it's clearly not and was never designed to be such a thing. NAT (or NATv4 as it's being referred to these days) was something we was forced to start using because we started to run out of IP-addresses in all the public IPv4 address scopes. As a result of not having enough public IPv4-addresses to go around NAT became a thing as it would let private and corporate networks to utilise the same private IPv4-scopes behind a one or a few public IPv4-addresses. So instead of providing each and every client and device their own public IPv4-address, you could instead provide them with a single one whereas the router would have to utilise NAT in order to translate the traffic going to and from this singe address to multiple client and devices hiding behind it.

This had never anything to do with security or firewalls. But of course it automatically created something people would relate to as a secure feature as devices hiding behind your router did not have any directly accessible IPv4-address so unless you created translation rules on your router there was no longer a way for external traffic to reach your local devices as they had no way of communicating without having NAT-rules on your router translating the inbound and outbound traffic to work through your public IPv4-address. But again, NAT was never designed as a security feature and has nothing to do with firewalling anything.

What UPNP is trying to do is to automate the process of NAT. As people tend to get more and more clients and devices, and especially home users tend to not have access to a public IPv4-address scope so they are limited to a single public IPv4-address solutions like UPNP became of vital importance in order to make sure traffic would actually work. By default all home routers will have automatic outbound NAT-rules that allows for all outbound traffic (traffic going from your internal clients to the Internet) to be automatically hidden behind your public IPv4-address. So when your computer on 192.168.1.10 try to reach Google DNS on 8.8.8.8 your router will already have NAT rules that says traffic from this 192.168.1.10 private IPv4-address that wants to reach this 8.8.8.8 public IPv4-address will be able to do so by being translated into the public IP-address of your router. That's how you are automatically able to communicate with the outside world using your client with a private IPv4-address.

For inbound connections on the other hand it starts to become more difficult. By default your home router will not automatically allow for inbound connections through NAT. Why is that? It's not because of security, its because of compatibility. Inbound connections are traffic originating from the outside (public IPv4-addresses) that is trying to reach something on your private network (private IPv4-addresses) but as the traffic is originating from the outside, so let's say Google tries to initiate traffic towards your computer (192.168.1.10) from the public IPv4-address 8.8.8.8 all it really knows is that you are sitting behind your public IPv4-address. It has no way of knowing anything about your internal network. So it all it does it send traffic to your public IPv4-address which is the WAN-address on your router. From here your router will have to make sure this traffic is handled correctly. But there is no way for your router to know what device in your private network that Google (8.8.8.8) is trying to reach. This is where inbound NAT rules comes into to play. In order to make sure this traffic will be working and reach its intended destination you will have to have a NAT rule (inbound NAT rules on consumer routers is often labelled as port forwarding) that tells your router that hey if someone is trying to reach me send this traffic to 192.168.1.10. So with this NAT rule your router knows that if 8.8.8.8 is sending traffic on your public IPv4-address this is to be translated into reaching your local client on 192.168.1.10.

But normally you don't want to have all traffic to be translated into a single device on your private network. That's why we are using specific ports in the translation rules, so you can translate specific traffic that is traversing on specific networking ports to reach different devices. So if you have a Web-Server you would normally have HTTP (port 80) and HTTPS (port 443) translated into reaching the private IPv4-address of your Web-Server. And for Xbox Live which is using port 3074 you would have a inbound NAT rule telling that all incoming traffic on port 3074 to be translated into whatever is the private IPv4-address you have on your Xbox etc..

There is no where for your router to automatically know what devices is supposed to get the incoming traffic unless the traffic is initiated from inside your private network. Therefore all these inbound rules has to be created manually, and two different devices can not have rules using the same port as the router would not know whether to send the traffic to device A or B.


This is where UPNP comes into play. What UPNP does is that it gives your local devices the capability of telling your router what inbound rules they will be needing for traffic to flow correctly. So if you have a Xbox for instance, it could tell your router that "Hey! I will need you to send all public traffic on port 3074 to me, otherwise my Xbox Live won't work" and with UPNP the router will do so and open a temporarily NAT rule saying that incoming traffic on port 3074 will now be sent to whatever is the private IPv4-address of your Xbox.

As a result you won't have to create any rules manually as UPNP handles this automatically. The argument against UPNP is that you might lose control of what is allowed through your NAT. If you have a rogue device on your network, there is nothing stopping it from creating NAT rules allowing for inbound traffic reaching it. When not using UPNP you would have to handle it all manually. It also allows for several devices to work with inbound traffic even though they rely on the same port.


A problem with UPNP gaming is how NAT filtration is being done on the router. Most will have restrictions where inbound connections are only allowed if they originate from the same public IPv4-address as your lets say your Xbox was using when utilising UPNP. So if your Xbox is using UPNP in other to allow for incoming traffic from 8.8.8.8 on port 3074 the automatically created inbound NAT rule will ONLY allow for incoming traffic from 8.8.8.8 on port 3074. This is known as symmetrical NAT filtration. This is when the crated NAT-rule will be strict and only allowing from incoming traffic from the same IP and port as was used as the destination from your local device utilising UPNP.

The problem that might occur then is when Microsoft, Sony, Activation or whatever expects your NAT rule to behave as a manual port forward, which it won't be when utilising UPNP on a device with strict NAT filtration. A manual port forward will translate ALL INCOMING TRAFFIC, so if you have a port forward telling all public traffic on port 3074 is going to be translated into the IPv45-address of your Xbox it won't care if the traffic comes for 8.8.8.8, 8.8.4.4 or whatever. All traffic hitting your WAN-address will be translated by your router and sent to your Xbox. When you are using UPNP and have strict NAT-filtration this is no longer the case, the UPNP rule will only allow for incoming traffic originating from the same IP and port as was used by your Xbox when creating the mapping. So in this example it would allow for traffic from 8.8.8.8 on port 3074, but when 8.8.4.4 is trying to send you traffic on port 3074 it will be dropped.

As many gaming services, like Call of Duty for instance is sending you incoming traffic from many different public IPv4-address the UPNP will not be efficient in order for this to work. This is where Open NAT filtration, aka Full-Cone-NAT comes into play which is a less secure form of NAT filtration what makes it so that everything done by UPNP behaves just like a manual port forward. It doesn't care if the incoming traffic originates from the same IP it will still be sent to your Xbox.


All this is why IPv6 is so much more preferable.. Then you won't have to deal with NAT and all it's quirks and limitations. But unless you have no requirement of traffic originating from public IPv4-addresses to be able to reach your local devices you will be able to live without UPNP. But if you have something that would require inbound NAT rules in order for the to work will either have to create the required rules manually (port forwarding) or have UPNP activated so the process is done automatically. And even then it's not guaranteed to work ref my previous description of how strict and open NAT filtration handles the traffic.

 

[Grisu]

@RamGuy: Thanks for this very good explanation!

I think you wrote it from business perspective not applicable to our home networks with many unknown devices
In fact we dont know how well done our clients and their firewalls are programmed, so it really is a security issue to use UPNP or any other kind of forwarding to those clients.

Some more open questions from my side are:
Which way will a Asus router open a port with UPNP, symmetrical or full-cone-NAT?
Or does it depend on the kind of request sent by the client?
Is it temporarily opened, for a given time like DHCP lease, unlimited or how else is this handled?

 

[ColinTaylor]

Which way will a Asus router open a port with UPNP, symmetrical or full-cone-NAT?
Or does it depend on the kind of request sent by the client?

Unless you have one of the routers that has the option for Symmetric NAT it will be a Full Cone type.
Correction: A UPnP forwarded port is always a Full Cone type (see posts 32, 33 and 35).

Is it temporarily opened, for a given time like DHCP lease, unlimited or how else is this handled?

It is the responsibly of the application to remove any forwarding rules that it has created once it has finished. That said, miniupnpd can set the maximum lifetime of a port mapping, which is usually 24 hours.

 

[john9527]

Unless you have one of the routers that has the option for Symmetric NAT it will be a Full Cone type.

I think you may have that backwards? ???

 

[ColinTaylor]

I think you may have that backwards? ???

Hmmm.... What I would call Full Cone NAT is the same as a "normal" manually forwarded port. i.e. One where any external client can connect to the WAN IP/port and be forwarded to the internal device. I would call it Symmetric NAT when only one external client can connect to the WAN IP/port and only after having first received data from the internal device.

I'm using the terminology here as I understand it.

 

[sfx2000]

Hmmm.... What I would call Full Cone NAT is the same as a "normal" manually forwarded port. i.e. One where any external client can connect to the WAN IP/port and be forwarded to the internal device. I would call it Symmetric NAT where the only one external client can connect to the WAN IP/port and only after having first received data from the internal device.

I'm using the terminology here as I understand it.

Full Cone is basically Static NAT...

Symmetric NAT is pretty close to Static NAT - so that's ok...

 

[john9527]

Full Cone is basically Static NAT...

Symmetric NAT is pretty close to Static NAT - so that's ok...

Full Cone NAT was just added to the HND platforms,,,,the ability to forward from any source. Prior upnp only accepted forwards from the original connection. At least that's my understanding.

 

[sfx2000]

Full Cone NAT was just added to the HND platforms,,,,the ability to forward from any source. Prior upnp only accepted forwards from the original connection. At least that's my understanding.

Only folks that really need to be concerned with various NAT flavors is the gaming consoles.... which at the end of the day, is a client issue, not a router concern...

 

[ColinTaylor]

Full Cone NAT was just added to the HND platforms,,,,the ability to forward from any source. Prior upnp only accepted forwards from the original connection. At least that's my understanding.

Yes that's confusing.

Consider this: My RT-AC68U is running your firmware. I start up a BitTorrent client and it uses UPnP to forward port 6881 to itself. According to your theory nobody can connect to this port unless I contact them first . This is a) not true and b) would be useless for any kind of server. How many NAS' use UPnP to enable remote access to them?

P.S. I just checked from canyouseeme.org and port 6881 is open as far as it is concerned.

 

[ColinTaylor]

Full Cone NAT was just added to the HND platforms,,,,the ability to forward from any source. Prior upnp only accepted forwards from the original connection. At least that's my understanding.

OK I had to go back to this thread to remind myself. IIRC the "Full Cone NAT" option on HND is refering to the normal NAT function of the router, not the UPnP function. Normally the router's NAT is a Port-restricted cone NAT.

 

[john9527]

Normally the router's NAT is a Port-restricted cone NAT.

I actually liked this explanation from @RamGuy
https://www.snbforums.com/threads/upnp-not-working-with-ac68-and-xbox-one.49899/#post-444129

 

[ColinTaylor]

I actually liked this explanation from @RamGuy
https://www.snbforums.com/threads/upnp-not-working-with-ac68-and-xbox-one.49899/#post-444129

Whilst I agree with almost everything he said I disagree with his assertion that Asus' UPnP port forwarding is "symmetrical" for the reasons I gave in post #32.

 

[horizonbrave]

thank you all, the discussion got really interesting.. but beyond my basic networking understanding.
My home network, as most I guess, has many unknown devices (guests, unsecured computers and so on) and perhaps few gadget/devices that can't be trusted.
Would UPnP be a security hazard? All of these not-trusted device will open router on the ports.. isn't that a big internal attack vector? Or routers in general are able to "sandbox" those open ports to those specific IP without risks for the network?
And as @ColinTaylor said disabling UPnP and port-forwarding represent a static open route for attacks as well.
Isn't there any way to create a sub-net of trusted device able to use UPnP and block the other from using it?
I've got zero netsec knowledge so I'm pretty sure to sound silly
Thanks for help and contributions so far!

 

[ColinTaylor]

@horizonbrave What you're asking for is similar to what the WiFi guest network does. Obviously it only applies to wireless devices, but it stops them from being able to access your trusted LAN. You can also set it to AP Isolated (in John's firmware, don't know about Merlin) which isolates the guests from each other. Also, a client attached to the guest network can't use UPnP. That may be a hindrance or a help depending on your requirements.

Once you get beyond a fairly basic "one size fits all" kind of scenario, where some devices can or can't use UPnP, and some devices can or can't access the LAN, etc. you've gone beyond what the router was designed for. Asus are marketing it at home users with minimal networking knowledge. If you need to setup segregated networks, ACL's, VLANs, etc. then there are other devices more suitable.

 

[MarkyPancake]

I've always left UPnP enabled on routers I've had without any issues so far. I found that multiple online gaming consoles just work without NAT issues with UPnP enabled (Open NAT) and particularly if you have more than one of the same type of console. You can't use port forwarding on more than one console at a time, so can't get an Open NAT on more than one with port forwarding. So, you don't really have a choice but to use UPnP if you want an Open NAT on multiple consoles at the same time.

 

[umarmung]

https://www.snbforums.com/threads/casthack-aka-what-does-pewdiepie-and-upnp-have-in-common.54301/

 

[CriticJay]

https://www.snbforums.com/threads/casthack-aka-what-does-pewdiepie-and-upnp-have-in-common.54301/

I suspect that the more recent ASUS routers (like AC86U) are not affected by this bug.

Also, I suspect that in a well-designed router like the AC86U you can safely disable UPnP and not impact Chromecast functionality.

As a test, I disabled UPnP on my AC86U (firmware 45149) last night, and was able to use my Chromecast and Google Home without any issues.