Hi, I would like to block UPnP for two LAN IP addresses but I don't understand how to do it ...
I tried to block port 5000 TCP/UDP with chain input and forward but it still works, do I have to block others ports or protocols?
Thanks
Re: How to block UPnP for some LAN clients
Unless something changed, it should be 1900/udp and 2828/tcp, see viewtopic.php?p=645929#p645929.
Re: How to block UPnP for some LAN clients
Thanks Sob, unfortunately UPnP continues to work ...
Re: How to block UPnP for some LAN clients [SOLVED]
I did quick test with current 7.3.1 and it's the same as it was before, ports didn't change. When I block them, I see that they drop packets and UPnP client no longer works.
Although I'd probably rather use whitelist:
And allow_upnp list would be filled by DHCP server, using static leases:
Code: Select all
/ip firewall filter
add action=drop chain=input dst-port=1900 protocol=udp src-address=192.168.x.x
add action=drop chain=input dst-port=2828 protocol=tcp src-address=192.168.x.xCode: Select all
/ip firewall filter
add action=drop chain=input dst-port=1900 protocol=udp src-address-list=!allow_upnp
add action=drop chain=input dst-port=2828 protocol=tcp src-address-list=!allow_upnpCode: Select all
/ip dhcp-server lease
add address=192.168.x.x mac-address=xx:xx:xx:xx:xx:xx address-lists=allow_upnpRe: How to block UPnP for some LAN clients
Many thanks Sob, I was using src-port instead of dst-port 
PS. In my case I see packets only on port 1900 UDP
You are right is the best solution!Although I'd probably rather use whitelist
PS. In my case I see packets only on port 1900 UDP
Re: How to block UPnP for some LAN clients
There are two steps, first uses port 1900 and only if it succeeds, then it continues with 2828. You can test it if you allow 1900 and block only 2828, then you'll see that one blocking packets.
Who is online
Users browsing this forum: panayi and 38 guests