RyperX
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu May 21, 2015 11:14 am

Need help @ UPnP configuration (not working)

Thu May 21, 2015 11:43 am

Hello!

Since yesterday I have my first MikroTik device and it's working really great.
I already set up some rules and managed most of it with the information on the web ;)

But now I have the problem that I can't get the UPnP feature running.

About my configuration: everything should be default because I used the Quick Set page for the initial configuration.

I enabled UPnP in the UPnP settings and added the interfaces (I know it would be better to make a master/slave config, but this will be my next project ;))
I also tested it with pppoe-out1 as external, but that is also not working.

Image

I read that after enabling UPnP a dynamic NAT rule should be created automatically, but nothing happens for me.
There is only the masquerade rule and my port forwarding rules.

I have version 6.28 installed on my 2011UiAS-2HnD.

Thanks for support.

Best regards
RyperX
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Thu May 21, 2015 12:17 pm

Can you post an IP > Addresses screenshot?

Which device has the public WAN IP assigned? ether1-gateway or pppoe-out1?

For the dynamic NAT rule to be created, an internal application should "negotiate" UPnP. Are you sure that's the case?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
RyperX
Thu May 21, 2015 12:30 pm

I think it's pppoe-out1

Image

I tried the UPnP service with my PS3 (Test Connection is an extra step for UPnP), and on the Windows client I tried to find the router under Network.
 
pukkita
Thu May 21, 2015 2:44 pm

The external UPnP interface should be pppoe-out1 then.
 
RyperX
Thu May 21, 2015 2:51 pm

Sadly it's not working. (Tested with Skype and Plex, for example.)

Do you know what the NAT rule should look like when it's created automatically, or am I wrong about this rule?
When UPnP is working, where can I see the automatically opened UPnP ports?

Filter Rules:
Image
 
pukkita
Thu May 21, 2015 3:28 pm

Yes, you should see the dst-nat rules added at the end of Firewall > NAT
 
RyperX
Thu May 21, 2015 3:34 pm

Mmmh, any idea how I could troubleshoot the problem?
Are there any log files about that, or a way to check that the UPnP service is running correctly?
 
pukkita
Thu May 21, 2015 3:35 pm

Go to System > Logging and add a rule for topic upnp.

You should see something like this when mapping succeeds (here I tested a BitTorrent client's UPnP):

Image
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Thu May 21, 2015 3:44 pm

When this is operational, you need to make VERY CERTAIN that your pppoe-out interface is dropping incoming UPnP packets - UPnP is notoriously insecure, so make sure that only your LAN can use it.

Typically, if the input chain of your firewall has rule1 = allow established,connected connection states, rule 2 = allow icmp rate-limit to like 10/sec (stops flooding but allows basic functionality), and rule 3 = drop everything..... then you'll be safe from UPnP attacks.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
RyperX
Thu May 21, 2015 4:00 pm

Thanks for your input about security. I edited rule #1 with ICMP and set the Limit Rate under Extra to 10/s.
I left Burst at the default of 5. I hope these settings are correct.
Rule #3 is Drop with In. Interface ether1-gateway. Should I switch to pppoe-out1 here?

I still can't get the UPnP feature running.
I activated the logging rule and have now tried to make the Plex Media Server accessible from the web. It's an extra option in the settings. It isn't working and I don't see anything in the log events. The device is connected at ether2.

I only see entries in the log when I change or save the UPnP settings (example: upnp interface removed by admin).

Edit:
I have now googled which port UPnP uses and found out it's 1900, so I tested with the sniffer tool from the Tools functions.
I filtered the connections for UDP port 1900 and my source IP. There are packets when I start the UPnP request on my computer, but nothing happens on the router. Any idea?

Here is the screenshot
Image
 
ZeroByte
Thu May 21, 2015 6:21 pm

> Thanks for your input about security. I edited rule #1 with ICMP and set the Limit Rate under Extra to 10/s.
> I left Burst at the default of 5. I hope these settings are correct.
> Rule #3 is Drop with In. Interface ether1-gateway. Should I switch to pppoe-out1 here?

Yes. Use the actual WAN interface. In fact, change this in every rule wherever it says ether1 - change it to pppoe-out. Ether1-gateway is just a physical port with no IP configuration on it. It's simply a vessel to carry the pppoe frames to/from the pppoe server. As far as IP and the firewall are concerned, ether1-gateway is never even used.

As for the ICMP rule, you might make burst a little higher than 5 - if you do a traceroute or something, it's going to generate more ICMP. I'd say play around and as long as everything's working in normal conditions, then you're fine.

> I have now googled which port UPnP uses and found out it's 1900, so I tested with the sniffer tool from the Tools functions.
> I filtered the connections for UDP port 1900 and my source IP. There are packets when I start the UPnP request on my computer, but nothing happens on the router. Any idea?
>
> Here is the screenshot

Whatever interface is your LAN interface, make sure there's a rule in the input chain which allows all traffic on that interface. Furthermore, if there are rules in output (these are more rare, but they do serve a purpose) then make sure they're not blocking anything heading out-interface= your lan interface

Almost certainly, there's a lan-bridge interface with ports = wlan1 and ether6-master (I sense that you're using a 2011 model). Basically, ether3 - ether5 should have master = ether2, and ether7 - ether10 should have master = ether6
Then the LAN bridge has ports = wlan1, ether2, and ether6.
The LAN bridge is your ACTUAL lan interface.

No firewall rule should mention any of the physical ethernet / wlan interfaces (unless you're using bridge filtering also, but that's more advanced so if you don't know what it is or aren't sure, then you're not). Your firewall should only have rules about interfaces that also have IP addresses on them.

Likewise, the only interfaces you need to enable for UPnP are pppoe-out and the LAN bridge. The physical interfaces are basically just dumb switch ports.
 
RyperX
Thu May 21, 2015 7:13 pm

Yeah! Thanks very much, I changed the internal interface to bridge-local and it works instantly.

At the moment the configuration was 2,3,4,5 separately bridged and 6 master, 7,8,9,10 slave.
I changed it to 2 master, 3,4,5 slave. I will later use eth1 as master, but I have to wait for my SFP.

I don't really understand this bridging and master configuration, but I will check it out ;)

Have a nice day guys.
 
ZeroByte
Thu May 21, 2015 8:50 pm

> Yeah! Thanks very much, I changed the internal interface to bridge-local and it works instantly.
>
> At the moment the configuration was 2,3,4,5 separately bridged and 6 master, 7,8,9,10 slave.
> I changed it to 2 master, 3,4,5 slave. I will later use eth1 as master, but I have to wait for my SFP.
>
> I don't really understand this bridging and master configuration, but I will check it out ;)
>
> Have a nice day guys.

Remember those old Linksys routers that only had 1 WAN port and 1 LAN port?
If you wanted to connect more than one computer, you needed a switch in addition to the router.
The "bridge" interface is like that single LAN port, and the ether2-master, ether3-slave, ether4-slave, ... ports are the switch.

So any configs you put on a master interface (ip addresses, firewall rules, etc) will also apply to all of its slaves.
 
RyperX
Thu May 21, 2015 8:58 pm

Thanks! Okay, I also read that the master/slave configuration is faster than bridging every interface itself.
Is this because in master/slave mode the interfaces communicate directly?
When the interfaces are in bridge mode, do they have to go through the switch for every connection?
 
pukkita
Thu May 21, 2015 9:09 pm

bridge = switch by software, uses CPU. Ports in the same switch group in master/slave will reach wirespeed as the work is done by the switch chip.
 
RyperX
Fri May 22, 2015 10:32 am

Another question about the ethernet1 and pppoe-out1 interfaces.

After I switched the default configuration rules from "In. Interface= ether1" to pppoe-out1, for example the WinBox and SSH connections didn't work from the internet/WAN side. I had to add a rule that allows access to pppoe-out1 for SSH and WinBox. Does this mean that as long as the firewall rule was set to ether1, all connections were going through?

I am only a little bit confused, because when I used the QuickSet option, why isn't WinBox configuring the wrong incoming interface? I know it's not a router for noobs, but this is an important point. Or am I missing something? ;)

Maybe you can check my rules for a moment; are they okay for basic security?
I am a little bit afraid about that now.
 0    ;;; Allow SSH & WinBox
      chain=input action=accept protocol=tcp in-interface=pppoe-out1 dst-port=22,8291 log=no log-prefix="" 

 1    ;;; default configuration
      chain=input action=accept protocol=icmp limit=10,5 log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    ;;; default configuration
      chain=input action=drop in-interface=pppoe-out1 log=no log-prefix="" 

 4    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 5    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1 log=no log-prefix="" 

 7    ;;; drop ssh brute forcers
      chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix="" 

 8    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 log=no log-prefix="" 

 9    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no log-prefix="" 

10    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no log-prefix="" 

11    chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix="" 

12    ;;; drop ftp brute forcers
      chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21 log=no log-prefix="" 

13    chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m log=no log-prefix="" 

14    chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login incorrect log=no log-prefix="" 
Edit:
OK, I read the wiki for some time and found out that the rules are not configured when I use the QuickSetup. The rules are the basic rules you get when you reset the device. ;)

Edit2:
This wiki page helps a lot :D
http://wiki.mikrotik.com/wiki/How_to_co ... er#Filters

With them I am starting to understand these settings and to optimize the rules. At the moment they aren't optimal.
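
An added example (not from the thread or from MikroTik): a small Python model of first-match filter evaluation over the input-chain rules posted above. It shows that a drop rule naming ether1-gateway never matches traffic arriving on pppoe-out1, and that rule 0 accepts WAN SSH before the ssh_blacklist drop in rule 7 is reached; the function names and packet dictionaries are constructed for illustration.

```python
# Added illustration, not RouterOS code: first-match evaluation over a subset
# of filter matchers (the ICMP rate limit is not modelled). Forward-chain rules
# 4-6 and the list-building rules 8-11 from the post are left out.

def rule(idx, action, **match):
    return {"idx": idx, "action": action, "match": match}

def build_input_chain(wan, allow_mgmt=True):
    """Input-chain rules 0-3 and 7 as posted; `wan` is the in-interface named."""
    chain = [
        rule(1, "accept", protocol="icmp"),
        rule(2, "accept", connection_state={"established", "related"}),
        rule(3, "drop", in_interface=wan),
        rule(7, "drop", protocol="tcp", src_list="ssh_blacklist", dst_port={22}),
    ]
    if allow_mgmt:  # rule 0: allow SSH & WinBox from the WAN side
        chain.insert(0, rule(0, "accept", protocol="tcp", in_interface=wan,
                             dst_port={22, 8291}))
    return chain

def matches(match, pkt):
    for key, want in match.items():
        if key == "src_list":
            if want not in pkt.get("lists", set()):
                return False
        elif isinstance(want, set):
            if pkt.get(key) not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(chain, pkt):
    """Return (action, rule index) of the first matching rule."""
    for r in chain:
        if matches(r["match"], pkt):
            return r["action"], r["idx"]
    return "accept", None  # no rule matched: a built-in chain accepts the packet

# Constructed packets: on a PPPoE uplink the firewall sees in-interface=pppoe-out1.
WINBOX_FROM_WAN = {"protocol": "tcp", "in_interface": "pppoe-out1",
                   "dst_port": 8291, "connection_state": "new"}
LISTED_SSH_FROM_WAN = {"protocol": "tcp", "in_interface": "pppoe-out1",
                       "dst_port": 22, "connection_state": "new",
                       "lists": {"ssh_blacklist"}}

if __name__ == "__main__":
    for wan, mgmt, pkt in [("ether1-gateway", False, WINBOX_FROM_WAN),
                           ("pppoe-out1", False, WINBOX_FROM_WAN),
                           ("pppoe-out1", True, LISTED_SSH_FROM_WAN)]:
        print(wan, mgmt, evaluate(build_input_chain(wan, mgmt), pkt))
```

In this model, placing the blacklist drop ahead of the SSH accept, or removing the WAN-side accept, is what lets rule 7 take effect for traffic from pppoe-out1.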
 
chrisjenx
just joined
Posts: 4
Joined: Sat May 24, 2014 8:37 pm

Sat Dec 19, 2015 7:36 pm

I don't want to re-open an old topic, but I was having similar issues and after reading through carefully in regards to using "bridge-local" and "pppoe-out" over the physical ports, everything started working instantly.

Thanks all!
 
ZeroByte
Fri Jan 15, 2016 11:38 pm

> I don't want to re-open an old topic, but I was having similar issues and after reading through carefully in regards to using "bridge-local" and "pppoe-out" over the physical ports, everything started working instantly.
>
> Thanks all!

The key point is this: If you're specifying an interface in an IP feature such as firewall filters, nat rules, dhcp server, etc - then use the name of an interface that actually has an IP address configured on it.

PPPoE is the IP interface, so ether1 is not the IP interface anymore, which is why a filter or nat rule won't work if you specify ether1 as the interface. The only thing ether1 sees any more are these "boxes" with "pppoe" stamped on them. It's the PPPoE interface that "loads and unloads the boxes."