Community discussions

MikroTik App
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

UPnP port blocking

Fri Oct 02, 2015 5:14 pm

Hi Guys,

Had a query and wondered if anyone else had encountered this and might have a suggestion / solution.

I've use UPnP on some customer facing routers to allow devices like xboxes, playstations etc to perform port mapping and get online. As part of this I've always added some dst-nat action=accept rules that prevent any router ports we use from being accidentally mapped by UPnP to internal users (21,22,23,80,443,8291,1812,1813 etc).

This however presents a problem for the UPnP enabled devices. If a device/service maps port 80 and is told by UPnP that this mapping has succeeded, then it expects that the port forward should be setup and working even though my static rules (which sit above the dynamic rules created by UPnP) aren't allowing them to.

Additionally; in the event there is a static port forward on the router for something like UDP/3074 (for an xbox) and another xbox is connected; it won't know about this and still try and map and use the port; while if both xboxes are simply using UPnP the first one will get 3074, the second will see that it is in use and pick another port (normally a random high port).

Which brings me to my question: Is there a way to make certain UPnP port mappings unavailable via MikroTik? I've tried creating static rules, drop rules; all of them *work* but there doesn't seem to be any coherence between UPnP and the port forwards already in place; so it will try and double up on them.

Lastly, the why: Why not just have each device use UPnP and don't use the port forwards? For starters as mentioned above; I need to be able to protect the router ports from being forward to an internal user. Secondly the basis behind this requirement is that some users are behind a second router on a private network; essentially creating a double-nat situation that I'd like to be able to address programatically. If I could check for UPnP mappings on routers onsite and block ports that are already in use; this would allow for multiple console devices to be connected and map ports through from the core device all the way back to the users console; allowing them open NAT connectivity with no additional configuration on their end.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: UPnP port blocking

Fri Oct 02, 2015 11:07 pm

Hi Guys,

Had a query and wondered if anyone else had encountered this and might have a suggestion / solution.

I've use UPnP on some customer facing routers to allow devices like xboxes, playstations etc to perform port mapping and get online. As part of this I've always added some dst-nat action=accept rules that prevent any router ports we use from being accidentally mapped by UPnP to internal users (21,22,23,80,443,8291,1812,1813 etc).

This however presents a problem for the UPnP enabled devices. If a device/service maps port 80 and is told by UPnP that this mapping has succeeded, then it expects that the port forward should be setup and working even though my static rules (which sit above the dynamic rules created by UPnP) aren't allowing them to.

Additionally; in the event there is a static port forward on the router for something like UDP/3074 (for an xbox) and another xbox is connected; it won't know about this and still try and map and use the port; while if both xboxes are simply using UPnP the first one will get 3074, the second will see that it is in use and pick another port (normally a random high port).

Which brings me to my question: Is there a way to make certain UPnP port mappings unavailable via MikroTik? I've tried creating static rules, drop rules; all of them *work* but there doesn't seem to be any coherence between UPnP and the port forwards already in place; so it will try and double up on them.

Lastly, the why: Why not just have each device use UPnP and don't use the port forwards? For starters as mentioned above; I need to be able to protect the router ports from being forward to an internal user. Secondly the basis behind this requirement is that some users are behind a second router on a private network; essentially creating a double-nat situation that I'd like to be able to address programatically. If I could check for UPnP mappings on routers onsite and block ports that are already in use; this would allow for multiple console devices to be connected and map ports through from the core device all the way back to the users console; allowing them open NAT connectivity with no additional configuration on their end.
I too would like to see some ability to control/restrict UPNP
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

UPnP port blocking

Sat Oct 03, 2015 9:03 am

I have decided to disable upnp and I do the port mappings manually when really necessary. Only by this approach I have the control over it. I see very dangerous to let any application on whatever device in the network to open a hole inside on its own. But maybe you don't care.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Sat Oct 03, 2015 9:07 am

That's why I only use it at home... [GRINNING FACE WITH SMILING EYES]

Sent from my SCH-I545 using Tapatalk
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: UPnP port blocking

Sat Oct 03, 2015 9:41 am

a nasty solution is to change the mikrotik port on that services conflicting
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: UPnP port blocking

Wed Oct 07, 2015 9:33 am

I have decided to disable upnp and I do the port mappings manually when really necessary. Only by this approach I have the control over it. I see very dangerous to let any application on whatever device in the network to open a hole inside on its own. But maybe you don't care.
That is true but in this case the reason for using UPnP is simply due to lack of public IPv4 resources; we want users to be able to map public ports into their local routers for consoles and even to be able to temporarily host their own services if they want.

MikroTik can't do CGNAT yet though so until such time we're stuck trying to make this work :-)
 
User avatar
omega-00
Forum Guru
Forum Guru
Topic Author
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: UPnP port blocking

Wed Oct 07, 2015 9:36 am

a nasty solution is to change the mikrotik port on that services conflicting
That's fine for services on those ports but the problem I'm running into is like this; say I have 4 users with Xbox's on a site; each behind their own router which is in turn behind the core router. Normally if they had public IP addresses on the router a simple UPnP port map for UDP/3074 gets them open NAT and access to join any game server through Xbox live.

Now compare this to the setup available, where even if they use UPnP they only get port 3074 mapped locally; and me mapping port 3074 locally to one of them means all the others lose out.
 
Puppa
just joined
Posts: 2
Joined: Mon Nov 30, 2015 9:50 pm

Re: UPnP port blocking

Mon Nov 30, 2015 10:14 pm

Don't forget that, if available on your customer's network/ISP, IPv6 eliminates the need for NAT/UPnP. If addresses are available, configuring IPv6 will completely get around the NAT port-sharing issue (solved it for me on my just-purchased CCR Routerboard--no more strict NAT).
 
amokkatmt
newbie
Posts: 33
Joined: Mon Oct 24, 2011 3:31 pm

Re: UPnP port blocking

Thu Dec 17, 2015 5:09 pm

For anyone looking for solution to protect mikrotik itself from upnp port override is like this:
/ip firewall nat
add action=return chain=dstnat dst-address-type=local dst-port=21 protocol=tcp
add action=return chain=dstnat dst-address-type=local dst-port=22 protocol=tcp
add action=return chain=dstnat dst-address-type=local dst-port=23 protocol=tcp
add action=return chain=dstnat dst-address-type=local dst-port=53 protocol=udp
add action=return chain=dstnat dst-address-type=local dst-port=80 protocol=tcp
add action=return chain=dstnat dst-address-type=local dst-port=161 protocol=udp
add action=return chain=dstnat dst-address-type=local dst-port=8291 protocol=tcp
add action=return chain=dstnat dst-address-type=local dst-port=8728 protocol=tcp
add action=return chain=dstnat dst-address-type=local dst-port=8729 protocol=tcp
But device still does not know that port is already in use unforunatelly.
 
leosmendes
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Fri Jun 20, 2008 1:03 pm
Location: Brazil
Contact:

Re: UPnP port blocking

Mon Dec 21, 2015 3:18 am

hello good night, also made a topic about UPnP and read your interesting thought. really would otimo the possibility of creating a reserve of doors not to be used by UPnP and the possibility of intelligent use of another port if one is already in use by another rule.

Who is online

Users browsing this forum: andreo, syasar and 90 guests