Zoxc
just joined
Topic Author
Posts: 17
Joined: Fri Aug 13, 2021 4:01 pm

UPnP security questions

Sat Sep 11, 2021 11:56 pm

I have some questions about the security of MikroTik's UPnP implementation. It doesn't have much in the way of security options, so I'm wondering which security measures (if any) are implemented or could be configured in some way.

Here are the measures I'm interested in:
  • Preventing devices from opening ports to another device with a different IP.
  • Preventing devices on one internal interface from opening ports to another internal interface. A use case here would be isolated VLANs for apartments. You don't want one apartment to be able to open ports to a different apartment's devices. It seems like the RP filter could perhaps be used in combination with the first measure to achieve this, but I'm not sure when the RP filter gets applied.
  • Whitelisting the devices allowed to open ports. Allowing just your gaming consoles to open ports, and not more questionable IoT devices, would be useful to narrow the attack surface. The first measure again seems to be useful as it would allow you to use firewall rules to filter the devices allowed to open ports.
These concerns would also apply to an eventual PCP implementation.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: UPnP security questions

Sat Sep 11, 2021 11:58 pm

Don't enable UPnP!
 
paintballer4lfe
Frequent Visitor
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Re: UPnP security questions

Tue Nov 16, 2021 4:51 am

+1 this can be useful

My friends who rent out VPS space on my servers are always opening up ports to stream their plex porno collection. This can be helpful to only allow home devices to open up instead of my annoying friends on my servers paying me big bucks for shitty VPS's.
 
TheGreatWanderer
just joined
Posts: 1
Joined: Fri Oct 22, 2021 4:10 am

Re: UPnP security questions

Tue Nov 16, 2021 4:54 am

Don't enable UPnP!
This statement may lead to angry gamer noises for casual home users interested in using Mikrotik.

Anyways, I don't see UPnP secure mode as a feature in Mikrotik yet. It's mainstream on software routers running miniupnpd. I'd love to see at least UPnP Secure Mode and NAT-PMP in the future since it makes life much easier as a home user. It's a nice step up in security as well.
 
Zoxc
just joined
Topic Author
Posts: 17
Joined: Fri Aug 13, 2021 4:01 pm

Re: UPnP security questions

Thu May 26, 2022 6:38 pm

I did verify that RouterOS 7.2.3 does not contain any such security measures. This means that UPnP must not be used at all if subnets / VLANs are isolated for security purposes. A subnet with UPnP access can open ports to other subnets.
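
The three measures listed in the first post, written out as the check an IGD daemon would have to run on each AddPortMapping request. This is an added example, not RouterOS or miniupnpd code; the interface names, subnets, allowlist and sample request are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed policy (assumption): one subnet per internal interface, plus
# the hosts that are allowed to request port mappings at all.
INTERFACE_SUBNETS = {
    "vlan10-apt1": ipaddress.ip_network("192.168.10.0/24"),
    "vlan20-apt2": ipaddress.ip_network("192.168.20.0/24"),
}
ALLOWED_REQUESTERS = {ipaddress.ip_address("192.168.10.50")}  # e.g. a console


def internal_client(soap_body: str) -> str:
    """Return the NewInternalClient argument of an AddPortMapping body."""
    # Stdlib parser keeps the example self-contained; untrusted XML in
    # production should go through a hardened parser.
    for elem in ET.fromstring(soap_body).iter():
        if elem.tag.rsplit("}", 1)[-1] == "NewInternalClient":
            return (elem.text or "").strip()
    raise ValueError("no NewInternalClient argument")


def check_mapping(source_ip: str, in_interface: str, soap_body: str):
    """Return (allowed, reason) for a request received on in_interface."""
    src = ipaddress.ip_address(source_ip)
    try:
        target = ipaddress.ip_address(internal_client(soap_body))
    except (ValueError, ET.ParseError):
        return False, "malformed request"
    subnet = INTERFACE_SUBNETS.get(in_interface)
    # Measure 2: the requester must belong to the interface it arrived on.
    if subnet is None or src not in subnet:
        return False, "source not valid for interface"
    # Measure 1: a host may only map ports to its own address.
    if target != src:
        return False, "target differs from requester"
    # Measure 3: only allowlisted hosts may open ports.
    if src not in ALLOWED_REQUESTERS:
        return False, "requester not allowlisted"
    return True, "ok"


def sample_request(client: str) -> str:
    """Constructed AddPortMapping body, trimmed to the relevant arguments."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:AddPortMapping '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "<NewExternalPort>32400</NewExternalPort><NewProtocol>TCP</NewProtocol>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
```

Measures 1 and 2 only hold together: the own-address check stops cross-subnet mappings only if the source address itself is validated against the receiving interface.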
