Frederick88
newbie
Topic Author
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

UPnP vs Static NAT Rules

Thu Apr 13, 2023 11:02 am

OVERVIEW
RB4011 running ROS 7.8.
Gaming Console that requires open ports for internet related gaming features.
Gaming Console (with static IP) on its own network VLAN90, connected directly to RB4011 ether3 (untagged port, PVID90).

GOAL
Provide necessary open ports for Gaming Console, with as little impact on overall network security as possible.

DISCUSSION
I've used manually added Static NAT rules in the past, which satisfied the Gaming Console. However, I noticed when I did an external port scan of the RB4011, it would show the NAT'ed ports as "no response" instead of the desired status "Stealth".

Have considered UPnP in the past, but read many bad things about it, including certain router vendors' poor implementation of the protocol, and also the fact that one device within the network could start punching firewall holes for other devices in the same network.

So my question:
Is MikroTik's implementation of UPnP solid?
Would security be acceptable if UPnP was enabled only for the VLAN interface of the Gaming Console? (e.g. UPnP couldn't affect any other LANs if the Gaming Console was compromised)

I'm thinking:
ip upnp> set enable=yes
allow-disable-external-interface=no
show-dummy-rule=yes
ip upnp interfaces> add interface=ether1 type=external
add interface=VLAN90 type=internal
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: UPnP vs Static NAT Rules [SOLVED]

Thu Apr 13, 2023 12:46 pm

A temporary workaround, like most things MikroTik, would be to give the intended devices static DHCP leases and add them to a dynamic address list.

(tip: a static IP is, however, not necessary)
/ip/dhcp-server/lease/add server=dhcp comment=XBox mac-address=01:01:01:01:01:01 address=pool-Home address-lists=upnp
vs
/ip/dhcp-server/lease/add server=dhcp comment=XBox mac-address=01:01:01:01:01:01 address=192.168.0.80 address-lists=upnp

and finally with a firewall rule rejecting UPnP requests of non-whitelisted clients:
/ip/firewall/filter/add chain=input action=reject protocol=udp dst-port=1900 comment="prevent non-privileged UPnP" reject-with=icmp-admin-prohibited src-address-type=!local src-address-list=!upnp
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 12:27 am

it would show the NAT'ed ports as "no response" instead of the desired status "Stealth".
But if you open the door yourself, how is it hidden?...
Otherwise, how do the other consoles that have to connect remotely manage if nothing replies?...
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 12:35 am

/ip/firewall/filter/add chain=input action=reject protocol=udp dst-port=1900 comment="prevent non-privileged UPnP" reject-with=icmp-admin-prohibited src-address-type=!local src-address-list=!upnp
Translated:
Any packet that arrives as input to the routerboard, that uses UDP with destination port 1900, if the source is not part of the UPnP list,
and if the source IP is not one assigned to one of the router's interfaces,
reject it and send an ICMP Admin Prohibited reply...

Well, with this rule you make the routerboard participate in a DDoS attack.
Nice rule... Reply with something, even to a spoofed IP, on the internet...
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 2:41 am

How about, instead of being unconstructive, you come with solutions instead. And as a side note, if your firewall rules blindly allow incoming traffic up to this point, then you have bigger problems. https://en.wikipedia.org/wiki/Fear,_unc ... _and_doubt
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 3:54 am

And as a side note, if your firewall rules blindly allow incoming traffic up to this point, then you have bigger problems.
I know, you didn't specify any warning...
and don't you know that standard users can use copy & paste better than us?
https://en.wikipedia.org/wiki/Cut,_copy,_and_paste
 
Frederick88
newbie
Topic Author
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 5:43 am

What's the advantage of
reject-with=icmp-admin-prohibited
vs sending the traffic to a black hole?

Will devices on the LAN stop trying UPnP if they receive the ICMP prohibited message?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 10:55 am

In principle, rejecting traffic allows the client to recover quickly and try something else. Blackholing traffic means clients have to time out before trying something else. So for legitimate clients rejecting traffic is fine, but for attackers/bots it's definitely better to blackhole traffic, as this slows attackers down. And what @rextended wrote: sending rejects to spoofed remote addresses is one way of (unwillingly) participating in a DDoS attack against a 3rd party ...

What clients (e.g. LAN clients trying to do UPnP) do after they receive a rejection is entirely up to the client software. They might politely shut up, but they might as well hammer the router with further requests. In the latter case dropping requests (instead of rejecting) is probably better.
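The disagreement above (Joni's reject rule, rextended's reflection objection, and mkx's reject-versus-drop trade-off) comes down to rule order and what a reject answers to. The following is an added illustration, not code from the thread or from MikroTik: a small Python model of a RouterOS-style input chain, evaluated over constructed packets. The interface names (ether1 as WAN, VLAN90 in a "LAN" interface list), the addresses and the address-list contents are assumptions chosen for the example; the "drop all not coming from LAN" rule is the one MikroTik's default firewall configuration installs.

```python
"""Simulated evaluation of a RouterOS-style input chain over constructed packets.

Models only the matchers used in the thread: in-interface, in-interface-list,
protocol, dst-port, src-address-list (negated) and src-address-type=!local.
All interface names, addresses and list contents below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed router state (assumed, not from the thread).
INTERFACE_LISTS = {"LAN": {"VLAN90", "bridge"}}      # ether1 is the WAN side
ADDRESS_LISTS = {"upnp": {"192.168.90.80"}}          # console, added via its static lease
LOCAL_ADDRESSES = {"192.168.90.1", "203.0.113.10"}   # addresses owned by the router


@dataclass(frozen=True)
class Packet:
    in_interface: str
    src: str
    proto: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                  # accept | drop | reject
    comment: str = ""
    in_interface: Optional[str] = None           # in-interface=<name>
    not_in_interface_list: Optional[str] = None  # in-interface-list=!<name>
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_not_in_list: Optional[str] = None        # src-address-list=!<name>
    src_not_local: bool = False                  # src-address-type=!local


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every matcher set on the rule is satisfied by the packet."""
    if rule.in_interface is not None and pkt.in_interface != rule.in_interface:
        return False
    if rule.not_in_interface_list is not None and pkt.in_interface in INTERFACE_LISTS[rule.not_in_interface_list]:
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.src_not_in_list is not None and pkt.src in ADDRESS_LISTS[rule.src_not_in_list]:
        return False
    if rule.src_not_local and pkt.src in LOCAL_ADDRESSES:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; with no match RouterOS accepts (there is no implicit drop)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action
    return "accept"


def icmp_reply_target(chain: List[Rule], pkt: Packet) -> Optional[str]:
    """A reject sends an ICMP error back to the packet's source address; a drop sends nothing."""
    return pkt.src if evaluate(chain, pkt) == "reject" else None


def reflection_targets(chain: List[Rule], packets: List[Packet]) -> Set[str]:
    """Addresses outside the LAN that this chain would answer with an ICMP error."""
    targets = set()
    for pkt in packets:
        if pkt.in_interface in INTERFACE_LISTS["LAN"]:
            continue
        target = icmp_reply_target(chain, pkt)
        if target is not None:
            targets.add(target)
    return targets


# The reject rule from the thread, as posted.
UPNP_REJECT = Rule(action="reject", comment="prevent non-privileged UPnP",
                   proto="udp", dst_port=1900, src_not_in_list="upnp", src_not_local=True)
# MikroTik's default-config rule: drop input that did not arrive from a LAN interface.
DROP_NOT_LAN = Rule(action="drop", comment="drop all not coming from LAN", not_in_interface_list="LAN")
# Alternative: confine the reject itself to the console VLAN (assumed variant).
UPNP_REJECT_VLAN90 = Rule(action="reject", comment="prevent non-privileged UPnP on VLAN90",
                          in_interface="VLAN90", proto="udp", dst_port=1900,
                          src_not_in_list="upnp", src_not_local=True)

CHAIN_AS_POSTED = [UPNP_REJECT]
CHAIN_HARDENED = [DROP_NOT_LAN, UPNP_REJECT]
CHAIN_SCOPED = [UPNP_REJECT_VLAN90]

# Constructed sample traffic.
SPOOFED_FROM_WAN = Packet("ether1", "198.51.100.7", "udp", 1900)  # forged third-party source
CONSOLE = Packet("VLAN90", "192.168.90.80", "udp", 1900)           # whitelisted console
ROGUE_LAN_HOST = Packet("VLAN90", "192.168.90.55", "udp", 1900)    # LAN host not on the list

if __name__ == "__main__":
    for name, chain in [("as posted", CHAIN_AS_POSTED), ("hardened", CHAIN_HARDENED), ("scoped", CHAIN_SCOPED)]:
        verdicts = [evaluate(chain, p) for p in (SPOOFED_FROM_WAN, CONSOLE, ROGUE_LAN_HOST)]
        print(name, verdicts, "ICMP replies leave towards:", reflection_targets(chain, [SPOOFED_FROM_WAN]))
```

With the chain as posted, a UDP/1900 packet arriving on ether1 with a forged source is rejected, so the router emits an ICMP error towards that forged address; that is the reflection rextended objects to. Putting the default "drop all not coming from LAN" rule first makes the same packet disappear silently while the console is still accepted and a non-whitelisted LAN host still gets the fast reject that mkx describes as fine for legitimate clients. Scoping the reject with in-interface=VLAN90 also stops the reflection, but on its own it leaves the WAN packet on the default accept path, which is the "bigger problems" case Joni mentions; the two measures complement rather than replace each other.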
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 11:23 am

What's the advantage of
reject-with=icmp-admin-prohibited
vs sending the traffic to a black hole?

Will devices on the LAN stop trying UPnP if they receive the ICMP prohibited message?
Faster timeouts and network troubleshooting, no automation involved; tcpdump would show your denied reply instead of no reply at all.

Probably should be; IPv6 might return the role to ICMP and its error messages, but as you can see there are different schools around it. In the ideal world people want to disable UPnP and use magic, and it is quite surprising MikroTik hasn't removed it completely (not a complete implementation to begin with); however, in reality so many consumer services depend on it and its turn-key nature that not implementing it is often futile. Especially in the future world of IPv6 there is the persistent question that, even though a firewall doesn't need to do NAT or port forwarding (due to unlimited public IPs, also inside the LAN, just not opening ports to them), clients still need something to communicate with a firewall to open ports. Guess which protocol does all the other scaffolding, and on top of which the UPnP standard most probably could be implemented...
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: UPnP vs Static NAT Rules

Sun Apr 16, 2023 11:46 am

One thing is to decide not to reply (with ICMP) to something that might be part of an attack. A completely different thing is to block the entire ICMP protocol family (which is what some people recommend).

So: ICMP has to be dealt with properly. It is fine not to use/answer some parts (e.g. no replies to ICMP echo request, or not sending ICMP forbidden service for filtered ports), but definitely not blocking all of it (e.g. ICMP time exceeded or ICMP packet too big are crucial for properly working IP, both v4 and v6).
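To make the last point concrete, here is an added example that is not from the thread or from MikroTik: a minimal Path MTU Discovery simulation in Python with two border policies, one that selectively declines WAN-side echo requests while passing the ICMP types IP depends on, and one that blocks the whole protocol family. The MTU values and the policy shape are assumptions for the illustration; the ICMP type and code numbers are the IANA-assigned ones.

```python
"""Minimal Path MTU Discovery simulation: which ICMP a border firewall must let through.

The MTUs and the two policies are constructed for illustration; the ICMP
type/code numbers are the IANA-assigned values.
"""
from typing import Callable, Optional

# ICMP messages IP itself depends on; a code of None means "any code".
ESSENTIAL = {
    ("icmpv4", 3, 4): "fragmentation needed (PMTUD)",
    ("icmpv4", 11, None): "time exceeded (traceroute, routing loops)",
    ("icmpv6", 1, None): "destination unreachable",
    ("icmpv6", 2, None): "packet too big (PMTUD)",
    ("icmpv6", 3, None): "time exceeded",
    ("icmpv6", 4, None): "parameter problem",
}
ECHO_REQUEST = {"icmpv4": 8, "icmpv6": 128}

# policy(family, icmp_type, code, arrived_from_wan) -> accepted?
Policy = Callable[[str, int, int, bool], bool]


def selective_icmp_policy(family: str, icmp_type: int, code: int, from_wan: bool) -> bool:
    """Accept the types IP needs; silently decline echo requests arriving from the WAN side."""
    if (family, icmp_type, code) in ESSENTIAL or (family, icmp_type, None) in ESSENTIAL:
        return True
    if icmp_type == ECHO_REQUEST[family] and from_wan:
        return False          # no echo reply to the internet, and nothing else is sent back
    return True


def drop_all_icmp(family: str, icmp_type: int, code: int, from_wan: bool) -> bool:
    """The 'block the whole ICMP family' advice the post warns against."""
    return False


def pmtud_transfer(policy: Policy, family: str = "icmpv4",
                   sender_mtu: int = 1500, path_mtu: int = 1400,
                   max_tries: int = 4) -> Optional[int]:
    """Return the datagram size that finally traverses the path, or None if the transfer stalls.

    The sender sets DF (IPv6 never fragments in transit). The narrow hop discards the
    oversized datagram and answers with 'fragmentation needed' / 'packet too big'
    carrying its MTU; that message only helps if the edge firewall lets it back in.
    """
    too_big = ("icmpv4", 3, 4) if family == "icmpv4" else ("icmpv6", 2, 0)
    size = sender_mtu
    for _ in range(max_tries):
        if size <= path_mtu:
            return size                      # fits: data flows
        if policy(too_big[0], too_big[1], too_big[2], True):
            size = path_mtu                  # sender learns the path MTU and resends smaller
        # otherwise the sender only sees silence and retransmits the same size (PMTUD black hole)
    return None


if __name__ == "__main__":
    for name, pol in [("selective", selective_icmp_policy), ("drop-all", drop_all_icmp)]:
        print(name, "IPv4:", pmtud_transfer(pol), "IPv6:", pmtud_transfer(pol, family="icmpv6"))
```

With the selective policy a 1500-byte sender converges on the 1400-byte path MTU after one round trip on both address families; with every ICMP message dropped it never learns the path MTU and the transfer stalls, which is the failure mode behind "crucial for properly working IP" above. The same policy still gives no answer to echo requests from the WAN side, so declining to reply to probes and keeping error messages flowing are not in conflict.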
