My NAS exposes itself over the internet without permission (kn100.me)
390 points by kn100 7 days ago | hide | past | favorite | 296 comments
> Unfortunately, disabling uPnP these days is too much of a hit to convenience, so I looked for other solutions.

Don't do this, there is no good reason to run UPNP if you care about security, turn it off and learn to manage a firewall.

If the author really cares, go one step further and replace the ISP owned router with something with more control.

Finally, if one cares about the software one's NAS runs, build or buy from someone like TrueNAS.


People make blanket statements like this without thinking of how it is used by popular consumer devices.

As others have said it's really necessary for some consumer devices to work properly - especially if you have more than one of the same device.

Games consoles are the best example.

If you have one console only, then you can usually forward ports manually, but if you have two or more of the same console, and want them to go online at the same time, then you need to use UPnP.

If you don't have UPnP enabled on one of the consoles, you'll see issues like being unable to join some games or being unable to do voice chat with certain players.


> Games consoles are the best example.

Not with you there bud - we have multiple game consoles and my firewall doesn’t even support UPNP. I also have never set up any DNAT or ‘punched holes’ in it to make them work. They just do.


I have replied elsewhere about Xbox Live, but it's generally an impossibility (without advanced forwarding or UPnP) to have two consoles (of the same type - e.g. two Xbox One consoles or two Nintendo Switch consoles), connected to the internet, both able to access ALL online features, at the exact same time.

Out of the box on most consumer networks, you're going to be able to access things like the store, downloading updates etc.

To play with certain players on peer to peer games (which are less common these days) or have a voice chat with certain players, you will need to port forward (manually or with UPnP).

You either need to forward ports manually (which can obviously only be done to one console), or use UPnP. The Xbox One and later does have an option to manually ask it to use a different port on multiple consoles for some features (so that you can port forward separately to consoles), but I am unsure if that will solve all issues in such an environment.


This is not true based on my experience with multiple switches and xbox one consoles.

It does depend on the game. A P2P game like Call of Duty will have problems when played simultaneously on more than one console because the external port can not be shared.

What happens though is that another external port gets forwarded to 3074 instead.

3074 -> 3074

3075 -> 3074

3076 -> 3074 etc.

It's likely uPnP does this automatically as even uPnP won't be able to map multiple devices to the same external port, but it does make the process convenient.


That’s not how NAT works though. It uses random ports, and there are no collisions, unless you have thousands of Xboxes behind a NAT. Also, remember that CGNAT is a thing, with hundreds of households (with dozens of game consoles) all behind a single IP address. Essentially, the people talking about game consoles not working are wrong.

That is how NAT works for connections opened from private network to the Internet. If the console needs to listen to a port, the NAT must be configured to forward the listened port to correct device. Multiple devices behind NAT can not listen to the same port, and this is where the forwarding of different ports on public IP to same port on different private IPs comes in.

The source port would be random and communication would ride on that established connection. An exposed port is not necessary for client initiated communication.

Yes, you're talking about a device behind NAT which initiates a connection to an external service.

However, we're talking about a service listening behind NAT (in this case Call of Duty on an Xbox at home) that needs to be listening for connections initiated by other Xboxes to establish a P2P connection. This is what port forwarding enables and this is what uPnP automates.


Why wouldn't they use a solution like https://samy.pl/pwnat/ this is a long solved problem that doesn't require uPnP.

Is it somehow better than uPnP?

Yes, CGNAT is causing a lot of issues not being able to host multiplayer games, as I've experienced myself (with PC games, though server-client ones, not peer to peer ones).

Anyway, these days, if you don't have an IPv6 /56, you don't have a real Internet connection.


Only one of the two sides needs UPnP, no?

No

That's not true, at least for xbox live. Its NAT punching will gladly use UPnP if available, but doesn't rely on it, even for multiple devices on the same public IP.

It's unlikely that you will have an "OPEN NAT" status on more than one console without UPnP at the same time.

Depending on the game you're playing, that may or may not be an issue.

It can stop you connecting to certain players in a peer to peer scenario.


It'll be fine. They'll be on two pretty arbitrary public ports, but it works just fine if you have a vaguely sane nat implementation in your router. That's the whole point of nat punching. And even if you have an incredibly broken nat implementation that won't accept UDP packets from other sources than the server you originally connected to, there's a fallback pathway at the first layer of that port 3074 protocol that bridges p2p messages through live's backend.

As another example, last time I checked WebRTC didn't use UPnP, but has all the same issues as a fundamentally P2P UDP protocol. They use STUN/ICE/TURN, live uses custom protocols filling the same niches.


This Xbox help article explains how having a "Moderate" or "Strict" NAT can affect you and how it can be solved:

https://support.xbox.com/en-GB/help/hardware-network/connect...

I don't think anything has fundamentally changed in this area since the days of the Xbox 360. Back then it was a PITA to get two or more consoles working properly without UPnP, and I can't see anything about the problem that would be different now.

Nintendo has a similar page:

https://www.nintendo.co.uk/Support/Nintendo-Switch/Troublesh...

So does Sony:

https://manuals.playstation.net/document/gb/ps4/settings/nw_...


I hate Sony for that page. I’ve helped multiple people with router issues who turned out to have forwarded all those ports from wan to their PlayStation (or its previous IP). Ofc it wasn’t the issue at hand, but horrible nonetheless.

How does it work with IPv6-only networks?

The last I looked on PS4, they expected you to use a particular port. I don't think there was a dynamic portion, just forward port X to the PS4. I could absolutely be wrong though, it's been a while.

I find it amusing that many people are convinced that IPv6 is less safe, because there is no NAT, and at the same time use UPnP. No, NAT isn't designed for security, the blocking of incoming traffic is just side effect, you should use a firewall for security.

IPv6 can be a privacy issue, sure, but it's no less secure, my firewall is still blocking all incoming IPv6 traffic.

The issues with IPv6, in my experience come from its relative complexity, compared to IPv4, and also from forgetting to manage it at all, as it often uses different tools, firewalls, e.g. ip6tables vs iptables, or the fact that Ubiquiti EdgeRouters don't expose ANY IPv6 firewall configuration in the GUI at all.


Ubiquiti's router offerings are rather poor, VPNs can't roll over to WAN2 automatically, redundant tunnels are hard to configure, IPv6 support is a mess, asking Ubiquiti for support gets you an unhelpful chat that redirects you to help articles you've already read.

Other players in this space have had these capabilities for over a decade, and you can call to get help. Ubiquiti might be inexpensive, but its still more than double the price of Grandstream's SoHo/SMB router and access point offerings while offering equivalent support and features.

Really neither of these offerings are good outside the SoHo and single location business space. I wish for OpenWRT, OPNsense or WatchGuard's configurability wrapped in a single interface that lets you see the router, switches and access points performance live while letting you alter their settings, without seriously kneecapped router capabilities.


> IPv6 can be a privacy issue

Why do people throw this out there as if it's a fact we all agree on?

I've heard of one potential privacy issue 20 years ago, which was that IPv6 autoconf used the MAC address for the host part of the address, but this has long since been replaced with regularly rotating random suffixes.

So... why keep saying this?


Because the prefix stays the same. And many ISPs that provide IPv6 don’t rotate very often, if at all.

For most ISPs the IPv4 acts exactly the same way, being almost but not quite stable. I don't understand how that's a downside to IPv6.

Because "most ISPs" are actually wrong, it's "most American ISPs". In the rest of the world, unless you've explicitly requested static IPs, your IPv4 (and IPv6) addresses are being rotated (usually either daily or weekly). There's a reason why dynamic DNS services are popular.

P.S. If your security paradigm relies on IP addresses being semi-stable, you need to overhaul it.


> In the rest of the world, unless you've explicitly requested static IPs, your IPv4 (and IPv6) addresses are being rotated (usually either daily or weekly).

I'm in the rest of the world and my non-static IP address almost never changes. I actually memorised my external IP address at one point since I saw it so often.


> In the rest of the world, unless you've explicitly requested static IPs, your IPv4 (and IPv6) addresses are being rotated (usually either daily or weekly).

Fair, but that's still IPv4 and IPv6 rotating at the same rate.


This is wrong, at least in Europe, static IP is considered to be best practice.

I live in France and work in IT and never heard about this "best practice". Who claims that?

I use the highest fibre offering from Orange and have a dynamic IP. Fixed IP is for "professionals".


RIPE : https://www.ripe.net/publications/docs/ripe-690#5-2--why-non...

That's funny, because I kind of have the "lowest" fiber offering from Orange, and I don't think my IP ever changed? (I wouldn't bet on it though.)


The RIPE article is about IPv6. I use only v4

I monitor my Internet connection closely (since I serve stuff on it, and also because why not) and I saw my IP changing and wandering throughout the Ile-de-France. I would say that the changes are every 6 months or so (since one of my domains is with Gandi I had to write a checker and change the assignment through their API).


If you only use IPv4, then these days (with not only the Asiatic countries never having got IPv4, but Europe having run out of IPv4 addresses), technically you don't have a "real" Internet connection any more.

I do not understand what you are saying. Do you imply that IPv4 is non-existent in Asia??

How does having run out of IPv4 mean that there is no "real" Internet?

Honestly - it would be great if IPv6 caught up but the standard, first choice is IPv4.


My bad, I should have said that "some" Asian countries never had enough IPv4 addresses to start with. AFAIK this explains why India is one of the world leaders in IPv6 deployment ? (I've also heard that IPv6-only networks are not uncommon in some Asiatic countries ?)

IPv6 has been slowly rolled out for more than a decade now, though AFAIK the standard has only been finalized in 2017.

Since 2017, first choice should have been IPv6.

"Internet" stands for "International network". If you're using IPv4 only, when someone else uses IPv6 only, then obviously you won't be able to connect to each other. Therefore you aren't on the same network. And only one of them can be "really" called "Internet".

(Also, IPv4 was an experimental ARPANET protocol which wasn't supposed to be used "in production" worldwide, but here we are...)


Internet stands for interconnected network, with the capital "I" signifying that it's "the" interconnected network.

Not according to my network teacher (for the upper case one), but this is a moot point, since the result is the same.

Sadly anyway, in theory dual stack is less secure than single stack, regardless of whether IPv6 is good or bad.

No firewall or opt-in firewall (which only a tiny fraction of people turn on) is pretty common for IPv6. It's also somewhat an open question whether router firewalls are even a good idea on IPv6 (since the security advantages are not that certain, and it can prevent the adoption of new protocols).

> pretty common for IPv6

Source? Every consumer router I've ever seen that supported IPv6 also had a firewall covering IPv6. Given the crapshoot routers tend to be I wouldn't be surprised if some messed that up, but "pretty common" seems unlikely.


https://lafibre.info/ipv6/ipv6-le-firewall/

For context, Free recently boasted reaching 99% IPv6 coverage. On their (now) midrange Freebox Revolution router, the IPv6 firewall is (AFAIK still today) opt-in.


Ugh. Idiots. CPEs should default to firewall on.

Well, OTOH, the fact that tens of millions of people have now been connected through firewall-free/disabled IPv6 for years, yet the (somewhat expected) disaster of widespread hacking/compromises clearly didn't happen... which could mean that this is not that critical of a security feature as could be expected ?

Yep, the author depends on NAT as a security feature, when it was never designed to be one. UPnP is a convenience feature, and is disabled in all security focused networks. If you want convenience and security, set up two VLANs, one for your insecure UPnP devices, and one for your more sensitive devices.

Aren't these two points slightly contradictory?

> the author depends on NAT as a security feature, when it was never designed to be one

> UPnP is a convenience feature, and is disabled in all security focused networks.

uPnP punches holes in a NAT. If you shouldn't be trusting NAT to protect you anyway, why bother disabling a feature that's designed to punch holes in it? Just set up your firewall to protect your network, and it's not an issue.

(I suppose some routers might automatically add a firewall exception when doing uPnP hole punching, but if so that's an issue with those routers, not with the idea of relying on a firewall.)


UPNP doesn't "punch holes in NAT." It is dynamically configuring NAT to provide a specific translation. The same kind of dynamic translation happens the other way for any allowed outgoing traffic, and lots of old NAT traversal tricks made use of that before UPNP was a thing.

The hole was always there. People get this topic confused all the time because the majority of network devices doing NAT are also acting as firewalls of varying efficacy. There are basically no non-firewall routers anymore, they all have at least simple network address ACLs.

The purpose of upnp is touchless configuration. If you care about security, that is orthogonal to your goals, and so it must be restricted by some other policy enforcement.


Good point, I should have been more careful about the terminology. My point was that it's possible to have UPnP configure a port to be translated for a particular host on the LAN but still have a firewall on the router blocking access to that port.

Another reply to my comment suggests that at least some consumer routers open a firewall port up as well, meaning that UPnP is still a potential security hole on those routers. (This might actually be required by the IGD protocol spec for all I know, that would be unfortunate...)


There are at least some non-firewall or opt-in firewall (which amounts to the same for most people) for IPv6 routers provided by major ISPs.

> I suppose some routers might automatically add a firewall exception when doing uPnP hole punching

Every consumer router I’ve ever had will open up a port in the firewall when uPnP is enabled and a request is received. Is that not standard?


Ah that’s fair, but it’s the combination of both that is the worst

This is the way to do it.

NAT is not really security and UPnP doesn't really do much to prevent malicious software already on your network from doing malicious things except perhaps hosting itself on your WAN to spread further.

What disabling it does help is prevent improperly configured or flawed devices from accidentally exposing themselves to your WAN. IOT devices? Put them on a network with no UPnP. Workstations and video game consoles with up-to-date patches? UPnP is probably fine.


This is what I did a couple years ago. The documentation for OpenWRT is great, and LuCI/LDE makes it approachable if you don’t feel comfortable managing from the CLI. I have one VLAN for my “privileged” devices and one for the “IO(shi)T” devices.

This sort of thinking is endemic in industrial networks; they finally internalized basic ipv4 concepts in the late 00s and never considered maybe the stateful tracking required for UPNP and other NAT tricks also might exist without it.

I've set up several private v6 networks to deal with renewable energy projects in which the integrator used the same ipv4 address blocks on every single one, and the whole 6to4 translation explanation landed like they had just seen a devil sorcerer graft a goat head onto a human.


There are many, many networking and originally UNIX tools tricks (e.g. SSH) you can show to the poor people supporting industrial networks/ hardware. I have written some of my tricks down in this OrgPage: https://www.orgpad.com/s/UHUor4 there are screenshots for Linux and Windows for some things related to SSHFS, SOCKS Proxy and more. Click units with shadows to open them. From time to time, I update it to reflect new tricks.

This knowledge saved at least 2 companies hundreds if not thousands of euros in on-site support, hardware and other expenses. Funnily, while these things are quite hacky, they tend to work better than most of the dedicated hardware I have seen in practice, while keeping you/ the technician/ engineer in control. With any kind of working infrastructure, you can estimate how good your solutions are because you don't get called at random times and from monitoring/ explicit contact you just see/ hear the things work fine.


Your link doesn't open in my Firefox, unfortunately.

I tried just now in two different Firefox (ESR and current) versions and it works. Perhaps you have to enable JavaScript, since OrgPad is a web application?

You can also try this not-shortened link: https://www.orgpad.com/o/AWhUSD7lhAjYC0sw-9lcDd


Disabled uBO, still no luck. It says "Computing sizes of all cells, 50 remaining ..." and spins forever.

IMHO IPv6 is an ISP problem, I don't need every (any, really) of my devices accessible from outside my personal VPN, and IPV4 private space is more than sufficient for that.

IPv6 is overly complex, therefore insecure. Thanks to the US Patriot Act I don't even trust the VPN stuff tbh.


> IPv6 is overly complex

I'm being a bit pedantic about this since you're right that in practice, setting up stuff for IPv6 is in fact complex since support for it is all over the place.

But I want to stress that IPv6 as a protocol is much simpler, more intuitive and much more versatile than IPv4. I'd even go so far as to say that it's actually fantastically suited for local networks, especially so in complicated setups with multiple subnets (in an alternate reality where everything supports it).

It's really, truly, a genuine shame that it never gained the momentum it could have.


The basics of the client side are simple.

But the routing is not simple.

I'm pretty well versed in networking generally - even IPv6, but a quick glance over something like: http://ipv6now.com.au/primers/IPv6RoutingSecurity.php

Makes it obvious why it still hasn't gotten anywhere, _no one_ wants to dig through all that unless they really really have to.

Security depends on securing the routing and address allocation. So it is hardly surprising very few were/are willing to step up and declare IPv6 installations safe for service.

Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.

I'd go so far as saying the vast majority of people do not even realise their machines can be accessed from the outside world when they only have one public address behind their "firewalled super safe ISP router", and would be terrified to find out they can.


> http://ipv6now.com.au/primers/IPv6RoutingSecurity.php

Everything listed there either also applies/transfers to IPv4 or is not applicable at all to the situation you're evaluating.

> Makes it obvious why it still hasn't gotten anywhere

Uh....

https://www.google.com/search?q=google+ipv6+traffic+percenta...

44.44%

https://www.google.com/search?q=google+global+ipv6+traffic+p...

34.15%

[EDIT: sibling post by minimaul has the better link:] https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...


> Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.

The mass market appeal for IPv6 is the fact that we do not have enough IPv4 to actually give one internet connection a unique IP. CGNAT is getting ever more present in the marketplace as a result of this.

Major providers are rolling out IPv6. eg in the USA, several major cable/fibre providers provide v6, several mobile networks provide IPv6 using things like 464xlat. It's the same in the UK - BT for example provide IPv6 on consumer internet connections, EE (a major phone carrier) provide v6 and use 464xlat to provide v4 connectivity to handsets.

India and Germany are further ahead still, generally. Google's IPv6 stats are a good indicator of just how much v6 is in use now: https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...


Usually, inbound IPv6 is firewalled by the ISP router just fine. As far as I know, there is UPnP with IPv6 though there seems to be some work in that direction. Also, current CGNAT setups tend to close connections before they should according to RFCs: https://anderstrier.dk/2021/01/11/my-isp-is-killing-my-idle-...

All the IPv6 routing security has to be done with IPv4 as well. ARP -> NDP, prevent source address spoofing, DHCP guard/ RA guard are basically two sides of the same coin. Serious networking hardware has supported this for years or there are firmware updates supporting it. For about the last 5 years, supporting IPv6 has become much easier, almost as easy as supporting IPv4 for most of the real world use cases. Anyway, the reality is, we don't really have much choice other than to migrate to IPv6 sooner or later.


Pretty often, IPv6 is NOT firewalled (or the firewall is opt-in, which in practice amounts to the same thing).

Perhaps. Do you have concrete examples? As with everything: "Trust, but verify." https://en.wikipedia.org/wiki/Trust,_but_verify


Well, the governments are starting to get the stick out: you don't have IPv6 support? No 5G authorisation for you!

@yesco is right that practice is all over the place for IPv6 if it works at all. But in general, IPv6 as a protocol is just fine, at least equally secure as IPv4 and not more complex than IPv4 in many practical cases. I would even go so far as to say it is way easier to do a clean address plan with IPv6. Usually, IPv6 inbound access is blocked by default on the ISP router's firewall.

In practical networks, IPv4 tends to be set up in some way and usually seems to work correctly - until you discover all the atrocious hacks people have committed over the ~ 25 years of practical, widespread use. Quite often multiple levels of NAT without much reason for it, UPnP where it shouldn't be, payment for even single IP addresses (great, we are paying for numbers other people got basically for free) and more - IPv4 addresses are often handled like pets. Compared to IPv6, it is much harder to do a simple split into security groups based on prefix with IPv4. (In IPv6, you can usually just give every broadcast domain a /64 and will not make a huge mistake - they are a single security group. Sometimes, you might want to hand out a /64 or even shorter prefix to every client though.)

There are some great resources for modern and practical IPv6 too: https://knihy.nic.cz/#IPv6-2019 (4th edition in Czech by Pavel Satrapa, but can be translated using Google Translate and is more or less ok as a translation: https://docs.google.com/document/d/10CRjSRBLcdqtGjJgaW5Sct5h...) there are older books in English that are also mostly relevant still. The free IPv6 course by RIPE NCC is also a good way to get up to speed and avoid (spreading) FUD.


“Overly complex, therefore insecure” Has to be the most incorrect understanding I’ve ever seen in computing... And I’ve seen people talking to their mice...

Maybe they were from the future and just needed a tank for some whales...

You made my day^

I have the opposite problem, where I actually want one of my devices to be publicly accessible but my ISP only provides NAT.

And they even disable UPnP from some of their routers for "security reasons".


Why the sarcastic quotes around “security reasons”? Mom and pop need sane defaults. An argument can be made that disabling it is a sane default.

OP is not talking about disabled by default, he’s talking about disabled permanently, i.e. you literally cannot turn uPnP on because the ISP disables the functionality. I know that AT&T does this with their BGW210-700. Security is good, but locking people out of basic features is not.

NAT can mean 2 things, 1 to 1, and 1 to many. Firewall is a concept not a thing.

IPv6 could be set up so every computer has an internal address and you choose to map external to internet using 1 to 1 NAT.


As a former maintainer of firewalls... You are wrong. From beginning to end, utterly, and completely.

::Pets His firewalls lovingly:: “Don’t listen to Him, He didn’t mean it.”


Ah yeah the good old IPv6-NAT....

Sure, UPnP can open ports to the outside world, but that's something that might be desired in some cases.

However, devices should default to local access only, and offer an option to expose them to the world, with appropriate warning.


> However, devices should default to local access only

Unfortunately we need to act based on what is and not what should be.


This is exactly my opinion and exactly how I use uPnP. I can't control exactly what runs on my network since I'm not the only one using it, but I can guard certain parts of my network more thoroughly.

You have to choose: security or convenience.

It’s a sliding scale, otherwise you’d run an airgapped network and hand carry your info into and out of your home on CDs...

Reminds me of a state secretary who decided to use gmail because it was more convenient than the secure smartphone provided to him.

Of course for most people who aren't dealing with state secrets convenience is a priority.


“They that would give up a little convenience for a little security deserve neither and they shall lose them both.” -Beenjammin Frankmon

You could also configure your Internet router to only allow one or two trusted devices to invoke UPnP to open ports.

Not the ISP supplied ones I guess.
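The restriction suggested above (let only one or two trusted LAN hosts create UPnP mappings) is exactly what the miniupnpd permission rules on an OpenWrt router express. The fragment below is an added example, not from the article or any commenter: it is an /etc/config/upnpd in OpenWrt's UCI format that allows only a hypothetical console at 192.168.1.20 to request high-port mappings and denies every other host, so a NAS or IoT device asking for a port gets refused. The address, interface names and comments are assumptions for the example; the option names are those OpenWrt's upnpd package uses.

```ini
# /etc/config/upnpd  (OpenWrt miniupnpd; example configuration, addresses are hypothetical)
config upnpd 'config'
	option enabled '1'
	option enable_upnp '1'
	option enable_natpmp '1'
	# secure_mode: a client may only request mappings to its own address,
	# so one LAN host cannot expose another.
	option secure_mode '1'
	option internal_iface 'lan'
	option external_iface 'wan'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	# log to syslog so every AddPortMapping request leaves a trace
	option log_output '1'

# Permission rules are evaluated in order; first match wins.
# Weak default (what most shipped configs do): any host, any high port.
#   option int_addr '0.0.0.0/0'
# Hardened: only the trusted console may open high ports to itself.
config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '192.168.1.20/32'
	option int_ports '1024-65535'
	option comment 'Game console only'

# Everything else, including the NAS, is denied.
config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'
```

After editing, `/etc/init.d/miniupnpd restart` applies the rules; a device that is refused a mapping will typically report a "NAT type" or connectivity warning in its own UI, which is the signal that it was trying to expose itself. An ISP-supplied router, as the previous comment notes, usually offers only a global on/off switch and no per-host rules.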

Edited: deleted my comment as I was unintentionally offensive.

To rephrase this somewhat less offensively (I am the author) "I realised a potential solution but decided the drawbacks of disabling uPnP were larger than the potential risk keeping uPnP enabled poses". My household makes use of many different services that would need to be port forwarded one by one in order to keep everything working, and some games just punch whatever port they like using uPnP so it's hard to keep playing those with it disabled. Sysadminning at home is only fun for a short while, I do this stuff at work, I'd rather keep my home setup as simple as I can help it.

As usual, various solutions are available, I described one here. Disabling uPnP is an option for some, and I encourage those who want to go that route to go that route.


I think some people miss the point of the article. That a NAS like Terramaster F2-210 shouldn't open ports externally and if they do there should be options to turn this feature off.

I agree with bunnyfoofoo’s conclusion - maybe not the tone but certainly the conclusion. It’s tough to trust an article that makes security claims while ignoring so many self imposed security holes.

I'm sorry, I didn't mean to come off as offensive. I agree that it would be bothersome to convert from uPnP to non-uPnP, but you really only need to set it up once. Then any new devices you add to your network don't require individual workarounds.

It's fine, I wasn't personally offended nor should you feel like you need to censor yourself. It's really difficult to justify turning uPnP off when you can't necessarily control every application that runs on your network. My wife is going to get rather annoyed when whatever video conferencing software she uses stops working, and I'm gonna get mad when the game I want to play doesn't work - which is why I engage in a somewhat fruitless fight with the stuff I can control to keep the uPnP port punching under control somewhat.

It's definitely a bug in the nas that it continues to punch ports no matter how it is configured. Plenty of software gives you the option of not punching ports.


FWIW I have never had upnp enabled and I don't recall any cases where it's caused a problem for me. Certainly my wife and I are on videoconferences all day and they work fine. I am completely with you that I can't have network configurations that make the network unusable, confusing, or inconvenient for my family, but are you sure that upnp falls into that category? I'm sure you have different applications than I do, but I think we're pretty normal...

This article pissed me off so I went to check on uPNP and I had disabled it when moving into this home. Never had any problem where uPNP was the solution, we have gamers, video calls, VPNs, BitTorrent, etc etc. all work fine. We even have a printer that works. I think it is calling home to Google or HP or whatever.

Try it and see what happens.

I build secure communications solutions for a living, so I'm speaking from experience.

Any solution worth its salt doesn't want or need UPnP on your network, it doesn't need anything other than for you to let it hit the internet and for the traffic to come back the other way.

I also run and have run other solutions in my day to day working from home and private life, many SIP flavours, Teams, Zoom (once, because it was the only option), Jitsi, BBB, Google Duo, Hangouts, Houseparty they all work with no effort from me.

There is a lot of hypothetical about what will and won't work, but take it or leave it when I say that some of us, the people building these solutions, have a bit of a clue about networking and how to build solutions around security best-practice.

I also game online with PC, Nintendo Switch and PlayStation 4/5, not one has given me issues, nor have I needed any custom firewall rules for the consoles.

My wife works from home on a government issues laptop, she's never complained of issues with video conferencing or her work VPN.

There may be some exceptions, sure, but it's less of an issue than people think.


You keep saying "whatever" software wouldn't work without UPnP, but you are failing to give us concrete examples.

You are responding to His blog, and He shared His reasoning. Go find your own examples on your network. Even better if you can’t find anything and have UPNP disabled.

> It's difficult to justify turning it off when

Isn't it more difficult to justify keeping it on when you can't trust devices not to, literally as the article shows, punch gaping holes in your network? 4 ports and if you didn't know to look...

At a bare minimum, if you MUST have uPnP, then those devices need to be on their own "unsafe" network with another network further in or next to it that has uPnP disabled.
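If you want to see what the router has actually been asked to open, rather than trust a device's settings page, you can ask the IGD service directly. The following is an added example (not code from the blog post, TerraMaster or any router vendor): it speaks the real WANIPConnection protocol, walking GetGenericPortMappingEntry index by index until the router answers UPnP error 713, and then filters the table down to one internal host such as a NAS. The control URL is an assumption you have to discover yourself (SSDP M-SEARCH, then the device description XML named in the LOCATION header); the two sample replies at the bottom are constructed so the parser can be exercised offline.

```python
"""Audit the port mappings a UPnP IGD router has handed out (added example).
The control URL is an assumption; it comes from the router's device
description XML, which the LOCATION header of its SSDP reply points at.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_NS = "urn:schemas-upnp-org:control-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
ARRAY_INDEX_INVALID = "713"  # SpecifiedArrayIndexInvalid: walked past the table end


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    lease_seconds: int


def build_soap_request(action: str, service_type: str, args: dict) -> bytes:
    """SOAP 1.1 envelope that an IGD control point POSTs to the control URL."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{arg_xml}</u:{action}>'
        "</s:Body></s:Envelope>"
    ).encode()


def parse_mapping_response(xml_bytes: bytes) -> Optional[PortMapping]:
    """Decode one GetGenericPortMappingEntry reply; None once the index is past the end."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("not a SOAP envelope")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CONTROL_NS}}}errorCode", default="?").strip()
        if code == ARRAY_INDEX_INVALID:
            return None
        raise ValueError(f"UPnP error {code}")
    # Match on local name so WANIPConnection:2 and WANPPPConnection replies parse too.
    resp = next((el for el in body if el.tag.endswith("GetGenericPortMappingEntryResponse")), None)
    if resp is None:
        raise ValueError("unexpected SOAP body")

    def field(name: str) -> str:
        return (resp.findtext(name) or "").strip()

    return PortMapping(int(field("NewExternalPort")), field("NewProtocol").upper(),
                       field("NewInternalClient"), int(field("NewInternalPort")),
                       field("NewPortMappingDescription"), int(field("NewLeaseDuration") or 0))


def enumerate_mappings(control_url: str, service_type: str = WANIP) -> Iterator[PortMapping]:
    """Walk the router's mapping table from index 0 until it returns error 713."""
    index = 0
    while True:
        req = urllib.request.Request(
            control_url, method="POST",
            data=build_soap_request("GetGenericPortMappingEntry", service_type,
                                    {"NewPortMappingIndex": index}),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                raw = r.read()
        except urllib.error.HTTPError as e:
            raw = e.read()  # IGDs return SOAP faults with an HTTP 500 status
        mapping = parse_mapping_response(raw)
        if mapping is None:
            return
        yield mapping
        index += 1


def mappings_for_host(mappings: Iterable[PortMapping], host: str) -> List[PortMapping]:
    """What an audit flags: every hole the router has punched toward one device."""
    return [m for m in mappings if m.internal_client == host]


# Constructed sample replies for offline use; not captured from any real device.
SAMPLE_MAPPING_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8181</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>8181</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>nas-admin</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>""".encode()

SAMPLE_FAULT_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>
<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="{CONTROL_NS}">
<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>
</UPnPError></detail></s:Fault></s:Body></s:Envelope>""".encode()
```

Run `list(enumerate_mappings("http://<router>/<control-path>"))` against your own gateway and compare the result with what the devices claim; a mapping whose NewInternalClient is the NAS while its UI says "not exposed" is exactly the situation in the article. The same build_soap_request() with action "DeletePortMapping" and NewRemoteHost, NewExternalPort and NewProtocol as arguments removes an entry, but disabling UPnP on the router is the durable fix.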


It was clear you didn't want to disable UPnP support on the entire network, but I couldn't tell whether you'd tried disabling it on the NAS.

Does the following disable the FS2-210's local UPnP?

Go to TOS Desktop> Control Panel> Network Services> Discovery Service> UPnP Discovery > Uncheck "Enable UPnP discovery service"

https://help.terra-master.com/TOS/view/?lang/en-us/flag/disc...

I assume this won't break anything you don't want broken (ie- automatic port forwards), but I'm with you that the option is needlessly ambiguous.


This option was and is disabled - I should have mentioned this in the blog post



Actually, I also found grandparent's (bunnyfoofoo) tone offensive. It's borderline derogatory, since it disregards the situation of the original author on many levels, plus everyone fixates on the wrong point.

UPnP has its security implications, but it doesn't mean that random appliances can just open ports through it without any settings whatsoever.

Everybody has the freedom to have opinions and free to express them, however we shouldn't disregard other person's situation while expressing our opinion. Talking about theoretical best practices is always easy in a vacuum.

Addendum: I want to congratulate bunny for trying to learn from his/her mistakes, for being honest and sincere. I wanted to leave it here since there's no other way to contact. I also made a lot of mistakes and HN taught me how to discuss this stuff, so you're at the right place.


I'm wondering what definition of the word "offensive" you're using.

To be very exact, being offended is a choice, in that nobody can offend you if you don't let them. You can always choose to not take offense. (The statement in question does seem rude and dismissive to me, however.)

I believe the eminent feminist and humanitarian, Eleanor Roosevelt, would have agreed with the fairness of your assessment.

https://quoteinvestigator.com/2012/04/30/no-one-inferior/


Offensive as Rude.

Then @kn100 assigns to @bunnyfoofoo the offending behaviour.

It's the personal responsibility thing.

"I'm offended" vs "You're offensive".


I think it's pretty clear that the author believes he may have offended people with his statement, and is rephrasing in a more precise manner to avoid confusion.

Is there a reason why the software claims it’s not available over the internet but still is because of something it did?

Because that’s a bug.


You mean ignoring the fact that a NAS which claims to not be available over the internet is available over the internet?

The correct solution is the NAS manufacturer needs to correct the issue and provide a software update.

This article shouldn't be ignored at all. Your supposed "correct solution" does nothing to fix the root issue.


Man, I have to catch myself all the time with this.

UPnP is also sometimes used to refer to some forms of zeroconf/mDNS/Bonjour/DLNA.

Maybe he is under the impression if he turns off UPnP on his router (the automatic port forwarding feature), that his LAN device discovery features will break?


UPNP is pretty important for a lot of online games.

Which ones? I have it turned off and haven't had any issues with games.

Games that use Peer-to-peer lobbies instead of dedicated servers, more popular with multiplayer co-op games.

Typically, it can be possible to join another lobby, but impossible to host (insofar as other people can't connect to it)


Lets not forget about consoles too. Xbox Live and PSN complain about obstructive NAT configurations and rely upon uPnP to open ports.

Of course they can be opened manually but that assumes some technical experience, and that the ISP provided hardware gives you access to its configuration.


This is also a problem with games using the client/server model where one of the players is the server.

Ubisoft games come to mind. Without UPnP or specific ports forwarded you’ll have limited NAT support which many games will tell you.

Yeah, you can’t really “manage your firewall” when consumer software doesn’t open fixed ports and assumes upnp.

Why not? Which consumer software breaks?

Normally people say games. I have disabled upnp on my firewall and there're two gaming PCs, a PS3, a PS4 and a PS5 running happily behind it. I just finished a Demon's Souls session with voice chat with friends with no problems. NAT type 2, because I managed my firewall to enable this.


Have you tried a client/server style game not relying on Steam multiplayer?

It makes no difference since as I wrote I manage the firewall to allow this. But yes, since none of the games on consoles use Steam. If NAT wasn't set up I would get NAT type 3 on the PlayStations for example.

ETA: My point was to get an example of something that breaks "because it doesn't work without upnp". I have yet to see a game that doesn't support a fixed set of ports.


So I don't know about routers or networks. I live in an apartment. Which router (+ an extra point / 2 hub mesh) is recommended these days? There seems to be a plethora of options, but most always end with Ubiquiti, which today feels like a bad choice. Also kind of expensive. Preferably something completely local. No cloud service. Preferably open source.

I live in EU.

(Sorry if it's bad form to ask for product recommendations, but I am unhappy with/ don't trust, my isp provided router, and gp explicitly mentions buying a router)


I've replied to a couple of others, normally I would have recommended Ubiquiti, but I no longer do. Not just because of their recent breach debacle, but because their software quality has declined since some of their best developers left.

The short but not so useful answer is, run something with pfSense or similar, I hear PCEngines hardware works well and is open source from the bootloader up.

Ubiquiti has hardware offloading using Cavium hardware, so you need to get some throughput tests if you need high bandwidth on hardware without the offloading hardware.


Although netgate’s recent debacle calls into question the code quality of pfsense as well:

https://lists.zx2c4.com/pipermail/wireguard/2021-March/00649...


I can recommend PC Engines (though a bit pricey, and kind of a hobby project to set up), and also Ubiquiti (ignoring the recent debacle).

Both are generally maintenance free once they’re set up.


Considering linksys WRT3200ACM. Heard pfsense is not good with wireless.

I switched to pfsense* from a WRT. Awful router! It uses a cloud service to log in and nine times out of ten the awfulness that is their app cannot "locate a Linksys router on the network" even from a phone using the router's WiFi. I even tried flashing OpenWRT which was much better but the hardware still sucked and had to be restarted often. Cannot recommend (sadly I did recommend it to a friend before I knew how awful it is and he has the exact same problems even though he owns a different WRT model (1900 I think)).

* I'd recommend OPNsense over pfsense. If nothing else then because they break licenses (pfsense is NOT open source as they claim. You cannot build from the sources they provide).


pfSense isn't a replacement for Ubiquiti if you want a single pane for firewall, switches and APs. I don't know of any reasonable one, sadly.

I'm pretty sure the WRT-54G I had in 2005 was better at penetrating walls than anything Ubiquiti has ever built. After dealing with the one my mother was issued for her remote work I'm convinced that anyone not trying to remote-admin a hundred-router campus installation would be a fool to buy one.

Nothing is where you expect it to be. Getting to the control panel requires multiple login screens. Changing a port forwarding rule for devices that are and are not currently connected not only isn't on the same screen, it's not even in the same section of the control panel.

I had no end of problems getting it up and running for her, despite having paid tech support on the phone. Everything connected via ethernet would benchmark at exactly 1/2 the normal download speed of her old router, and anything on wifi benchmarked at 1/6. For the first three days her IP phone just rang continuously with nobody there, and neither I nor the tech support guy have any idea why it started working correctly.


Can you get rid of your ISP provided router? There are lots of obstacles there.

I don't know to be honest?

Mikrotik

The ux is... not good and I wouldn’t recommend it for anyone not experienced

Yeah, I bought Mikrotik for home and I have no idea what to do there. I tried to do hairpin NAT with it and after 3 tutorials I somehow managed to get it working and now I have no clue how it works or what it's really doing.

I think it's only for real networking pros.


The issue is letting untrusted or badly behaved devices on the network. UPnP works great, if you control which devices get on your network.

Static port forwarding combined with DHCP gets annoying quickly, you end up having to set up static assignments for every device that may need a port forwarded, which can be a lot, with modern multiplayer gaming and p2p.

And for applications that select a random port on startup, such as some bittorrent clients, you either have to manually forward the port every time or select a static port.

UPnP serves a purpose and is extremely convenient, as long as you trust the devices on your network.


> And for applications that select a random port on startup, such as some bittorrent clients, you either have to manually forward the port every time or select a static port.

What if you run them over a VPN? I don’t use torrents much but have a client containerised with OpenVPN. I’m not a networking expert but I had assumed (with all the dangers that comes with) that this moved the problem to the VPN provider?


It will work as long as you are the one initiating the connection. If some peer suspects you have a wanted piece available, i.e. from another peer in the swarm, it cannot communicate the intent to get that piece from you to your client directly. I think BitTorrent can relay messages through intermediate peers to make your client establish the connection to that other peer (reversing the initiator). Otherwise peers will exchange other peers that are visible to them so that your client might eventually learn how the other peer that wanted that piece is reachable and connect to it. So it actually will work without port forwarding, but reaching your client will be harder and thus fewer peers inside the swarm will be available to you or them, likely making it slower.

So, keeping track of which device on your network belongs to which MAC address, and reserving an address for each, is that what you mean by ‘annoying’ - the administration of that?

That's the easy part. Plenty of applications (such as bittorrent clients) use randomized ports. So you have to either disable that, manually add the port forward every time you start the client, or let UPnP handle it, because you don't let any untrusted devices or apps onto your network.

And multiple devices on the network may need the same port forwarded at different times, such as multiple games consoles.


Opening ports for a specific machine with dynamic IPv6 addresses can be difficult though.

If the suffix stays stable then with iptables you can use netmasks where you mask out the prefix rather than the suffix.

If both prefix and suffix are dynamic you need a solution that takes dhcp or host names into account. Not all router firmwares support something like that.

Another alternative is to use UPnP or PCP with authentication.


Suffix should always be static with SLAAC because it's your MAC address. Even if you're using privacy extensions (and you should) you should still be able to listen on the MAC address one.

If you’re using DHCPv6 then the DHCP server should take care of DNS as it would for v4.


> Suffix should always be static with SLAAC because it’s your MAC address.

Except for devices that randomize mac addresses. Normally even those that do that only try to do so when connecting to a new network but that's not always reliable.

> Even if you’re using privacy extensions (and you should) you should still be able listen on the MAC address one.

I'm doubtful that all applications make that distinction and advertise the right address. If they just use some external "what is my IP" service to determine their address because that's what they did for IPv4 then they'll get the privacy address and advertise that to peers because that'll be picked by default for outgoing connections.

Being able to allow incoming connections to a port for any address belonging to a particular machine would be less error-prone.
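The two firewall ideas in this subthread, matching on the interface identifier with the prefix masked out and relying on the SLAAC suffix being derived from the MAC, can be checked with a few lines of code. This is an added example, not from the thread or any router firmware: it derives the modified EUI-64 interface ID from a (made-up) MAC, shows that the same suffix test matches the host after a prefix change but not an RFC 4941 privacy address, and emits the nft expression I would use for such a rule in the forward chain. The prefixes, MAC and port are assumptions; validate the generated rule with `nft -c` on your own box before loading it.

```python
"""SLAAC interface identifiers and a suffix-only firewall match (added example)."""
import ipaddress

SUFFIX_MASK = int(ipaddress.IPv6Address("::ffff:ffff:ffff:ffff"))  # low 64 bits only


def eui64_interface_id(mac: str) -> int:
    """RFC 4291 modified EUI-64: split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit is inverted in the IPv6 interface ID
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable address a SLAAC host forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def matches_suffix(addr: str, interface_id: int) -> bool:
    """Prefix-agnostic match: the same test the firewall makes with the suffix mask."""
    return int(ipaddress.IPv6Address(addr)) & SUFFIX_MASK == interface_id


def nft_accept_rule(interface_id: int, port: int, proto: str = "tcp") -> str:
    """nft rule allowing new inbound flows to one host whatever prefix the ISP delegates."""
    suffix = ipaddress.IPv6Address(interface_id)  # renders as ::xxxx:xxxx:xxxx:xxxx
    return (f"ip6 daddr & ::ffff:ffff:ffff:ffff == {suffix} "
            f"{proto} dport {port} ct state new accept")


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # made-up MAC
    iid = eui64_interface_id(mac)
    before = slaac_address("2001:db8:1:2::/64", mac)  # documentation prefixes
    after = slaac_address("2001:db8:ffff:9::/64", mac)
    privacy = "2001:db8:1:2:8c1d:5a7e:91f0:2b3c"    # constructed RFC 4941 style address
    print(before, matches_suffix(str(before), iid))
    print(after, matches_suffix(str(after), iid))
    print(privacy, matches_suffix(privacy, iid))
    print(nft_accept_rule(iid, 51413))
```

The caveat the comment above raises still stands: the rule only helps if the application advertises the EUI-64 address rather than the temporary one, so pin the listening address in the application (or disable temporary addresses on that one host) if you go this way.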


These issues will keep happening, in completely unrelated domains, as long there are not fines for violating security best practices.

AFAIK the goal is to get rid of MAC addresses entirely - so how is this going to work?

I don’t think that is the goal, no.

There was always a tension between the Internet and Ethernet guys; the Internet guys have won, so Ethernet-specific concepts like MAC addresses are on their way out?

Not at all - MAC is layer 2, IP is layer 3.

Yes, and the two layers are represented by different political groups, each of which is trying to dominate.

Do you have a router you recommend? Ideally something running free software

OPN/pfSense have been mentioned.

Don't waste time with WiFi on the gateway itself as most WiFI chips you can buy are crippled in firmware for regulatory reasons. Just use a dedicated commercial AP hooked up directly or VLANed.

Once you get comfortable with something like pfSense I highly recommend switching to regular Free/OpenBSD, or Linux depending on what you're comfortable with. I find it much easier to manage a gateway with the entire configuration in version control than a GUI. There aren't that many services that a gateway needs to run.

If you feel like you'll miss pf on the *BSDs check out nftables on Linux. It's not as well documented but it's much less painful than iptables.

To loop this into the UPnP discussion: when you build your own gateway from scratch you have to add a UPnP daemon and configure it yourself, instead of forgetting to disable it and exposing poorly configured IOT stuff.


I like Mikrotik for routers. They're cheap and have a lot of knobs in the SW (maybe too many if you just want NAT). They do run linux, but their SW isn't open. I've been pairing my Mikrotik hEX with a Unifi AP. Not sure what I'll do going forward, as I've heard Mikrotik's APs aren't as good as their routing and switching hardware.

If I was going the "dedicated machine" route, I'd probably go with OPNsense nowadays.


The PC Engines hardware line is popular here. The firmware is coreboot and you can run OPNsense on it for an entirely free software solution. It's quite solid, have had no issues at all. See e.g. https://www.pcengines.ch/apu4d4.htm

Not aff'd, just a customer.


Hardware wise, I run Ubiquiti EdgeMAX but I wouldn't recommend them anymore, their software has gone down hill since many of their best developers left.

Software wise, pfSense is where it's at, but I don't have experience with their own hardware other than the ones we ran at work all failed due to a silicon flaw in the Intel SoCs they ran.


> Ubiquiti EdgeMAX but I wouldn't recommend them anymore

Sadly there aren't exactly a lot of alternatives in the hobbyist network setup area ... It's basically just Ubiquiti and Mikrotik at this point as far as I know


I've heard good things about Turris hardware too, but no personal experience. https://www.turris.com/en/omnia/overview/

> Software wise, pfSense is where it's at

Recent events suggest that the people behind pfSense are not especially responsible stewards; see https://arstechnica.com/gadgets/2021/03/buffer-overruns-lice... and https://opnsense.org/opnsense-com/ .



Look at the range of devices from GL.inet. They run a custom version of openwrt with a nice UI on top. But most are upstreamed and you can flash vanilla openwrt on them. They're quite cheap as well. I'm not affiliated with them but I have bought devices from them. I use one between the ISP's router and my home network.

This is a safe bet if you don't need advanced hardware features, I have several gl.inet devices, you can build your own OpenWRT for and turn off the phone home functionality.

The 2 hub valica mesh model is a contender :)

OPNsense or pfSense

I have used both OPNsense and pfSense. I currently use OpenWRT, which I find to be full featured, secure, and lightweight.

Honest question - what would I use UPnP for?

I discovered a similar issue as the blog poster with my QNAP NAS which was easily remedied by disabling UPnP.

I’ve not noticed any issues. We can do all the same things we did before. My Xbox and Switch still do online multiplayer just fine.

I remember hearing Xbox/PS3-4 and UPnP mentioned together but it’s been a while.


UPnP allows devices to open up firewall ports for themselves to allow traffic to reach them inbound. Games (for example) that host a server on the user's local machine may require an open port to allow access inbound, so UPnP can help with this.

Nowadays it's not used much and quite frankly it was always a fairly bad idea.


Nowadays you should use IPv6 anyway, which doesn't need NAT.

There are ISPs out there which disallow the use of gateways other than theirs to enter their WAN. That means you are stuck with whatever config it allows.

I have root access to mine, so I can configure it to my liking, but the device is _not_ blinking out in quality, needing to be reset at least once every 14 days, otherwise it starts choking when I need to transmit my radio stations over the NET

These types of ISPs make a lot of cash, selling bulk-purchased cheap hardware, esp. mine, which still sells services over copper using VDSL & ADSL2. Their FTTH speeds are also inconveniently capped at VDSL speeds


Can you not just put something behind their gateway?

Agreed.

My router firewall drops all packets from my NAS to my WAN. Doesn’t matter what software it runs.


On the other hand, if you want to play games on your network you absolutely must have UPNP. Unless the game has a dedicated server infrastructure. But even then you risk higher latency on VOIP if it even works at all.

This is completely false. Almost all home networks use port-restricted NAT, which allows for STUN for NAT traversal. You do not need UPnP to play games, even those that have peer to peer multiplayer.

Also STUN for VOIP does not increase latency. It tells you your external IP and port.

Edit: Port symmetric —> port restricted


I get the feeling you've never run n>1 Xbox Ones connecting to Xbox Live at the same time. Without UPnP only one will be able to connect.

I have and I manually manage my firewall. I have never seen a game that only uses/allows one port so IMO it would only become a problem with something like 10+ consoles playing the same game at the same time and all of them being a host. If even then.

So is this issue mostly with consoles? I've always kept UPnP off and we do lots of gaming here without a problem, but pretty much all PC gaming.

PC also has problems. Truth be told it’s all about the kinds of games you play.

You can port forward of course, but you have to know which ports and obviously it only goes to one static IP


I can't say for sure, but I have never ever seen a PC game using UPnP. That said, I have only ever seen it once with a console, a PS3 in this case.

And, don't quote me on this, but most PC games are not Peer-To-Peer. They often come with their own server software.


Yeah, which pretty much requires you to do manual port forwarding. And if you're behind a CGNAT, you can't host.

Do you mean TURN? STUN does not work over Symmetric NAT as the source port is unpredictable.

I'm gaming on my Xbox right now with specific ports forwarded. I guess "absolutely must" is a bit much, huh? UPNP has no place in a secure network.

This is not a reasonable solution for most people, it requires intimate knowledge of the games you play (which ports they use), a static IP for your console and no more than one player/console per household.

Heaven forbid you have a PC game and a Xbox game that have conflicting ports.

And, I just have to say: you open arbitrary ports to your game console from the internet and talk about security.


Well, NAT itself has pretty much no place on a network these days, so the point is kind of moot...

n>1, not n=1.

If you want to host servers on your network then you need firewall rules, but if you are just a client then the firewalls implicitly allow the responses to client traffic through.

Only if it’s dedicated server infrastructure (as mentioned) games like call of duty will not work.

Indeed, UPNP effectively turns on "auto-pilot". The fridge running on 10 years old firmware might open ports dynamically.

Networks featuring UPNP should be marked as "open/insecure".


If your fridge has a MAC address, you have much much deeper problems than UPnP.

I also found this weird, and this got me to check if it was enabled on my business firewall devices: turns out they don't even support UPnP. Is it just consumer routers that support it nowadays? Shouldn't that feature just be nuked?

EDIT: Well it sounds like a feature for pro users that know what they are doing and control all devices on the network. Even then, security appliances (eg. from SonicWall) don't support it. I don't know, this is probably a niche feature for a few occasions.


Far from only a feature for pro users. Notably, it is a must for VoIP (without going through a relay) and BitTorrent when you don't want to manually configure a firewall. (allows to create holes in a controlled way for a NATted network)

Without UPnP, you specifically have to configure your NAT for this...


>Without UPnP, you specifically have to configure your NAT for this...

While I realize that configuring nftables/iptables is beyond most folks, there are many firewalls out there that have a GUI/webui which makes this dead simple.

Not sure why this should be an issue in 2021, except for users' trained-in helplessness.


> Not sure why this should be an issue in 2021, except for users' trained-in helplessness.

Kids hosting games on random ports (terraria, etc.) benefit from UPnP. I'd rather enable it than manually enter firewall rules for each game or give them admin access to the firewall.

UPnP is only an additional risk if you have malware inside your network already and then it mostly allows malware to host services in a simpler way, but capable malware will be able to use TCP hole punching to establish arbitrary connections between infected networks.


>UPnP is only an additional risk if you have malware inside your network already

I'm not sure where you get that idea. Once a hole is poked (depending on the perimeter device/software in use), it stays poked and you've expanded your attack surface.

I make sure that there's no dynamically defined external access to my network. Can you guarantee that no software in use on your network is free of vulnerabilities? I'm not talking about malware here, just your run-of-the-mill software bugs.

If you think the answer is no, then why don't you share your network details with us and let's have a go? Then we'll see how much of an extra risk upnp might be.

What's that? You'd prefer not to do so? If there's no risk, then it shouldn't be a problem, right?

My suggestion is (obviously, I hope) an idle one and more intended as food for thought.

>Kids hosting games on random ports (terraria, etc.) benefit from UPnP. I'd rather enable it than manually enter firewall rules for each game or give them admin access to the firewall.

That may be a valid use case for you. However, claiming that it doesn't increase your attack surface/risk profile doesn't magically make it so.

I'm not telling you what you should or shouldn't do, but I do disagree with your rationalizations about why allowing upnp to expose your perimeter doesn't increase your risk profile.


> If you think the answer is no, then why don't you share your network details with us and let's have a go? Then we'll see how much of an extra risk upnp might be.

The cheap and fast attacks are DDoS and they're trivial to aim at a cable modem. Avoiding becoming a target is at least 50% of security posture. There were already 4286 ssh login attempts today so I don't really need more attempts than the automated botnet scans provide.

It's a risk/convenience tradeoff. I could probably package up a vpn.exe and force the kids' friends to run it before playing games, or force them to host games remotely. It's just not worth it.

I'm also reasonably sure that there are plenty of 0-days in all networks, given their relatively frequent discovery. So, again, don't be more of a target than necessary, and keep offline backups current and tested.


Ugh, users trained in helplessness. I just had an utterly annoying conversation with my cell phone provider whose reps have been trained in helplessness and thus fail to follow really simple security procedures.

This phrase is a thing of nightmares now. Stay tuned for a really scary Haunted House full of users trained in helplessness...coming Halloween 2021.


Since this is 2021, you should use IPv6, which doesn't need NAT.

Alas, many ISP's don't offer it yet. Give it a few decades more and we might get that.

At some point the governments should forbid them from calling themselves "I"SPs. This has already started with the 5G.

While there's always demand for more bandwidth, IPv6 isn't really something that people care about in the larger scheme of things. Many ISPs and carriers solved the IPv4 congestion issue with CGNAT and that'll keep things going until we run completely out of IPv4 addresses.

Once that happens, there will be government action. Not before.


We'll never completely run out of IPv4 addresses.

Meanwhile the top agencies distributing IPv4 blocks ran out of them a decade ago. Recently it was time for a lower-level agency to run out - for Europe.

There's a lot of things that people don't care about until it's too late. Governments are supposed to be able to plan decades in advance. And they do, for things like digital TV. (And I already gave an example of governments acting to push IPv6.)

CGNAT is causing issues in that some protocols simply don't work properly through them. IPv6 also allows for simpler networking, since you don't have to add the extra abstraction layer that is NAT.


Politicians in Europe expect the market to take care of it. Businesses won't hurt their profit margins unless they have to (because IPv6 does mean additional costs).

We need something that increases consumer demand for IPv6 if we want this to be dealt with now.


> Notably, it is a must for VoIP

Wouldn't making STUN work be a better alternative?


Yes, it’s a feature supported by many VOIP clients, and this comments section is filled with UPnP apologists

As I said, "without going through a relay".

And TURN is one of those relays.

(I host a STUN and TURN relay myself, because I had to for my personal VoIP server for enough people to be able to connect on it. Downside is more use of bandwidth.)

edit: replaced STUN with TURN where appropriate, I did confuse both as they were provided as a single package.


What STUN relay software do you use, or is it a hardware device?

I use https://github.com/coturn/coturn, provided as the coturn package on Ubuntu 20.04.

STUN is not a relay.

STUN is not a relay, but TURN is, and STUN/TURN is a common combo for when STUN doesn't manage to holepunch reliably, falling back to the relay when the direct connection fails.

What's also true, and what I think the GP was trying to get at, is that STUN requires an external coordination server. UPnP (I think—I am far less familiar with it) does not, because in UPnP you're negotiating the holepunching with the local router directly, whereas STUN is sort of using a loophole.


With TURN, all the traffic to the clients is routed through the TURN server indeed. That makes hosting a discussions server more traffic-heavy than otherwise...

(and it turns out that the server software that I use implements TURN and STUN in the same daemon)


STUN is a workaround and doesn't support all types of NAT.
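Several comments above argue about what STUN does and does not give you (it reports your external ip:port, it does not relay, and it cannot help behind a NAT that allocates a fresh mapping per destination). The exchange is small enough to show in full. This is an added example, not from the thread or any VoIP product: it builds an RFC 5389 Binding Request as a client would send it, builds the Binding Success Response with XOR-MAPPED-ADDRESS as a server would answer (that builder is what the constructed offline check uses), decodes it, and then compares what two different servers saw from the same local socket to tell an endpoint-independent mapping (hole punching works) from an endpoint-dependent one (you need a relay such as TURN). Server names and addresses are placeholders; the 203.0.113.x values are documentation addresses.

```python
"""STUN Binding exchange (RFC 5389) plus a two-server NAT mapping check (added example)."""
import ipaddress
import os
import socket
import struct
from typing import Sequence, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
IPV4 = 0x01

Endpoint = Tuple[str, int]


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header with no attributes: type, length, cookie, 96-bit txid."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server side: the client's reflexive address, XORed with the cookie on the wire."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, IPV4, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, txid: bytes) -> Endpoint:
    """Client side: extract the external ip:port, preferring XOR-MAPPED-ADDRESS."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a reply to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    body, off, plain = data[20:20 + length], 0, None
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 32 bits
        if len(val) < 8 or val[1] != IPV4:
            continue
        port = struct.unpack("!H", val[2:4])[0]
        addr = struct.unpack("!I", val[4:8])[0]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            return str(ipaddress.IPv4Address(addr ^ MAGIC_COOKIE)), port ^ (MAGIC_COOKIE >> 16)
        if atype == ATTR_MAPPED_ADDRESS:
            plain = (str(ipaddress.IPv4Address(addr)), port)  # legacy, un-XORed form
    if plain is None:
        raise ValueError("no mapped address in response")
    return plain


def classify_mapping(seen_by_a: Endpoint, seen_by_b: Endpoint) -> str:
    """Same external ip:port toward two servers: endpoint-independent mapping, which
    STUN-based hole punching relies on. Different: the NAT maps per destination
    (often called symmetric), so STUN alone gives peers nothing they can reach."""
    return "endpoint-independent" if seen_by_a == seen_by_b else "endpoint-dependent"


def query(sock: socket.socket, server: str, port: int = 3478) -> Endpoint:
    """One live Binding transaction on an already-bound UDP socket."""
    txid = os.urandom(12)
    sock.sendto(build_binding_request(txid), (server, port))
    data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txid)


def probe(servers: Sequence[Tuple[str, int]]) -> str:
    """Send from a single local port to two servers and compare what each saw."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(2.0)
        seen = [query(sock, host, port) for host, port in servers[:2]]
    return classify_mapping(seen[0], seen[1])
```

Call probe() with two STUN servers you trust (placeholders, e.g. `[("stun.example.net", 3478), ("stun2.example.net", 3478)]`); an "endpoint-dependent" result is the case the comment above means by "doesn't support all types of NAT", and the fix is a TURN relay, not UPnP.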

https://kn100.me/turning-upnp-off/ I've written a follow up, which you may find interesting.

Or/also, nag your ISP to give you an IPv6 prefix (or switch to Comcast, because they delegate you a /62). If you still want to manage a stateful firewall then go for it. But we shouldn't still need this NAT traversal crap in an IPv6 world.

Yes, the real lesson here is, I learned not to trust random vendors and turned off upnp.

> If the author really cares, go one step further and replace the ISP owned router with something with more control.

I wanted to do that for a while now. Do you happen to have a good suggestion regarding whose products are worthwhile?


Up until a week ago I would have suggested the UniFi. Since the latest snafu, the handling of the breach not the breach itself, I’m not so sure anymore what would be the best alternative. Perhaps just their EdgeRouter devices or a mikrotik device.

The snafu: https://news.ycombinator.com/item?id=26638145


Also, the security report you're talking about came out like two days after a huge blow-up on this site because of a report they added advertising to a UI for one of their products. (The controller I think?)

It's muddy right now, I run Ubiquiti EdgeMAX switches and EdgeRouter at home, but I wouldn't recommend them right now (see another comment of mine, or check out the subreddit), for NAS I run TrueNAS, on a home built server.

For your NAS, do you have a mobo and case recommendation?

Not OP, but I built a NAS not that long ago. For the case I purchased the Fractal Design Node 304 (https://www.fractal-design.com/products/cases/node/node-304/...) and am very happy with it.

For the Mobo I suggest finding a decent board (AMD based one if you want ECC RAM) and then use a PCI-e controller card to support the hard drives you need. It is hard to find a nice MB with all the SATA ports you need, using an external card gives you a lot more options. When I researched it everyone recommended an "LSI Logic Controller Card LSI00301 SAS 9207-8i" (eg. https://www.amazon.com/LSI-Controller-LSI00301-9207-8i-Inter...) and it has performed very well for me. If you go that way you'll need a SAS to SATA cable, they are easy to find as well.


I would never use the pre-installed software on a device, always replace it with a bare-bones install of a generic Linux/BSD distro and add any packages really needed.

Doesn't TrueNAS (was FreeNAS) connect to iXsystem servers from the NAS and from the NAS web interface?

Building your own is probably the easiest of all the options presented.

That sounds like he didn't even try.

also dont buy Ubiquiti gear :)

Nothing wrong with uPnP. If you’re worried about something opening up ports on your network, you’re already compromised.

Like a buggy NAS. So yes, lots wrong with upnp. Letting anything with an IP forward ports is being auto compromised.

The article focuses on the security issues surrounding his new NAS, and that's fine. But the problem isn't security. It's Trust.

Consumers generally trust that manufacturers will follow Best Practices and that security is part of the deal: I pay you money, you give me a quality product that Just Works and is Secure.

False.

Products are made to be sold at a profit. You can imagine that some engineer at that company knows about this problem, put in a Jira bug for it and since it didn't affect overall functionality, and because the product needed to be released as soon as possible, they rejected the bug and sent it off.

By default, we should NOT trust that things are Good and Secure. If we are security conscious, then it's on us as consumers to figure out how to mitigate these problems. Or is it?

If I was this guy, I'd box that thing up and send it back and give the company feedback as to why, and then I'd show them this very blog post.

The manufacturer probably won't care. They know that until the average consumer cares about security and knows how to mitigate problems it won't matter. And we all know that the average consumer, even of technical products, has security habits.

Now if you'll excuse me, I need to go take care of some security stuff on my boxes, this really got me thinking about it!

  sudo passwd root
  greatnewpassword11
  greatnewpassword11

Yeah, until we see these companies get large fines for not following the best practices, and the engineers in charge lose their licenses, nothing will change.

That was supposed to say "has terrible security habits." But the time to edit has passed. sigh.

You should NOT have any terramaster NAS internet facing right now. I disclosed a bug last month to Terramaster that still hasn't been fixed.

Go to http://NAS_IP/module/api.php?wap/ and it will give your admin password out as an md5crypt hash. Why? I assume it's some sort of backdoor/dev code but I don't know.


Jesus, confirmed here. That is tragic.

Once more a sad story about so called plug and play devices doing weird stuff. I prefer getting my hands a bit dirty using:

  - FreeNAS / NAS4free / OpenMediaVault (for Home-NAS)
  - OpenWRT / OPNsense / PFSense (for Home-Firewall)

Nearly Plug and play with this Hardware:

  - Dell T20 / T30 / T40
  - HP Microserver N54L / Gen8 / Gen10
  - Linksys WRT 1200 / 1900 / 3200 / 32X (https://dc502wrt.org/)
  - Alix APU

Been running a T20 w/4x 4TB HDs with plain FreeBSD for a few years now and it works pretty well. I'm barely even competent when it comes to sysadmin sorts of things, but it was pretty easy to get set up following a blog post I found years ago.

The consistency of FreeBSD is a real benefit here — it's well documented to begin with, and since things change so little between releases, bits and pieces you find online are largely still relevant even if they're a little old.


First thing I did when I got my Buffalo Terastation was look up how to install plain Debian Linux on it and set it up myself. There is usually very little benefit to using the manufacturer's neutered, cobbled-together firmware.

Same thing with my Internet router. Flash it with non-manufacturer firmware so I can configure it properly.


+1 for FreeNAS.

Its use of ZFS and ability to easily manage multiple "jails" and vms is perfect for a reliable home automation platform!

The only major downside I've found thus far is that you cannot pass USB devices selectively to a jail/vm.


I really wish it could do USB passthrough. I need that for home automation to run in a VM under TrueNAS. The solution I've been running for a few years now is to have TrueNAS and Home Assistant running under VMWare ESX. Required getting an HBA that I could pass through to the VM instead of using the ports on the mobo but it works nicely.

Having Home Assistant as a guest under TrueNAS would be nicer though. Right now there's no data redundancy for Home Assistant.


I'm looking forward to TrueNAS SCALE[1], which is basically TrueNAS on top of Debian instead of FreeBSD.

Mainly because then my containers can run on the metal rather than being limited by Bhyve.

Currently in Alpha. I fired it up in a VM and it had some rough edges still but did manage to create a pool and fire up some containers.

Been running FreeNAS, now TrueNAS, for several years and been happy with that, but not being able to take full advantage of the hardware due to Bhyve has been a pain point.

[1]: https://www.truenas.com/truenas-scale/


I also had good experience with mini-PCs like Chuwi's. They are pretty cheap, have a good amount of ports and have the advantage of having newer CPUs with very little power consumption.

> Upon SSHing into the NAS and having a dig around the file system, I discovered a file that could be modified. /etc/upnp.json seems to contain a list of port forwarding rules. Thank you to Terramaster for providing root access to these at least. Simply change bEnable to 0 for whatever ports you don’t want exposed, reboot the NAS, and check the port forwarding rules.

And don't forget to do all this each time the NAS updates. And pray to whatever entity you wish that auto-updates don't get enabled.

Seriously, after a blunder like this, why not return the device and find a manufacturer you can trust?
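The quoted fix ends with "check the port forwarding rules", and the surest place to check is the router itself rather than the NAS's config file. The script below is an added example, not code from the article or from Terramaster: it speaks the standard UPnP Internet Gateway Device protocol (SSDP discovery, then the `GetGenericPortMappingEntry` action on the `WANIPConnection:1` service) to list every mapping the gateway currently holds, whichever LAN device requested it. It assumes an IGD v1 router; the SSDP reply, device description and SOAP response embedded in it are constructed samples (addresses and the `192.168.1.x` hosts included) so the parsers can be exercised offline.

```python
"""List the UPnP port mappings a home router currently holds (added example)."""
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS_UPNP = "{urn:schemas-upnp-org:device-1-0}"
SOAP_TEMPLATE = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    '<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d</NewPortMappingIndex>'
    "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>")

# Constructed samples (not captured from any real device) so the parsers run offline.
SAMPLE_SSDP = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: " + IGD_TARGET +
               "\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")
SAMPLE_DESC = ('<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
               "<deviceList><device><deviceList><device><serviceList><service>"
               "<serviceType>" + WANIP + "</serviceType><controlURL>/ctl/IPConn</controlURL>"
               "</service></serviceList></device></deviceList></device></deviceList></device></root>")
SAMPLE_MAPPING = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                  '<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="' + WANIP + '">'
                  "<NewRemoteHost></NewRemoteHost><NewExternalPort>5443</NewExternalPort>"
                  "<NewProtocol>TCP</NewProtocol><NewInternalPort>5443</NewInternalPort>"
                  "<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>"
                  "<NewPortMappingDescription>constructed sample</NewPortMappingDescription>"
                  "<NewLeaseDuration>0</NewLeaseDuration>"
                  "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


def parse_ssdp_response(text):
    """Turn an 'HTTP/1.1 200 OK' SSDP reply into a dict of lower-cased headers."""
    headers = {}
    for line in text.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def discover_igd(timeout=2.0):
    """Multicast an M-SEARCH and return the LOCATION URL of the first IGD that answers."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: %s\r\n\r\n' % IGD_TARGET)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.settimeout(timeout)
        s.sendto(msg.encode(), SSDP_ADDR)
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_ssdp_response(data.decode(errors="replace")).get("location")


def find_control_url(description_xml, base_url):
    """Return the absolute controlURL of the WANIPConnection service, or None."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(NS_UPNP + "service"):
        if svc.findtext(NS_UPNP + "serviceType") == WANIP:
            return urllib.parse.urljoin(base_url, svc.findtext(NS_UPNP + "controlURL"))
    return None


def parse_port_mapping_response(xml_text):
    """Extract the New* fields of one GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    fields = {el.tag[3:]: (el.text or "") for el in root.iter() if el.tag.startswith("New")}
    return {
        "external_port": int(fields["ExternalPort"]),
        "protocol": fields["Protocol"],
        "internal_client": fields["InternalClient"],
        "internal_port": int(fields["InternalPort"]),
        "enabled": fields.get("Enabled") == "1",
        "description": fields.get("PortMappingDescription", ""),
    }


def list_mappings(control_url, max_entries=256):
    """Walk the gateway's mapping table by index until it reports the index is invalid."""
    mappings = []
    for index in range(max_entries):
        req = urllib.request.Request(control_url, data=(SOAP_TEMPLATE % (WANIP, index)).encode(),
                                     headers={"Content-Type": 'text/xml; charset="utf-8"',
                                              "SOAPAction": '"%s#GetGenericPortMappingEntry"' % WANIP})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_port_mapping_response(resp.read()))
        except urllib.error.HTTPError:
            break  # HTTP 500 with UPnP error 713 means we have run past the last entry
    return mappings


if __name__ == "__main__":
    location = discover_igd()
    if not location:
        raise SystemExit("no UPnP gateway answered; UPnP may already be disabled on the router")
    with urllib.request.urlopen(location, timeout=5) as resp:
        control = find_control_url(resp.read(), location)
    if not control:
        raise SystemExit("gateway does not expose WANIPConnection")
    for m in list_mappings(control):
        print("%s %5d -> %s:%d  %s%s" % (m["protocol"], m["external_port"], m["internal_client"],
                                         m["internal_port"], m["description"],
                                         "" if m["enabled"] else " (disabled)"))
```

Run it from any host on the LAN after rebooting the NAS; every line it prints is a hole in the router that some device asked for, so any entry pointing at the NAS's address means the edit did not take (or an update restored the old rules). Routers that only implement `WANPPPConnection`, or that hide the IGD control endpoint, will print nothing here even when UPnP is on, so an empty list is only reassuring when the discovery step actually found the gateway.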


I'm confused. Some significant length was gone to in attempting to interrogate the device and modify it in such a way that it wouldn't try to open uPnP ports anymore. Further, a lot of devices try to leverage uPnP by default, and many of them are significantly more opaque than this NAS proved to be. However, the author doesn't want to just disable uPnP in their router and manage forwarding directly due to a perceived loss of convenience.

Surely, first discovering by happenstance that a device is doing this in the first place, then trying to figure out how to go through idiosyncratic & unsupported means to change the device's behavior, is significantly less convenient than updating a router/firewall config rules in supported standard predictable ways on occasion?


Given this:

> My router is an ISP provisioned one so the feature-set there is somewhat limited

My assumption was that their router doesn't support disabling uPnP for a single client, so it's 100% on or 100% off. If they play a significant number of p2p games or use p2p applications with non-predictable ports, it might well be more difficult to do manual port-forwarding when needed than to leave uPnP enabled (or even impossible, depending on what the router can do).


I'd argue that the right approach is to replace the ISP router with your own and disable uPnP, for your own security. Otherwise it's only a matter of time before you see this again. You cannot count on having only trusted devices on your network.


"CAN USER NAME AND PASSWORD OF TNAS ADMINISTRATOR BE CHANGED?

Administrator’s username is admin and the initial password is admin as well. "

https://www.terra-master.com/us/faq/category/detail/?id=3303

Oy.


“Users can change the password of administrator but cannot change the administrator’s username.

Is this article helpful? Yes / No”

At least you change the password...


Don't know if it's true for this model, but at least some Terramaster NASes are just x86 computers [EDIT: I see the model in the article is an ARM box, but also that it's already running a Terramaster specific Linux distro, so just nuking most of the Terramaster specific stuff might be easier than trying to find a way to do a clean reinstall].

For at least some of the x86 ones, you just need the right cable to connect to a suitable monitor, and it can boot from a USB drive. You don't need the VGA cable to replace the OS, but it helps a lot. You may have to dismantle the whole thing to get at the boot drive, but they're pretty easy to take apart.

First I did with mine was to install Open Media Vault.


I've never enabled uPnP, and get by just fine.

Are there actually good alternatives to consumer NAS that don't break the bank? I'd love to just throw a raspi4b at some HDDs - but no sata, and no ECC. And the hard drives need to be kept safe from their vibrations.

Some USB drives with a Pi is a decent solution, given that the most cost effective option for HDDs is usually shucking WD easystores anyway. USB HDDs usually have decent vibration damping and cooling also. USB might be less ideal than SATA, same with ECC, but you’re also saving a major amount of money, % wise.

Don't do that, you'll have no redundancy in case of disk errors, the performance will be abysmal (Pi4 possibly excluded) and USB drive spindown and SMART support is sketchy at best.

I bought a Fractal Node 304 case (room for 6 drives), put an ITX board in it, a PCIe SATA controller and set it up as btrfs RAID, with CIFS, NFS and FTP. Not a huge outlay and so much better than a hacked-together Pi solution.

It also functions as my DNS and DHCP (Pi-Hole in a Docker container) and since it has hardware video decoding, it works great as an always-on HTPC, which is practical for apartment living.


3 USB drives in a RAID setup isn’t any less redundant than 3 SATA drives in the same setup (mathematically anyway, excluding potential bus problems which don’t really seem to be much of an issue these days).

Personally I also have a Node 304 based NAS, but I’ve seen plenty of people with low cost Pi setups and no major issues. Plugging a few drives into a Pi is much easier if you don’t have experience with building computers, and is still a couple hundred dollars cheaper than something like that.

Also worth noting that it’s possible to connect PCIe devices to a Pi, although I believe you need a specific model.


Perhaps look at some of the Odroid Homecloud solutions? They have some limitations, but are cheap and easy to use.
