People make blanket statements like this without thinking of how it is used by popular consumer devices.
As others have said it's really necessary for some consumer devices to work properly - especially if you have more than one of the same device.
Games consoles are the best example.
If you have one console only, then you can usually forward ports manually, but if you have two or more of the same console, and want them to go online at the same time, then you need to use UPnP.
If you don't have UPnP enabled on one of the consoles, you'll see issues like being unable to join some games or being unable to do voice chat with certain players.
Not with you there bud - we have multiple game consoles and my firewall doesn't even support UPnP. I also have never set up any DNAT or 'punched holes' in it to make them work. They just do.
I have replied elsewhere about Xbox Live, but it's generally an impossibility (without advanced forwarding or UPnP) to have two consoles (of the same type - e.g. two Xbox One consoles or two Nintendo Switch consoles), connected to the internet, both able to access ALL online features, at the exact same time.
Out of the box on most consumer networks, you're going to be able to access things like the store, downloading updates etc.
To play with certain players on peer to peer games (which are less common these days) or have a voice chat with certain players, you will need to port forward (manually or with UPnP).
You either need to forward ports manually (which can obviously only be done to one console), or use UPnP. The Xbox One and later does have an option to manually ask it to use a different port on multiple consoles for some features (so that you can port forward separately to consoles), but I am unsure if that will solve all issues in such an environment.
It does depend on the game. A P2P game like Call of Duty will have problems when played simultaneously on more than one console because the external port can not be shared.
What happens though is that another external port gets forwarded to 3074 instead.
3074 -> 3074
3075 -> 3074
3076 -> 3074 etc.
It's likely uPnP does this automatically, as even uPnP won't be able to map multiple devices to the same external port, but it does make the process convenient.
That’s not how NAT works though. It uses random ports, and there are no collisions, unless you have thousands of Xboxes behind a NAT. Also, remember that CGNAT is a thing, with hundreds of households (with dozens of game consoles) all behind a single IP address. Essentially, the people talking about game consoles not working are wrong.
That is how NAT works for connections opened from private network to the Internet. If the console needs to listen to a port, the NAT must be configured to forward the listened port to correct device. Multiple devices behind NAT can not listen to the same port, and this is where the forwarding of different ports on public IP to same port on different private IPs comes in.
The source port would be random and communication would ride on that established connection. An exposed port is not necessary for client initiated communication.
Yes, you're talking about a device behind NAT which initiates a connection to an external service.
However, we're talking about a service listening behind NAT (in this case Call of Duty on an Xbox at home) that needs to be listening for connections initiated by other Xboxes to establish a P2P connection. This is what port forwarding enables and this is what uPnP automates.
Yes, CGNAT is causing a lot of issues not being able to host multiplayer games, as I've experienced myself (with PC games, though server-client ones, not peer to peer ones).
Anyway, these days, if you don't have an IPv6 /56, you don't have a real Internet connection.
That's not true, at least for xbox live. It's NAT punching will gladly use UPnP if available, but doesn't rely on it, even for multiple devices on the same public IP.
It'll be fine. They'll be on two pretty arbitrary public ports, but it works just fine if you have a vaguely sane nat implementation in your router. That's the whole point of nat punching. And even if you have an incredibly broken nat implementation that won't accept UDP packets from other sources than the server you originally connected to, there's a fallback pathway at the first layer of that port 3074 protocol that bridges p2p messages through live's backend.
As another example, last time I checked WebRTC didn't use UPnP, but has all the same issues as a fundamentally P2P UDP protocol. They use STUN/ICE/TURN, live uses custom protocols filling the same niches.
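The two NAT cases argued over in the replies above (outbound flows that never collide, versus a console that must listen on 3074, plus the hole-punching fallback) as one runnable toy model. This is an added example, not code from any router, console or from anyone in the thread; the addresses, the 3074 port, the relay and the "full cone" versus "symmetric" switch are constructed for illustration.

```python
"""Toy NAT table for the two cases debated above: outbound flows (distinct
external ports, no collisions) versus a LAN host that must *listen* (one
internal host per external port). Constructed example, not code from any
router or console; addresses, the 3074 port and the relay are made up."""


class Nat:
    def __init__(self, endpoint_independent=True):
        # True models a "full cone" NAT: once a LAN host has sent something,
        # any Internet peer may send to the mapped external port. That is what
        # NAT hole punching relies on. False models a symmetric NAT that only
        # admits packets from the remote endpoint the mapping was created for.
        self.endpoint_independent = endpoint_independent
        self._next_ext = 40000            # real NATs pick from an ephemeral range
        self.outbound = {}                # ext_port -> ((int_ip, int_port), remote)
        self.forwards = {}                # ext_port -> (int_ip, int_port)

    def send_out(self, int_ip, int_port, remote):
        """LAN host initiates traffic; the NAT allocates a unique external port."""
        for ext, (internal, rem) in self.outbound.items():
            if internal == (int_ip, int_port) and rem == remote:
                return ext                # existing mapping reused
        ext, self._next_ext = self._next_ext, self._next_ext + 1
        self.outbound[ext] = ((int_ip, int_port), remote)
        return ext

    def forward(self, ext_port, int_ip, int_port):
        """Static port forward or UPnP AddPortMapping."""
        if ext_port in self.forwards:
            raise ValueError(f"external port {ext_port} already forwarded "
                             f"to {self.forwards[ext_port]}")
        self.forwards[ext_port] = (int_ip, int_port)

    def deliver_in(self, ext_port, sender):
        """Packet arriving from the Internet. Returns the internal target or None."""
        if ext_port in self.forwards:
            return self.forwards[ext_port]
        entry = self.outbound.get(ext_port)
        if entry is None:
            return None                   # no mapping at all: dropped
        internal, remote = entry
        if self.endpoint_independent or sender == remote:
            return internal
        return None                       # symmetric NAT: unknown sender dropped


def demo(endpoint_independent=True):
    nat = Nat(endpoint_independent)
    consoles = ("192.168.1.10", "192.168.1.11")
    out = {}

    # 1. Both consoles want to *listen* on 3074. Only one can own external
    #    3074, so the second gets 3075 -> 3074 (the "another external port
    #    gets forwarded to 3074" arrangement described above).
    nat.forward(3074, consoles[0], 3074)
    try:
        nat.forward(3074, consoles[1], 3074)
        out["second_forward"] = "accepted"
    except ValueError:
        nat.forward(3075, consoles[1], 3074)
        out["second_forward"] = "remapped to 3075"
    out["inbound_3075"] = nat.deliver_in(3075, ("203.0.113.7", 3074))

    # 2. Both consoles open *outbound* flows from source port 3074 to the
    #    same relay: the NAT gives each its own external port, no collision.
    relay = ("198.51.100.1", 3074)
    ext_a = nat.send_out(consoles[0], 3074, relay)
    ext_b = nat.send_out(consoles[1], 3074, relay)
    out["outbound_distinct"] = ext_a != ext_b

    # 3. Hole punch: a peer that learned console A's external port via the
    #    relay sends straight to it. Works on a full-cone NAT, dropped on a
    #    symmetric one (then relaying through the backend is the only path).
    out["punch"] = nat.deliver_in(ext_a, ("203.0.113.9", 51000))
    return out


if __name__ == "__main__":
    print(demo(endpoint_independent=True))
    print(demo(endpoint_independent=False))
```

Running it with `endpoint_independent=False` is the "incredibly broken NAT" case from the reply above: the outbound mappings still work, the static forwards still work, but the direct peer-to-peer packet is dropped, which is exactly when a relay fallback has to carry the P2P traffic.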
I don't think anything has fundamentally changed in this area since the days of the Xbox 360. Back then it was a PITA to get two or more consoles working properly without UPnP, and I can't see anything about the problem that would be different now.
I hate Sony for that page.
I’ve helped multiple people with router issues who turned out to have forwarded all those ports from WAN to their PlayStation (or its previous IP).
Ofc it wasn’t the issue at hand, but horrible nonetheless.
The last I looked on PS4, they expected you to use a particular port. I don't think there was a dynamic portion, just forward port X to the PS4. I could absolutely be wrong though, it's been a while.
I find it amusing that many people are convinced that IPv6 is less safe, because there is no NAT, and at the same time use UPnP.
No, NAT isn't designed for security, the blocking of incoming traffic is just side effect, you should use a firewall for security.
IPv6 can be a privacy issue, sure, but it's no less secure, my firewall is still blocking all incoming IPv6 traffic.
The issues with IPv6, in my experience come from its relative complexity, compared to IPv4, and also from forgetting to manage it at all, as it often uses different tools, firewalls, e.g. ip6tables vs iptables, or the fact that Ubiquiti EdgeRouters don't expose ANY IPv6 firewall configuration in the GUI at all.
Ubiquiti's router offerings are rather poor, VPNs can't roll over to WAN2 automatically, redundant tunnels are hard to configure, IPv6 support is a mess, asking Ubiquiti for support gets you an unhelpful chat that redirects you to help articles you've already read.
Other players in this space have had these capabilities for over a decade, and you can call to get help. Ubiquiti might be inexpensive, but it's still more than double the price of Grandstream's SoHo/SMB router and access point offerings while offering equivalent support and features.
Really neither of these offerings are good outside the SoHo and single location business space. I wish for OpenWRT, OPNsense or WatchGuard's configurability wrapped in a single interface that lets you see the router, switches and access points performance live while letting you alter their settings, without seriously kneecapped router capabilities.
Why do people throw this out there as if it's a fact we all agree on?
I've heard of one potential privacy issue 20 years ago, which was that IPv6 autoconf used the MAC address for the host part of the address, but this has long since been replaced with regularly rotating random suffixes.
Because "most ISPs" are actually wrong, it's "most American ISPs". In the rest of the world, unless you've explicitly requested static IPs, your IPv4 (and IPv6) addresses are being rotated (usually either daily or weekly). There's a reason why dynamic DNS services are popular.
P.S. If your security paradigm relies on IP addresses being semi-stable, you need to overhaul it.
>In the rest of the world, unless you've explicitly requested static IPs, your IPv4 (and IPv6) addresses are being rotated (usually either daily or weekly).
I'm in the rest of the world and my non-static IP address almost never changes. I actually memorised my external IP address at one point since I saw it so often.
>In the rest of the world, unless you've explicitly requested static IPs, your IPv4 (and IPv6) addresses are being rotated (usually either daily or weekly).
Fair, but that's still IPv4 and IPv6 rotating at the same rate.
I monitor my Internet connection closely (since I serve stuff on it, and also because why not) and I saw my IP changing and wandering throughout the Ile-de-France. I would say that the changes are every 6 months or so (since one of my domains is with Gandi I had to write a checker and change the assignment through their API).
If you only use IPv4, then these days (with not only the Asiatic countries never having got IPv4, but Europe having run out of IPv4 addresses), technically you don't have a "real" Internet connection any more.
My bad, I should have said that "some" Asian countries never had enough IPv4 addresses to start with. AFAIK this explains why India is one of the world leaders in IPv6 deployment?
(I've also heard that IPv6-only networks are not uncommon in some Asiatic countries?)
IPv6 has been slowly rolled out for more than a decade now, though AFAIK the standard has only been finalized in 2017.
Since 2017, first choice should have been IPv6.
"Internet" stands for "International network". If you're using IPv4 only, when someone else uses IPv6 only, then obviously you won't be able to connect to each other. Therefore you aren't on the same network. And only one of them can be "really" called "Internet".
(Also, IPv4 was an experimental ARPANET protocol which wasn't supposed to be used "in production" worldwide, but here we are...)
No firewall or opt-in firewall (which only a tiny fraction of people turn on) is pretty common for IPv6. It's also somewhat an open question whether router firewalls are even a good idea on IPv6 (since the security advantages are not that certain, and it can prevent the adoption of new protocols).
Source? Every consumer router I've ever seen that supported IPv6 also had a firewall covering IPv6. Given the crapshoot routers tend to be, I wouldn't be surprised if some messed that up, but "pretty common" seems unlikely.
For context, Free recently boasted reaching 99% IPv6 coverage. On their (now) midrange Freebox Revolution router, the IPv6 firewall is (AFAIK still today) opt-in.
Well, OTOH, the fact that tens of millions of people have now been connected through firewall-free/disabled IPv6 for years, yet the (somewhat expected) disaster of widespread hacking/compromises clearly didn't happen... which could mean that this is not that critical of a security feature as could be expected?
Yep, the author depends on NAT as a security feature, when it was never designed to be one. UPnP is a convenience feature, and is disabled in all security focused networks. If you want convenience and security, set up two VLANs, one for your insecure UPnP devices, and one for your more sensitive devices.
> the author depends on NAT as a security feature, when it was never designed to be one
> UPnP is a convenience feature, and is disabled in all security focused networks.
uPnP punches holes in a NAT. If you shouldn't be trusting NAT to protect you anyway, why bother disabling a feature that's designed to punch holes in it? Just set up your firewall to protect your network, and it's not an issue.
(I suppose some routers might automatically add a firewall exception when doing uPnP hole punching, but if so that's an issue with those routers, not with the idea of relying on a firewall.)
UPNP doesn't "punch holes in NAT." It is dynamically configuring NAT to provide a specific translation. The same kind of dynamic translation happens the other way for any allowed outgoing traffic, and lots of old NAT traversal tricks made use of that before UPNP was a thing.
The hole was always there. People get this topic confused all the time because the majority of network devices doing NAT are also acting as firewalls of varying efficacy. There are basically no non-firewall routers anymore, they all have at least simple network address ACLs.
The purpose of upnp is touchless configuration. If you care about security, that is orthogonal to your goals, and so it must be restricted by some other policy enforcement.
Good point, I should have been more careful about the terminology. My point was that it's possible to have UPnP configure a port to be translated for a particular host on the LAN but still have a firewall on the router blocking access to that port.
Another reply to my comment suggests that at least some consumer routers open a firewall port up as well, meaning that UPnP is still a potential security hole on those routers. (This might actually be required by the IGD protocol spec for all I know, that would be unfortunate...)
NAT is not really security and UPnP doesn't really do much to prevent malicious software already on your network from doing malicious things except perhaps hosting itself on your WAN to spread further.
What disabling it does help is prevent improperly configured or flawed devices from accidentally exposing themselves to your WAN. IOT devices? Put them on a network with no UPnP. Workstations and video game consoles with up-to-date patches? UPnP is probably fine.
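What the replies above are getting at (UPnP IGD just configures a translation on request, nothing in the protocol authenticates who asks, and the only real control is policy the router itself imposes, for example per VLAN) is easiest to see with the actual request on the wire. The following is an added example, not firmware from any router or the NAS discussed in the article: it builds an IGD `AddPortMapping` SOAP body the way a LAN client would, parses it the way a router would, and then applies an example policy before anything is touched. The requester address, the `LAN_NET` / `IOT_NET` subnets and the policy thresholds are assumptions for illustration.

```python
"""Added example: a UPnP IGD AddPortMapping request on the wire, parsed on
the router side and run through an example policy before the NAT or
firewall is touched. Illustrative code, not any router's or NAS's firmware.
The SOAP body follows the IGD WANIPConnection:1 AddPortMapping action;
the requester address, subnets and policy thresholds are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Assumed subnets: trusted workstations/consoles may request mappings,
# the IoT VLAN may not (constructed for the example).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.2.0/24")


def build_add_port_mapping(ext_port, proto, int_port, client, desc, lease=0):
    """Client side: the body a LAN device sends. Note there is no credential
    anywhere in it; the router only sees the sender's IP."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{WANIP_NS}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{ext_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{desc}</NewPortMappingDescription>
      <NewLeaseDuration>{lease}</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(xml_text):
    """Router side: pull the action arguments out of the SOAP envelope."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not a WANIPConnection:1 AddPortMapping request")

    def field(tag):
        return (action.findtext(tag) or "").strip()

    return {
        "external_port": int(field("NewExternalPort")),
        "protocol": field("NewProtocol").upper(),
        "internal_port": int(field("NewInternalPort")),
        "internal_client": field("NewInternalClient"),
        "description": field("NewPortMappingDescription"),
        "lease": int(field("NewLeaseDuration") or 0),  # 0 = indefinite in IGD
    }


def policy_check(req, requester_ip, allowed_net, max_lease=3600):
    """IGD authenticates nothing, so this is the policy the router has to
    impose itself. Returns (ok, reason). Example rules: a host may only map
    to itself, only from a permitted subnet, no privileged external ports,
    and no indefinite leases (clients must renew, so stale holes expire)."""
    if req["protocol"] not in ("TCP", "UDP"):
        return False, "unknown protocol"
    if req["internal_client"] != requester_ip:
        return False, "mapping must target the requesting host"
    if ipaddress.ip_address(requester_ip) not in allowed_net:
        return False, f"{requester_ip} is not permitted to request mappings"
    if req["external_port"] < 1024:
        return False, "privileged external ports are reserved"
    if req["lease"] == 0 or req["lease"] > max_lease:
        return False, "indefinite or long leases rejected; renew instead"
    return True, "ok"


# Constructed sample: a NAS on the LAN asks for WAN TCP 8080 -> itself, forever.
SAMPLE_REQUEST = build_add_port_mapping(8080, "TCP", 8080, "192.168.1.50",
                                        "NAS web UI", lease=0)

if __name__ == "__main__":
    req = parse_add_port_mapping(SAMPLE_REQUEST)
    print(req)
    print(policy_check(req, "192.168.1.50", LAN_NET))
    print(policy_check(req, "192.168.2.20", IOT_NET))
```

The lease rule is the one worth copying: a device that asks for a permanent mapping and then gets repurposed or compromised leaves a hole nobody remembers, whereas a short lease means the mapping disappears unless the software is still alive and asking for it. The "must target the requesting host" rule stops one LAN device from forwarding ports to another; whether your router enforces either is something to test with a client, not assume.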
This is what I did a couple years ago. The documentation for OpenWRT is great, and Luci/LDE makes it approachable if you don’t feel comfortable managing from the CLI. I have one VLAN for my “privileged” devices and one for the “IO(shi)T” devices.
This sort of thinking is endemic in industrial networks; they finally internalized basic ipv4 concepts in the late 00s and never considered maybe the stateful tracking required for UPNP and other NAT tricks also might exist without it.
I've set up several private v6 networks to deal with renewable energy projects in which the integrator used the same ipv4 address blocks on every single one, and the whole 6to4 translation explanation landed like they had just seen a devil sorcerer graft a goat head onto a human.
There are many, many networking and originally UNIX tools tricks (e.g. SSH) you can show to the poor people supporting industrial networks/ hardware. I have written some of my tricks down in this OrgPage: https://www.orgpad.com/s/UHUor4 there are screenshots for Linux and Windows for some things related to SSHFS, SOCKS Proxy and more. Click units with shadows to open them. From time to time, I update it to reflect new tricks.
This knowledge saved at least 2 companies hundreds if not thousands of euros in on-site support, hardware and other expenses. Funnily, while these things are quite hacky, they tend to work better than most of the dedicated hardware I have seen in practice, while keeping you/ the technician/ engineer in control. With any kind of working infrastructure, you can estimate how good your solutions are because you don't get called at random times and from monitoring/ explicit contact you just see/ hear the things work fine.
I tried just now in two different Firefox (ESR and current) versions and it works. Perhaps you have to enable JavaScript, since OrgPad is a web application?
IMHO IPv6 is an ISP problem, I don't need every (any, really) of my devices accessible from outside my personal VPN, and IPV4 private space is more than sufficient for that.
IPv6 is overly complex, therefore insecure. Thanks to the US Patriot Act I don't even trust the VPN stuff tbh.
I'm being a bit pedantic about this since you're right that in practice, setting up stuff for IPv6 is in-fact complex since support for it is all over the place.
But I want to stress that IPv6 as a protocol is much simpler, more intuitive and much more versatile than IPv4. I'd even go so far as to say that it's actually fantastically suited for local networks, especially so in complicated setups with multiple subnets (in an alternate reality where everything supports it).
It's really, truly, a genuine shame that it never gained the momentum it could have.
Makes it obvious why it still hasn't gotten anywhere, _no one_ wants to dig through all that unless they really really have to.
Security depends on securing the routing and address allocation. So it is hardly surprising very few were/are willing to step up a declare IPv6 installations safe for service.
Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.
I'd go so far as saying the vast majority of people do not even realise their machines can be accessed from the outside world when they only have one public address behind their "firewalled super safe ISP router", and would be terrified to find out they can.
> Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.
The mass market appeal for IPv6 is the fact that we do not have enough IPv4 to actually give one internet connection a unique IP. CGNAT is getting ever more present in the marketplace as a result of this.
Major providers are rolling out IPv6. eg in the USA, several major cable/fibre providers provide v6, several mobile networks provide IPv6 using things like 464xlat. It's the same in the UK - BT for example provide IPv6 on consumer internet connections, EE (a major phone carrier) provide v6 and use 464xlat to provide v4 connectivity to handsets.
Usually, inbound IPv6 is firewalled by the ISP router just fine. As far as I know, there is UPnP with IPv6 though there seems to be some work into that direction. Also, current CGNAT setups tend to close connections before they should according to RFCs: https://anderstrier.dk/2021/01/11/my-isp-is-killing-my-idle-...
All the IPv6 routing security has to be done with IPv4 as well. ARP -> NDP, prevent source address spoofing, DHCP guard/ RA guard are basically two sides of the same coin. Serious networking hardware has supported this for years or there are firmware updates supporting it. For about the last 5 years, supporting IPv6 became much easier, almost as easy as supporting IPv4 for most of the real world use cases. Anyway, the reality is, we don't really have much choice other than to migrate to IPv6 sooner or later.
@yesco is right that practice is all over the place for IPv6 if it works at all. But in general, IPv6 as a protocol is just fine, at least equally secure as IPv4 and not more complex than IPv4 in many practical cases. I would even go so far to say it is way easier to do a clean address plan with IPv6. Usually, IPv6 inbound access is blocked by default on the ISP routers firewall.
In practical networks, IPv4 tends to be set up in some way and usually seems to work correctly - until you discover all the atrocious hacks people have committed over the ~ 25 years of practical, widespread use. Quite often multiple levels of NAT without much reason for it, UPnP where it shouldn't be, payment for even single IP addresses (great, we are paying for numbers other people got basically for free) and more - IPv4 addresses are often handled like pets. Compared to IPv6, it is much harder to do a simple split into security groups based on prefix with IPv4. (In IPv6, you can usually just give every broadcast domain a /64 and will not do a huge mistake - they are a single security group. Sometimes, you might want to hand out a /64 or even shorter prefix to every client though.)
There are some great resources for modern and practical IPv6 too: https://knihy.nic.cz/#IPv6-2019 (4th edition in Czech by Pavel Satrapa, but can be translated using Google Translate and is more or less ok as a translation: https://docs.google.com/document/d/10CRjSRBLcdqtGjJgaW5Sct5h...) there are older books in English that are also mostly relevant still. The free IPv6 course by RIPE NCC is also a good way to get up to speed and avoid (spreading) FUD.
“Overly complex, therefore insecure”
Has to be the most incorrect understanding I’ve ever seen in computing...
And I’ve seen people talking to their mice...
OP is not talking about disabled by default, he’s talking about disabled permanently, i.e. you literally cannot turn uPnP on because the ISP disables the functionality. I know that AT&T does this with their BGW210-700. Security is good, but locking people out of basic features is not.
This is exactly my opinion and exactly how I use uPnP. I can't control exactly what runs on my network since I'm not the only one using it, but I can guard certain parts of my network more thoroughly.
To rephrase this somewhat less offensively (I am the author) "I realised a potential solution but decided the drawbacks of disabling uPnP were larger than the potential risk keeping uPnP enabled poses". My household makes use of many different services that would need to be port forwarded one by one in order to keep everything working, and some games just punch whatever port they like using uPnP so it's hard to keep playing those with it disabled. Sysadminning at home is only fun for a short while, I do this stuff at work, I'd rather keep my home setup as simple as I can help it.
As usual, various solutions are available, I described one here. Disabling uPnP is an option for some, and I encourage those who want to go that route to go that route.
I think some people miss the point of the article. That a NAS like Terramaster F2-210 shouldn't open ports externally and if they do there should be options to turn this feature off.
I agree with bunnyfoofoo’s conclusion - maybe not the tone but certainly the conclusion. It’s tough to trust an article that makes security claims while ignoring so many self imposed security holes.
I'm sorry, I didn't mean to come off as offensive. I agree that it would be bothersome to convert from uPnP to non-uPnP, but you really only need to set it up once. Then any new devices you add to your network don't require individual workarounds.
It's fine, I wasn't personally offended nor should you feel like you need to censor yourself. It's really difficult to justify turning uPnP off when you can't necessarily control every application that runs on your network. My wife is going to get rather annoyed when whatever video conferencing software she uses stops working, and I'm gonna get mad when the game I want to play doesn't work - which is why I engage in a somewhat fruitless fight with the stuff I can control to keep the uPnP port punching under control somewhat.
It's definitely a bug in the nas that it continues to punch ports no matter how it is configured. Plenty of software gives you the option of not punching ports.
FWIW I have never had upnp enabled and I don't recall any cases where it's caused a problem for me. Certainly my wife and I are on videoconferences all day and they work fine. I am completely with you that I can't have network configurations that make the network unusable, confusing, or inconvenient for my family, but are you sure that upnp falls into that category? I'm sure you have different applications than I do, but I think we're pretty normal...
This article pissed me off so I went to check on uPNP and I had disabled it when moving into this home. Never had any problem where uPNP was the solution, we have gamers, video calls, VPNs, BitTorrent, etc etc. all work fine. We even have a printer that works. I think it is calling home to Google or HP or whatever.
I build secure communications solutions for a living, so I'm speaking from experience.
Any solution worth its salt doesn't want or need UPnP on your network, it doesn't need anything other than for you to let it hit the internet and for the traffic to come back the other way.
I also run and have run other solutions in my day to day working from home and private life, many SIP flavours, Teams, Zoom (once, because it was the only option), Jitsi, BBB, Google Duo, Hangouts, Houseparty they all work with no effort from me.
There is a lot of hypothetical about what will and won't work, but take it or leave it when I say that some of us, the people building these solutions, have a bit of a clue about networking and how to build solutions around security best-practice.
I also game online with PC, Nintendo Switch and PlayStation 4/5, not one has given me issues, nor have I needed any custom firewall rules for the consoles.
My wife works from home on a government-issued laptop, she's never complained of issues with video conferencing or her work VPN.
There may be some exceptions, sure, but it's less of an issue than people think.
You are responding to His blog, and He shared His reasoning.
Go find your own examples on your network. Even better if you can’t find anything and have UPNP disabled.
Isn't it more difficult to justify keeping it on when you can't trust devices not to, literally as the article shows, punch gaping holes in your network? 4 ports and if you didn't know to look...
At a bare minimum, if you MUST have uPnP, then those devices need to be on their own "unsafe" network with another network further in or next to it that has uPnP disabled.
Actually, I also found grandparent's (bunnyfoofoo) tone offensive. It's borderline derogatory, since it disregards the situation of the original author on many levels, plus everyone fixates on the wrong point.
UPnP has its security implications, but it doesn't mean that random appliances can just open ports through it without any settings whatsoever.
Everybody has the freedom to have opinions and free to express them, however we shouldn't disregard other person's situation while expressing our opinion. Talking about theoretical best practices is always easy in a vacuum.
Addendum: I want to congratulate bunny for trying to learn from his/her mistakes, for being honest and sincere. I wanted to leave it here since there's no other way to contact. I also made a lot of mistakes and HN taught me how to discuss this stuff, so you're at the right place.
To be very exact, being offended is a choice, in that nobody can offend you if you don't let them. You can always choose to not take offense. (The statement in question does seem rude and dismissive to me, however.)
I think it's pretty clear than the author believes he may have offended people with his statement, and is rephrasing in a more precise manner to avoid confusion.
UPnP is also sometimes used to refer to some forms of zeroconf/mDNS/Bonjour/DLNA.
Maybe he is under the impression if he turns off UPnP on his router (the automatic port forwarding feature), that his LAN device discovery features will break?
Lets not forget about consoles too. Xbox Live and PSN complain about obstructive NAT configurations and rely upon uPnP to open ports.
Of course they can be opened manually but that assumes some technical experience, and that the ISP provided hardware gives you access to its configuration.
Normally people say games. I have disabled UPnP on my firewall and there are two gaming PCs, a PS3, a PS4 and a PS5 running happily behind it. I just finished a Demon's Souls session with voice chat with friends with no problems. NAT type 2, because I managed my firewall to enable this.
It makes no difference since as I wrote I manage the firewall to allow this. But yes, since none of the games on consoles use Steam. If NAT wasn't set up I would get NAT type 3 on the PlayStations for example.
ETA:
My point was to get an example of something that breaks "because it doesn't work without upnp". I have yet to see a game that doesn't support a fixed set of ports.
So I don't know about routers or networks. I live in an apartment. Which router (+ an extra point / 2 hub mesh) is recommended these days? There seems to be a plethora of options. But most always end with Ubiquiti, which today feels like a bad choice. Also kind of expensive. Preferably something completely local. No cloud service. Preferably open source.
I live in EU.
(Sorry if it's bad form to ask for product recommendations, but I am unhappy with/ don't trust, my isp provided router, and gp explicitly mentions buying a router)
I've replied to a couple of others, normally I would have recommended Ubiquiti, but I no longer do. Not just because of their recent breach debacle, but because their software quality has declined since some of their best developers left.
The short but not so useful answer is, run something with pfSense or similar, I hear PCEngines hardware works well and is open source from the bootloader up.
Ubiquiti has hardware offloading using Cavium hardware so you need to do some throughput tests if you need high bandwidth without the offloading hardware.
I switched to pfsense* from a WRT. Awful router! It uses a cloud service to log in and nine times out of ten the awfulness that is their app cannot "locate a Linksys router on the network" even from a phone using the routers WiFi. I even tried flashing OpenWRT which was much better but the hardware still sucked and had to be restarted often. Cannot recommend (sadly I did recommend it to a friend before I knew how awful it is and he has the exact same problems even though he owns a different WRT model (1900 I think)).
* I'd recommend OPNsense over pfSense. If nothing else then because they break licenses (pfSense is NOT open source as they claim. You cannot build from the sources they provide).
I'm pretty sure the WRT-54G I had in 2005 was better at penetrating walls than anything Ubiquiti has ever built. After dealing with the one my mother was issued for her remote work I'm convinced that anyone not trying to remote-admin a hundred-router campus installation would be a fool to buy one.
Nothing is where you expect it to be. Getting to the control panel requires multiple login screens. Changing a port forwarding rule for devices that are and are not currently connected not only isn't on the same screen, it's not even in the same section of the control panel.
I had no end of problems getting it up and running for her, despite having paid tech support on the phone. Everything connected via ethernet would benchmark at exactly 1/2 the normal download speed of her old router, and anything on wifi benchmarked at 1/6. For the first three days her IP phone just rang continuously with nobody there, and neither I nor the tech support guy have any idea why it started working correctly.
Yeah, I bought a MikroTik for home and I have no idea what to do there. I tried to do hairpin NAT with it and after 3 tutorials I somehow managed to get it working, and now I have no clue how it works or what it's really doing.
The issue is letting untrusted or badly behaved devices on the network. UPnP works great, if you control which devices get on your network.
Static port forwarding combined with DHCP gets annoying quickly, you end up having to set up static assignments for every device that may need a port forwarded, which can be a lot, with modern multiplayer gaming and p2p.
And for applications that select a random port on startup, such as some bittorrent clients, you either have to manually forward the port every time or select a static port.
UPnP serves a purpose and is extremely convenient, as long as you trust the devices on your network.
> And for applications that select a random port on startup, such as some bittorrent clients, you either have to manually forward the port every time or select a static port.
What if you run them over a VPN? I don’t use torrents much but have a client containerised with OpenVPN. I’m not a networking expert but I had assumed (with all the dangers that comes with) that this moved the problem to the VPN provider?
It will work as long as you are the one initiating the connection. If some peer suspects you have a wanted piece available, i.e. from another peer in the swarm, it cannot communicate the intent to get that piece from you to your client directly. I think BitTorrent can relay messages through intermediate peers to make your client establish the connection to that other peer (reversing the initiator). Otherwise peers will exchange other peers that are visible to them so that your client might eventually learn how the other peer that wanted that piece is reachable and connect to it. So it actually will work without port forwarding but reaching your client will be harder and thus fewer peers inside the swarm will be available to you or them, likely making it slower.
So, keeping track of which device on your network belongs to which MAC address, and reserving an address for each, is that what you mean by ‘annoying’ - the administration of that?
That's the easy part. Plenty of applications (such as bittorrent clients) use randomized ports. So you have to either disable that, manually add the port forward every time you start the client, or let UPnP handle it, because you don't let any untrusted devices or apps onto your network.
And multiple devices on the network may need the same port forwarded at different times, such as multiple games consoles.
Opening ports for a specific machine with dynamic IPv6 addresses can be difficult though.
If the suffix stays stable then with iptables you can use netmasks where you mask out the prefix rather than the suffix.
If both prefix and suffix are dynamic you need a solution that takes DHCP or host names into account. Not all router firmwares support something like that.
Another alternative is to use UPnP or PCP with authentication.
Suffix should always be static with SLAAC because it’s your MAC address. Even if you’re using privacy extensions (and you should) you should still be able to listen on the MAC address one.
If you’re using DHCPv6 then the DHCP server should take care of DNS as it would for v4.
> Suffix should always be static with SLAAC because it’s your MAC address.
Except for devices that randomize MAC addresses. Normally even those that do that only try to do so when connecting to a new network, but that's not always reliable.
> Even if you’re using privacy extensions (and you should) you should still be able listen on the MAC address one.
I'm doubtful that all applications make that distinction and advertise the right address. If they just use some external "what is my IP" service to determine their address because that's what they did for IPv4 then they'll get the privacy address and advertise that to peers because that'll be picked by default for outgoing connections.
Being able to allow incoming connections to a port for any address belonging to a particular machine would be less error-prone.
There was always a tension between the Internet and Ethernet guys; the Internet guys have won, so Ethernet-specific concepts like MAC addresses are on their way out?
Don't waste time with WiFi on the gateway itself as most WiFi chips you can buy are crippled in firmware for regulatory reasons. Just use a dedicated commercial AP hooked up directly or VLANed.
Once you get comfortable with something like pfSense I highly recommend switching to regular Free/OpenBSD, or Linux depending on what you're comfortable with. I find it much easier to manage a gateway with the entire configuration in version control than a GUI. There aren't that many services that a gateway needs to run.
If you feel like you'll miss pf on the *BSDs check out nftables on Linux. It's not as well documented but it's much less painful than iptables.
To loop this into the UPnP discussion: when you build your own gateway from scratch you have to add a UPnP daemon and configure it yourself, instead of forgetting to disable it and exposing poorly configured IoT stuff.
I like Mikrotik for routers. They're cheap and have a lot of knobs in the SW (maybe too many if you just want NAT). They do run linux, but their SW isn't open. I've been pairing my Mikrotik hEX with a Unifi AP. Not sure what I'll do going forward, as I've heard Mikrotik's APs aren't as good as their routing and switching hardware.
If I was going the "dedicated machine" route, I'd probably go with OPNsense nowadays.
The PC Engines hardware line is popular here. The firmware is coreboot and you can run OPNsense on it for an entirely free software solution. It's quite solid, have had no issues at all. See e.g. https://www.pcengines.ch/apu4d4.htm
Hardware wise, I run Ubiquiti EdgeMAX but I wouldn't recommend them anymore, their software has gone down hill since many of their best developers left.
Software wise, pfSense is where it's at, but I don't have experience with their own hardware other than that the ones we ran at work all failed due to a silicon flaw in the Intel SoCs they ran.
> Ubiquiti EdgeMAX but I wouldn't recommend them anymore
Sadly there aren't exactly a lot of alternatives in the hobbyist network setup area ... It's basically just Ubiquiti and Mikrotik at this point as far as I know.
Look at the range of devices from GL.iNet. They run a custom version of OpenWrt with a nice UI on top. But most are upstreamed and you can flash vanilla OpenWrt on them. They're quite cheap as well. I'm not affiliated with them but I have bought devices from them. I use one between the ISP's router and my home network.
This is a safe bet if you don't need advanced hardware features. I have several GL.iNet devices; you can build your own OpenWrt for them and turn off the phone-home functionality.
UPnP allows devices to open up firewall ports for themselves to allow traffic to reach them inbound. Games (for example) that host a server on the user's local machine may require an open port to allow access inbound, so UPnP can help with this.
Nowadays it's not used much and quite frankly it was always a fairly bad idea.
There are ISPs out there which disallow the use of gateways other than theirs to enter their WAN. That means you are stuck with whatever config it allows.
I have root access to mine, so I can configure it to my liking, but the device is _not_ blinking out in quality, needing to be reset at least once every 14 days, otherwise it starts choking when I need to transmit my radio stations over the NET.
These types of ISPs make a lot of cash, selling bulk-purchased cheap hardware, esp. mine, which still sells services over copper using VDSL & ADSL2. Their FTTH speeds are also inconveniently capped at VDSL speeds.
On the other hand, if you want to play games on your network you absolutely must have UPNP. Unless the game has a dedicated server infrastructure. But even then you risk higher latency on VOIP if it even works at all.
This is completely false. Almost all home networks use port-restricted NAT, which allows for STUN for NAT traversal. You do not need UPnP to play games, even those that have peer to peer multiplayer.
Also STUN for VOIP does not increase latency. It tells you your external IP and port.
I have and I manually manage my firewall. I have never seen a game that only uses/allows one port so IMO it would only become a problem with something like 10+ consoles playing the same game at the same time and all of them being a host. If even then.
This is not a reasonable solution for most people, it requires intimate knowledge of the games you play (which ports they use), a static IP for your console and no more than one player/console per household.
Heaven forbid you have a PC game and an Xbox game that have conflicting ports.
And, I just have to say: you open arbitrary ports to your game console from the internet and talk about security.
If you want to host servers on your network then you need firewall rules, but if you are just a client then the firewalls implicitly allow the responses to client traffic through.
I also found this weird, and this got me to check if it was enabled on my business firewall devices: turns out they don't even support UPnP. Is it just consumer routers that support it nowadays? Shouldn't that feature just be nuked?
EDIT:
Well it sounds like a feature for pro users that know what they are doing and control all devices on the network. Even then, security appliances (eg. from SonicWall) don't support it. I don't know, this is probably a niche feature for a few occasions.
Far from only a feature for pro users. Notably, it is a must for VoIP (without going through a relay) and BitTorrent when you don't want to manually configure a firewall. (allows to create holes in a controlled way for a NATted network)
Without UPnP, you specifically have to configure your NAT for this...
>Without UPnP, you specifically have to configure your NAT for this...
While I realize that configuring nftables/iptables is beyond most folks, there are many firewalls out there that have a GUI/webui which makes this dead simple.
Not sure why this should be an issue in 2021, except for users' trained-in helplessness.
> Not sure why this should be an issue in 2021, except for users' trained-in helplessness.
Kids hosting games on random ports (terraria, etc.) benefit from UPnP. I'd rather enable it than manually enter firewall rules for each game or give them admin access to the firewall.
UPnP is only an additional risk if you have malware inside your network already and then it mostly allows malware to host services in a simpler way, but capable malware will be able to use TCP hole punching to establish arbitrary connections between infected networks.
>UPnP is only an additional risk if you have malware inside your network already
I'm not sure where you get that idea. Once a hole is poked (depending on the perimeter device/software in use), it stays poked and you've expanded your attack surface.
I make sure that there's no dynamically defined external access to my network. Can you guarantee that no software in use on your network is free of vulnerabilities? I'm not talking about malware here, just your run-of-the-mill software bugs.
If you think the answer is no, then why don't you share your network details with us and let's have a go? Then we'll see how much of an extra risk upnp might be.
What's that? You'd prefer not to do so? If there's no risk, then it shouldn't be a problem, right?
My suggestion is (obviously, I hope) an idle one and more intended as food for thought.
>Kids hosting games on random ports (terraria, etc.) benefit from UPnP. I'd rather enable it than manually enter firewall rules for each game or give them admin access to the firewall.
That may be a valid use case for you. However, claiming that it doesn't increase your attack surface/risk profile doesn't magically make it so.
I'm not telling you what you should or shouldn't do, but I do disagree with your rationalizations about why allowing upnp to expose your perimeter doesn't increase your risk profile.
> If you think the answer is no, then why don't you share your network details with us and let's have a go? Then we'll see how much of an extra risk upnp might be.
The cheap and fast attacks are DDoS and they're trivial to aim at a cable modem. Avoiding becoming a target is at least 50% of security posture. There were already 4286 ssh login attempts today so I don't really need more attempts than the automated botnet scans provide.
It's a risk/convenience tradeoff. I could probably package up a vpn.exe and force the kids' friends to run it before playing games, or force them to host games remotely. It's just not worth it.
I'm also reasonably sure that there are plenty of 0-days in all networks, given their relatively frequent discovery. So, again, don't be more of a target than necessary, and keep offline backups current and tested.
Ugh, users trained in helplessness. I just had an utterly annoying conversation with my cell phone provider whose reps have been trained in helplessness and thus fail to follow really simple security procedures.
This phrase is a thing of nightmares now. Stay tuned for a really scary Haunted House full of users trained in helplessness...coming Halloween 2021.
While there's always demand for more bandwidth, IPv6 isn't really something that people care about in the larger scheme of things. Many ISPs and carriers solved the IPv4 congestion issue with CGNAT and that'll keep things going until we run completely out of IPv4 addresses.
Once that happens, there will be government action. Not before.
Meanwhile the top agencies distributing IPv4 blocks ran out of them a decade ago.
Recently it was time for a lower level agency to run out - for Europe.
There's a lot of things that people don't care about until it's too late. Governments are supposed to be able to plan decades in advance. And they do, for things like digital TV. (And I already gave an example of governments acting to push IPv6.)
CGNAT is causing issues in that some protocols simply don't work properly through them. IPv6 also allows for simpler networking, since you don't have to add the extra abstraction layer that is NAT.
Politicians in Europe expect the market to take care of it. Businesses won't hurt their profit margins unless they have to (because IPv6 does mean additional costs).
We need something that increases consumer demand for IPv6 if we want this to be dealt with now.
(I host a STUN and TURN relay myself, because I had to for my personal VoIP server for enough people to be able to connect on it. Downside is more use of bandwidth.)
edit: replaced STUN with TURN where appropriate, I did confuse both as they were provided as a single package.
STUN is not a relay, but TURN is, and STUN/TURN is a common combo for when STUN doesn't manage to holepunch reliably, falling back to the relay when the direct connection fails.
What's also true, and what I think the GP was trying to get at, is that STUN requires an external coordination server. UPnP (I think—I am far less familiar with it) does not, because in UPnP you're negotiating the holepunching with the local router directly, whereas STUN is sort of using a loophole.
With TURN, all the traffic to the clients is routed through the TURN server indeed. That makes hosting a discussions server more traffic-heavy than otherwise...
(and it turns out that the server software that I use implements TURN and STUN in the same daemon)
Or/also, nag your ISP to give you an IPv6 prefix (or switch to Comcast, because they delegate you a /62). If you still want to manage a stateful firewall then go for it. But we shouldn't still need this NAT traversal crap in an IPv6 world.
Up until a week ago I would have suggested the UniFi. Since the latest snafu, the handling of the breach not the breach itself, I’m not so sure anymore what would be the best alternative. Perhaps just their EdgeRouter devices or a mikrotik device.
Also, the security report you're talking about came out like two days after a huge blow-up on this site because of a report they added advertising to a UI for one of their products. (The controller I think?)
It's muddy right now. I run Ubiquiti EdgeMAX switches and EdgeRouter at home, but I wouldn't recommend them right now (see another comment of mine, or check out the subreddit); for NAS I run TrueNAS, on a home built server.
For the Mobo I suggest finding a decent board (AMD based one if you want ECC RAM) and then use a PCI-e controller card to support the hard drives you need. It is hard to find a nice MB with all the SATA ports you need, using an external card gives you a lot more options. When I researched it everyone recommended an "LSI Logic Controller Card LSI00301 SAS 9207-8i" (eg. https://www.amazon.com/LSI-Controller-LSI00301-9207-8i-Inter...) and it has performed very well for me. If you go that way you'll need a SAS to SATA cable, they are easy to find as well.
I would never use the pre-installed software on a device, always replace it with a bare-bones install of a generic Linux/BSD distro and add any packages really needed.
The article focuses on the security issues surrounding his new NAS, and that's fine. But the problem isn't security. It's Trust.
Consumers generally trust that manufacturers will follow Best Practices and that security is part of the deal: I pay you money, you give me a quality product that Just Works and is Secure.
False.
Products are made to be sold at a profit. You can imagine that some engineer at that company knows about this problem, put in a Jira bug for it and since it didn't affect overall functionality, and because the product needed to be released as soon as possible, they rejected the bug and sent it off.
By default, we should NOT trust that things are Good and Secure. If we are security conscious, then it's on us as consumers to figure out how to mitigate these problems. Or is it?
If I was this guy, I'd box that thing up and send it back and give the company feedback as to why, and then I'd show them this very blog post.
The manufacturer probably won't care. They know that until the average consumer cares about security and knows how to mitigate problems it won't matter. And we all know that the average consumer, even of technical products, has security habits.
Now if you'll excuse me, I need to go take care of some security stuff on my boxes, this really got me thinking about it!
Yeah, until we see these companies get large fines for not following the best practices, and the engineers in charge lose their licenses, nothing will change.
You should NOT have any terramaster NAS internet facing right now. I disclosed a bug last month to Terramaster that still hasn't been fixed.
Go to http://NAS_IP/module/api.php?wap/ and it will give your admin password out as an md5crypt hash. Why? I assume it's some sort of backdoor/dev code but I don't know.
Hi friend, could you please send a description of the specific problem to our email: support@terra-master.com? TerraMaster will do our best to serve every customer.
I sent an email to that address on the 19th of March.
The issue is that millions of passwords per second can be tried against the hash on an average computer and there's no good reason to give the hash out in production.
To anybody owning a Terramaster NAS, I'd advise setting a random password of the maximum length possible.
Been running a T20 w/4x 4TB HDs with plain FreeBSD for a few years now and it works pretty well. I'm barely even competent when it comes to sysadmin sorts of things, but it was pretty easy to get set up following a blog post I found years ago.
The consistency of FreeBSD is a real benefit here — it's well documented to begin with, and since things change so little between releases, bits and pieces you find online are largely still relevant even if they're a little old.
First thing I did when I got my Buffalo Terastation was look up how to install plain Debian Linux on it and set it up myself. There is usually very little benefit to using the manufacturer's neutered, cobbled-together firmware.
Same thing with my Internet router. Flash it with non-manufacturer firmware so I can configure it properly.
I really wish it could do USB passthrough. I need that for home automation to run in a VM under TrueNAS. The solution I've been running for a few years now is to have TrueNAS and Home Assistant running under VMWare ESX. Required getting an HBA that I could pass through to the VM instead of using the ports on the mobo but it works nicely.
Having Home Assistant as a guest under TrueNAS would be nicer though. Right now there's no data redundancy for Home Assistant.
I'm looking forward to TrueNAS SCALE[1], which is basically TrueNAS on top of Debian instead of FreeBSD.
Mainly because then my containers can run on the metal rather than being limited by Bhyve.
Currently in Alpha. I fired it up in a VM and it had some rough edges still but did manage to create a pool and fire up some containers.
Been running FreeNAS, now TrueNAS, for several years and been happy with that, but not being able to take full advantage of the hardware due to Bhyve has been a pain point.
I also had good experience with mini-PCs like Chuwi's. They are pretty cheap, have a good amount of ports and have the advantage of having newer CPUs with very little power consumption.
> Upon SSHing into the NAS and having a dig around the file system, I discovered a file that could be modified. /etc/upnp.json seems to contain a list of port forwarding rules. Thank you to Terramaster for providing root access to these at least. Simply change bEnable to 0 for whatever ports you don’t want exposed, reboot the NAS, and check the port forwarding rules.
And don't forget to do all this each time the NAS updates. And pray to whatever entity you wish that auto-updates don't get enabled.
Seriously, after a blunder like this, why not return the device and find a manufacturer you can trust?
I'm confused. Some significant length was gone to in attempting to interrogate the device and modify it in such a way that it wouldn't try to open uPnP ports anymore. Further, a lot of devices try to leverage uPnP by default, and many of them are significantly more opaque than this NAS proved to be. However, the author doesn't want to just disable uPnP in their router and manage forwarding directly due to a perceived loss of convenience.
Surely, first discovering by happenstance that a device is doing this in the first place, then trying to figure out how to go through idiosyncratic & unsupported means to change the device's behavior, is significantly less convenient than updating router/firewall config rules in supported, standard, predictable ways on occasion?
> My router is an ISP provisioned one so the feature-set there is somewhat limited
My assumption was that their router doesn't support disabling uPnP for a single client, so it's 100% on or 100% off. If they play a significant number of p2p games or use p2p applications with non-predictable ports, it might well be more difficult to do manual port-forwarding when needed than to leave uPnP enabled (or even impossible, depending on what the router can do).
I'd argue that the right approach is to replace the ISP router with your own and disable uPnP, for your own security. Otherwise it's only a matter of time before you see this again. You cannot count on having only trusted devices on your network.
Don't know if it's true for this model, but at least some Terramaster NAS's are just x86 computers [EDIT: I see the model in the article is an ARM box, but also that it's already running a Terramaster specific Linux distro, so just nuking most of the Terramaster specific stuff might be easier than trying to find a way to do a clean reinstall].
For at least some of the x86 ones, you just need the right cable to connect to a suitable monitor, and it can boot from a USB drive. You don't need the VGA cable to replace the OS, but it helps a lot. You may have to dismantle the whole thing to get at the boot drive, but they're pretty easy to take apart.
First thing I did with mine was to install Open Media Vault.
Are there actually good alternatives to consumer NAS that don't break the bank? I'd love to just throw a Raspberry Pi 4B at some HDDs - but no SATA, and no ECC. And the hard drives need to be kept safe from their vibrations.
Some USB drives with a Pi is a decent solution, given that the most cost effective option for HDDs is usually shucking WD easystores anyway. USB HDDs usually have decent vibration damping and cooling also. USB might be less ideal than SATA, same with ECC, but you’re also saving a major amount of money, % wise.
Don't do that, you'll have no redundancy in case of disk errors, the performance will be abysmal (Pi4 possibly excluded) and USB drive spindown and SMART support is sketchy at best.
I bought a Fractal Node 304 case (room for 6 drives), put an ITX board in it, a PCIe SATA controller and set it up as btrfs RAID, with CIFS, NFS and FTP. Not a huge outlay and so much better than a hacked-together Pi solution.
It also functions as my DNS and DHCP (Pi-Hole in a Docker container) and since it has hardware video decoding, it works great as an always-on HTPC, which is practical for apartment living.
3 USB drives in a raid setup isn’t any less redundant than 3 SATA drives in the same setup (mathematically anyway, excluding potential bus problems which don’t really seem to be much of an issue these days).
Personally I also have a node 304 based nas, but I’ve seen plenty of people with low cost Pi setups and no major issues. Plugging a few drives into a Pi is much easier if you don’t have experience with building computers, and is still a couple hundred dollars cheaper than something like that.
Also worth noting that it’s possible to connect PCIe devices to a Pi, although I believe you need a specific model.
I use a lot of software/devices which I think is using UPnP (airplay, airdrop, pioneer dj pro link, maybe the printer etc.). There's talk here about disabling UPnP but does that mean that the devices wouldn't be able to find each other? I don't want to babysit my router.
Or aren't they using UPnP? Quick googling wasn't successful. I thought most of those autodiscover-services use UPnP.
One is service discovery, in cooperation with zeroconf (aka bonjour/mDNS). This is handled 100% by devices themselves.
The other is the port forwarding protocol, where devices can ask your router to open a port in the NAT to the wide internet forwarded to them. This is done in the router. It's also a potential massive security hole.
If you disable UPnP on your router, you only disable the second thing. The first thing keeps working.
The service discovery isn't really the security hole though, is it? I mean I have mDNS configured on my LAN. It's the port forwarding, and specifically, configuring it so that any rando device on the network can set up port forwarding, which is the security problem.
If you really want the dubious convenience of UPnP port forwarding, at least limit it to the one or two devices on your LAN that need it.
"It depends", as not all the names you listed as examples use the same technology, but in general "UPnP is more useful for things which need an incoming connection" (kinda sorta). This might be, say, a bittorrent client needing to allow other clients in on a port to share the file... sharing. To share. :) If you understand how Active vs Passive FTP works and how the incoming connections might need to be tracked (nf_conntrack for Linux folks), UPnP is more like that - apps which handle bi-directional conversations with the outside world beyond your router.
Airdrop uses an ad-hoc WiFi network (peer-to-peer) with TLS, as does I think (Android) Beam. If I'm not mistaken some other devices in this area (Chromecast, Roku, etc.) use similar techniques, and sometimes leverage Bluetooth ad-hoc networks. Discovery services like printers and fileshares tend to use (I'm assuming you're on macOS) Bonjour (Rendezvous, renamed a while back), which is sort of like an ad-hoc multicast (mDNS) solution if I understand it. On Windows it would use something like NetBIOS - conceptually the same. I just set a static IP on my wifi printer and call it a day; it's trivial stuff, being a printer.
We need a new term & new hardware that is a NAS but only available to the internal network with no option of Internet access.
I have for years wished Apple made something like that and had iPhone / iPad backup automatically to it, or Time Capsule for iOS. Instead they continue to push their iCloud for services revenue increase.
> Unfortunately, disabling uPnP these days is too much of a hit to convenience,
No. Just, no. There is NOTHING you need on your network that should require UPNP. It’s a horrible, insecure, and completely irresponsible protocol that does not need to exist.
Trust but verify.
Just wanted to add that in my opinion it is best practice to schedule a recurrent task for scanning the network using tools like nmap.
On top of that, add:
After you are done (re)configuring a (new) device on your network, scan and document a baseline. Verify the baseline recurrently.
Forwarded ports are not always static, we're not in the world of just web servers and SSH.
Different devices may need to use VoIP, P2P, games and other applications that cannot be strictly mapped to just one system or even just one port. UPnP handles dynamic mappings, so you don't have to update your port forwards every time.
Story time: It depends on the hardware at your disposal. I'm now on the new T-Mobile Home Internet service, the router+wifi device supplied (a Nokia 5G LTE based unit with a SIM on one side) firmware has basically no configuration - you cannot assign static DHCP, no bridge mode, no port forwarding - it has UPNP on or off, that's it. A truly sparse webUI, frustrating no-config device at 1.0 firmware level that doesn't even show you what the DHCP ranges in use are. My G-Shock watch has more configuration options than this thing does. :-/
When there's a typo in the message telling you "Tt is only available on the local network", that might be a sign of how much care was taken with regard to it.
Aren't all these prosumer NAS devices just out-of-date FOSS with a clunky web GUI that ultimately is sufficiently limited that you spend more time working around limitations than you would have just setting up FOSS yourself, or are they actually getting good now?
What does the author mean that the NAS punched a hole through the firewall? They say it several times. Do they mean enabled port forwarding on the router? If so, that seems like a router issue.
Routers have this thing called universal plug and play which enables applications to enable port forwarding on their own without the user having to dive into router firewall settings.
The JSON config is strange, the keys contain type information. But any JSON parser worth its salt should not require that since JSON is natively typed, no?
I suspect they mean the letter prefixes: _n_ExternalPort + _n_InternalPort for number, _s_Protocol for string and _b_Enable for boolean.
It's probably just a convention they use in the source code that's made its way into the JSON by serializing something? Either that or old habits die hard.
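To make the earlier quoted fix (setting bEnable to 0 in /etc/upnp.json) and the type-prefixed keys discussed here concrete, an added example that is not Terramaster's code: a small audit script that reads such a file, coerces each value from the letter prefix on its key, lists the forwards that would be pushed to the router, and rewrites the file with everything disabled except an allow-list. The real layout of the file is not shown in the thread, so the top-level "rules" list and the sample port numbers are constructed assumptions; only the key names come from the thread.

```python
"""Audit and neutralise port-forwarding rules in a Terramaster-style upnp.json.

Added example, not the vendor's code. Only the key names (bEnable, nExternalPort,
nInternalPort, sProtocol) come from the thread; the "rules" wrapper and the
sample values below are constructed assumptions.
"""
import json

# Constructed sample file in the assumed layout. Values are deliberately mixed
# (int vs. string) because type-prefixed serialisers are not always consistent.
SAMPLE_UPNP_JSON = """{
  "rules": [
    {"nExternalPort": 8181, "nInternalPort": 8181, "sProtocol": "TCP", "bEnable": 1},
    {"nExternalPort": "5443", "nInternalPort": 443, "sProtocol": "tcp", "bEnable": "1"},
    {"nExternalPort": 22, "nInternalPort": 22, "sProtocol": "TCP", "bEnable": 0}
  ]
}"""

# Hungarian-style prefixes as discussed in the thread: n=number, s=string, b=boolean.
PREFIX_TYPES = {"n": int, "s": str, "b": bool}


def coerce(key, value):
    """Apply the type hinted by the key's first letter, tolerating string-wrapped values."""
    kind = PREFIX_TYPES.get(key[:1])
    if kind is bool:
        return str(value).strip().lower() in ("1", "true", "yes")
    if kind is int:
        return int(str(value).strip())
    if kind is str:
        return str(value)
    return value


def parse_rules(text):
    """Return the rules with typed values; reject anything that is not a sane port."""
    doc = json.loads(text)
    rules = []
    for raw in doc.get("rules", []):
        rule = {k: coerce(k, v) for k, v in raw.items()}
        for port_key in ("nExternalPort", "nInternalPort"):
            if not 1 <= rule[port_key] <= 65535:
                raise ValueError(f"bad {port_key}: {rule[port_key]}")
        rules.append(rule)
    return rules


def enabled_forwards(text):
    """(protocol, external, internal) for every rule the NAS would request from the router."""
    return [(r["sProtocol"].upper(), r["nExternalPort"], r["nInternalPort"])
            for r in parse_rules(text) if r["bEnable"]]


def disable_all(text, keep=()):
    """Rewrite the file with bEnable=0 for every rule whose external port is not in `keep`."""
    doc = json.loads(text)
    for raw in doc.get("rules", []):
        if coerce("n", raw.get("nExternalPort")) not in keep:
            raw["bEnable"] = 0
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    # On a real box you would read /etc/upnp.json instead of the constructed sample.
    for proto, ext, internal in enabled_forwards(SAMPLE_UPNP_JSON):
        print(f"would forward {proto} {ext} -> {internal}")
    hardened = disable_all(SAMPLE_UPNP_JSON)
    print("after hardening:", enabled_forwards(hardened))  # prints: after hardening: []
```

As the quoted passage notes, the change only takes effect after a reboot, and the router's own forwarding table is the place to confirm that nothing is still mapped.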
There is a distinct whiff of Docker to the ports it’s using. But maybe I’ve been too far down that hole and am just seeing things through Docker-tinted spectacles.
It stands for "network attached storage", it's basically a standalone disk drive that is accessible to all devices within the local network (or public internet, if the device is setup that way).
In home setups, it's often used as a way to store terabytes of digital media (movies, videos, locally hosted wikipedia)
Just a computer with a bunch of hard drives so you can store your media all in one place. Most of the time people expose this to their home network so they can access the files from all their devices while on the same wifi, but you can also expose it to the internet so you can access the files anywhere.
Adding on to what others have said, I have one set up that's also used as part of my backup strategy for the important stuff on all the other boxes around here.
Don't do this: there is no good reason to run UPnP if you care about security. Turn it off and learn to manage a firewall.
If the author really cares, go one step further and replace the ISP owned router with something with more control.
Finally, if one cares about the software one's NAS runs, build or buy from someone like TrueNAS.