Netgate Discussion Forum

    UPNP Security - Xbox One

    NAT | 8 Posts, 4 Posters

    centuryx476

      Hello,
      I have several interfaces on the router and one of them is my DMZ. I put my Xbox One into the DMZ, but there are several tutorials on how to make the NAT "OPEN" for the Xbox, and they require using UPnP.

      I have never trusted UPnP and was wondering: even though I am pointing the UPnP service at the Xbox, does this present a security issue for my network?

      I am using the latest version of pfSense - 2.2.6 (64-bit).

      Currently I have NAT port forwards for all the Xbox Live ports to the Xbox One, but apparently that is not enough; as stated before, I need to use the UPnP service. I put a static IP on the Xbox as well (standard procedure).

      Any opinions on UPnP?

      Also, if this is in the wrong section of the forum then please move it.

      Thank You

        johnpoz (LAYER 8 Global Moderator)

        UPnP is no different than port forwarding as long as you lock it down, just letting your Xbox open the ports to its own IP.

        Example:

        allow 1024-65535 192.168.5.100/32 1024-65535

        Only 192.168.5.100 can use UPnP – this is my son's PS3.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          centuryx476

          Ok then.

          Let me ask you this.

          Do I have to put in such a large range of port numbers, "allow 1024-65535 192.168.5.100/32 1024-65535"?

          Could I just specify the ports that Xbox Live requires and nothing more, nothing less?

          Thank You

            johnpoz (LAYER 8 Global Moderator)

            Sure you could... if you actually are aware of them. If you actually knew the ports and forwarded them you wouldn't need UPnP... So clearly you don't actually know what ports are in use. Why don't you let UPnP open the ports, see what they are, and then just manually open them and disable UPnP?

            I personally don't really care what the PS3 opens up to itself anyway; it's also locked down to its own VLAN, with no access to the rest of my network.


              centuryx476

              As I clearly stated in my first post:
              "I have NAT port forward all the xbox live ports to the xbox one but apparently that is not enough"

              These are the ports that are required:
                  Port 88 (UDP)
                  Port 3074 (UDP and TCP)
                  Port 53 (UDP and TCP)
                  Port 80 (TCP)
                  Port 500 (UDP)
                  Port 3544 (UDP)
                  Port 4500 (UDP)

              This is where the logic fails: if they are already open, then why should I even use UPnP?

              Guess that is how pfSense is designed.

              Thanks for the help.

                johnpoz (LAYER 8 Global Moderator)

                "but apparently that is not enough"

                Exactly, so how do you know what ports need to be open via UPnP?

                So why would you limit it... Let it open up what it needs, then see what they are and disable UPnP.

                UPnP doesn't do any magic that you cannot do with a manual forward.

                You sure as F do not need to forward inbound DNS 53 TCP and UDP... It's not running a DNS server. What I have found is that the ports listed as required are not always actually true... Let UPnP open up what it wants to open, then look in the status and see what they are, then forward them... Then you can turn off UPnP.

                UPnP doesn't do anything you cannot do with a normal forward; it just does it without freaking asking you or telling you what it's opening.

                Port 500 is locked static outbound for ISAKMP; maybe that is causing you a problem?


                  toddos

                  @centuryx476:

                  As I clearly stated in my first post:
                  "I have NAT port forward all the xbox live ports to the xbox one but apparently that is not enough"

                  These are the ports that are required:
                      Port 88 (UDP)
                      Port 3074 (UDP and TCP)
                      Port 53 (UDP and TCP)
                      Port 80 (TCP)
                      Port 500 (UDP)
                      Port 3544 (UDP)
                      Port 4500 (UDP)

                  This is where the logic fails: if they are already open, then why should I even use UPnP?

                  Guess that is how pfSense is designed.

                  Thanks for the help.

                  The only port on that list that needs to be forwarded is 3074/udp. The rest are used outbound, not inbound (HTTP, DNS, Kerberos, IPsec, etc.). As for why you should use UPnP instead of manually forwarding 3074/udp: do you have multiple consoles? Any Xbox 360, Xbox One, PlayStation 3, or PlayStation 4 will preferentially use 3074/udp as an inbound port. If you only have one of these, then feel free to forward the port manually and be done (though there's a caveat...). But if you have more than one of these, obviously only one can use 3074/udp at a time. That's where UPnP comes in. All of the consoles have an internal list of alternate ports that they will request if 3074/udp is taken. But they only know to request and listen on those ports if UPnP tells them that 3074/udp is unavailable. So with UPnP, you can have all of those consoles online with Open NAT simultaneously (IIRC, the alternate port list is at least 10 deep, as the old Microsoft router certification required routers to support at least 10 simultaneous Xbox consoles). I suppose if you really wanted, you could hunt down that list and do asymmetric manual port forwarding (forward external port X to internal port 3074), but why not just let the consoles do the work themselves?

                  And the caveat I mentioned: some apps (Skype) and games (COD:BO3) require more ports than the standard one. If UPnP is available, they will request the ports automatically. If it's not, then you have to know what ports to manually forward to take full advantage of those apps and games.

                    JonathanLee
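The port-conflict behaviour described in the post above, as an added example that is not part of the original thread: a small model of the firewall's forward table, an AddPortMapping-style request that refuses an external port already owned by another host, and the console-side walk down a candidate list. The alternate-port list is a constructed placeholder (the real list is not on the page), and the addresses are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the consoles' alternate-port list the post refers to;
# the real values are not on the page, so these are placeholders only.
CANDIDATE_EXTERNAL_PORTS = [3074, 3075, 3076]


@dataclass
class NatTable:
    """External (proto, port) -> internal (ip, port); models the firewall's forward table."""
    mappings: dict = field(default_factory=dict)

    def add(self, proto, ext_port, int_ip, int_port):
        """AddPortMapping-style request. Refuses the mapping if the external port is
        already mapped to a different internal host (the conflict UPnP reports back)."""
        key = (proto, ext_port)
        current = self.mappings.get(key)
        if current is not None and current[0] != int_ip:
            return False
        self.mappings[key] = (int_ip, int_port)
        return True


def request_open_nat(table, console_ip, candidates=CANDIDATE_EXTERNAL_PORTS):
    """Console side: ask for 3074/udp first, then walk the alternates until one is free.
    Returns the external port obtained, or None if every candidate is taken.
    The console keeps listening on 3074 internally (asymmetric mapping, as the post notes)."""
    for ext in candidates:
        if table.add("udp", ext, console_ip, 3074):
            return ext
    return None


def manual_forward_only(first_console, second_console):
    """Static 3074/udp forward to one console and no UPnP: the second console has no
    way to learn that 3074 is taken, so it gets nothing."""
    table = NatTable()
    table.add("udp", 3074, first_console, 3074)
    return request_open_nat(table, second_console, candidates=[3074])
```

Two consoles behind the same WAN address both end up with an inbound mapping when the table can hand out alternates; with a single static forward the second request simply fails, which is the strict-NAT case the post describes.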

                    Also make sure you are not blocking multicast traffic; if you are, UPnP will not work.

                    Make sure to upvote
