  • I have an IP camera system segregated onto its own VLAN and would like to allow it access to the internet via UPnP and prevent it from accessing any other LAN subnets. I have locked down the device's available port range with the UPnP options, and when it comes to the firewall the only way UPnP seems to work is if I have a default "allow any" rule in place.

    1. What would the correct protocol be for allowing UPnP to function? It is opening UDP ports, but does the UPnP service require something else to be allowed?

    2. What is the correct destination to allow ONLY UPnP functionality outbound and no LAN access? "LAN address" on the VLAN?

    If you want security, UPnP is not an option. It isn't designed for that. It's designed to allow a local system to request inbound traffic from any source to a target device on a specified port.

    If it's an IP camera, you shouldn't expose that to the Internet anyhow. Set up a VPN as the only way into that network segment and access it that way.

    UPnP doesn't do outbound; it's used for allowing inbound, i.e. a port forward.

    As jimp mentions, IP cameras should not be available from the internet. Unless you're wanting to be part of a botnet? ;)
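As an added illustration of the point made in the replies (UPnP IGD creates inbound port forwards, not outbound rules), here is an audit script that is not from this thread or from pfSense: it parses WANIPConnection GetGenericPortMappingEntry responses and flags any mapping that exposes a host on the camera VLAN. The VLAN range, the two SOAP responses and the host addresses are constructed for the example.

```python
"""Audit UPnP IGD port mappings and flag entries exposing the camera VLAN.

Assumes the router answers WANIPConnection:1 GetGenericPortMappingEntry.
The SOAP responses below are constructed so the check runs offline.
"""
import ipaddress
import xml.etree.ElementTree as ET

CAMERA_VLAN = ipaddress.ip_network("192.168.50.0/24")  # constructed VLAN

_ENVELOPE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">{body}'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)

# Constructed sample responses: one maps a camera, one maps an unrelated host.
SAMPLE_RESPONSES = [
    _ENVELOPE.format(body=(
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>"
        "<NewInternalClient>192.168.50.21</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>IPCam HTTP</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>")),
    _ENVELOPE.format(body=(
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>51413</NewExternalPort>"
        "<NewProtocol>UDP</NewProtocol><NewInternalPort>51413</NewInternalPort>"
        "<NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>desktop app</NewPortMappingDescription>"
        "<NewLeaseDuration>3600</NewLeaseDuration>")),
]


def parse_mapping(xml_text):
    """Return the New* fields of one GetGenericPortMappingEntry response."""
    fields = {}
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # strip any namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (elem.text or "").strip()
    return fields


def exposed_camera_mappings(responses, camera_net=CAMERA_VLAN):
    """List enabled inbound mappings whose internal client is on the camera VLAN."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        client = ipaddress.ip_address(m["InternalClient"])
        if m.get("Enabled") == "1" and client in camera_net:
            findings.append({
                "external_port": int(m["ExternalPort"]),
                "protocol": m["Protocol"],
                "internal": f"{client}:{m['InternalPort']}",
                # Empty RemoteHost means any Internet source may connect.
                "any_source": m.get("RemoteHost", "") == "",
                "description": m.get("PortMappingDescription", ""),
            })
    return findings
```

Against a live router, the same parser applies to each response obtained by walking NewPortMappingIndex upward until the IGD returns error 713 (no such entry).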

