UPnP on Home Network Issues



  • Because of the security warnings I've seen on the web about UPnP, I've kept it off so far.  Those warnings tend to be for corporate networks, though, and I'm just a teeny home network.  Because of my spousal unit's nigh-on-infinite, ever-expanding list of games, I'm getting a bit tired of adding the ports she needs to my open-ports list.  How much of a security risk is turning UPnP on for a home network?  If I do turn it on, I'd probably turn on the Default Deny option and set up Access Control Lists.  But, do I delete all my open port rules in the firewall and let UPnP handle it?



  • After looking around some more, it seems like asking about the risk of UPnP on a Home Network results in half the people saying it's fine and the other half saying it's anathema.  So, I guess it's up to me to make the decision.  On the assumption I decide to enable that, what's a reasonable range to use in the Access Control List area of Services / UPnP & NAT-PMP?  The example shown uses the whole Registered and Ephemeral port range (1024-65535).  Is there any reason not to include the Registered port range (0-1024)?



  • Well, I must be missing something fundamental with UPnP.  I tried a test run and it didn't seem to be working at all even though the miniupnp service was running.  I did the following on the Services / UPnP & NAT-PMP page:

    • Enable:  Enable UPnP & NAT-PMP – [X]
    • UPnP Port Mapping:  Allow UPnP Port Mapping [X]
    • NAT-PMP Port Mapping:  Allow NAT-PMP Port Mapping [X]
    • External Interface:  Chose my two VPN WAN interfaces
    • Interfaces:  Chose my two VPN LAN interfaces
    • Log packets:  Log packets handled by UPnP & NAT-PMP rules [X]
    • Default Deny:  Deny access to UPnP & NAT-PMP by default [X]
    • ACL Entries:  allow 1024-65535 192.168.20.0/24 1024-65535 (if I got that right, that should enable this for all devices in the 192.168.20 subnet)

    I saved and applied the above, and the miniupnp service showed up in the Services Status box on my Dashboard.  Other than that, there was no indication that UPnP was running.  There was nothing showing in Status / System Logs / Firewall, nothing in Status / UPnP & NAT-PMP, and no UPnP rules that I could find under Firewall / Rules (I don't know if there should have been).

    I removed the specific WAN ports I was allowing in the 1024:65535 range from my Aliases and had the wife fire up some of her PC games that needed them.  They wouldn't run.  Checked Status / System Logs / Firewall and saw that their traffic was being denied by my existing user-defined rules.  Checked Status / UPnP & NAT-PMP and still nothing showing.  I rebooted the router and the computer and tried again.  Same thing.

    Is there something else I was supposed to have done?  Was a UPnP rule supposed to appear (perhaps on the Firewall / Rules tabs for my two VPN WAN interfaces)?

    According to:

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    UPnP rules should be processed before user-defined rules.  So, it should have caught things and allowed the traffic before my own rules caught the traffic and refused to pass it.  What am I missing?
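    The ACL entry above uses the miniupnpd rule syntax (action, external port range, client network, internal port range), and the Default Deny option means a request that matches no entry is refused. The following evaluator is an added example, not code from this thread or from pfSense/miniupnpd; it assumes miniupnpd's first-match semantics and assumes that Default Deny behaves like a trailing catch-all deny. It also shows why excluding ports 0-1023 matters: with the entry as written, a LAN device asking to map external port 443 to itself is refused, while a request in the game port range is accepted.

```python
"""Evaluate miniupnpd-style UPnP ACL entries against port-mapping requests.

Added example, not taken from the forum thread or from pfSense/miniupnpd.
Assumptions: rules are checked in order and the first match decides
(miniupnpd behaviour), and "Default Deny" is equivalent to a final
"deny 0-65535 0.0.0.0/0 0-65535" entry.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str        # "allow" or "deny"
    ext_ports: tuple   # (low, high) external (WAN-side) port range
    network: object    # ipaddress network the requesting client must be in
    int_ports: tuple   # (low, high) internal (client-side) port range


def _parse_range(text):
    """Parse '1024-65535' or a single port like '27015' into (low, high)."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text}")
    return (lo, hi)


def parse_acl(lines):
    """Parse ACL entries of the form: allow|deny EXT_RANGE NETWORK INT_RANGE."""
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bad ACL entry: {raw!r}")
        rules.append(AclRule(parts[0],
                             _parse_range(parts[1]),
                             ipaddress.ip_network(parts[2], strict=False),
                             _parse_range(parts[3])))
    return rules


def is_permitted(rules, client_ip, ext_port, int_port, default_deny=True):
    """Return True if a mapping request from client_ip would be accepted."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r.ext_ports[0] <= ext_port <= r.ext_ports[1]
                and ip in r.network
                and r.int_ports[0] <= int_port <= r.int_ports[1]):
            return r.action == "allow"
    # No entry matched: the Default Deny option decides.
    return not default_deny


if __name__ == "__main__":
    # The single entry from the post above, plus Default Deny.
    acl = parse_acl(["allow 1024-65535 192.168.20.0/24 1024-65535"])
    print(is_permitted(acl, "192.168.20.15", 27036, 27036))  # game port: allowed
    print(is_permitted(acl, "192.168.20.15", 443, 443))      # low port: refused
    print(is_permitted(acl, "192.168.30.5", 27036, 27036))   # other subnet: refused
```

    Leaving 0-1023 out of the allowed range stops any LAN device from claiming well-known external ports such as 22, 80 or 443 for itself through UPnP, which is the usual reason the pfSense example starts at 1024.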


  • LAYER 8 Global Moderator

    What games is your wife running that need unsolicited inbound traffic?  She is hosting the game, i.e. being the server?  Are they PC games or console games?

    VPN interface? So what vpn service are you using that forwards all traffic down the tunnel to you?  Never seen such a vpn service.. They might forward 1 port for you to run torrents with, etc.  maybe you can even have an interface and have a few down.

    But vpn services don't normally allow unsolicited traffic inbound to you.. Since most vpn exit IPs are shared..



  • OK.  Right there:

    What games is your wife running that need unsolicited inbound traffic?

    That question shows me that I'm obviously missing something fundamental here.  For example, Steam itself on our Windows 10 PCs.  According to:

    https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711

    It requires the following open ports:

    To log into Steam and download content:
    HTTP (TCP port 80) and HTTPS (443)
    UDP 27015 through 27030
    TCP 27015 through 27030

    Steam Client
    UDP 27000 to 27015 inclusive (Game client traffic)
    UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
    UDP 27031 and 27036 (incoming, for In-Home Streaming)
    TCP 27036 and 27037 (incoming, for In-Home Streaming)
    UDP 4380

    Dedicated or Listen Servers
    TCP 27015 (SRCDS Rcon port)

    Steamworks P2P Networking and Steam Voice Chat
    UDP 3478 (Outbound)
    UDP 4379 (Outbound)
    UDP 4380 (Outbound)

    If I don't specifically allow HTTP (TCP port 80) and HTTPS (443), UDP 27015 through 27030, and TCP 27015 through 27030 through my firewall, Steam doesn't even open properly.  Whether that traffic is considered solicited or unsolicited, I don't know.  I just know that it doesn't work if I don't open the ports.

    According to:

    https://doc.pfsense.org/index.php/What_are_UPnP_and_NAT-PMP

    UPnP and NAT-PMP both allow devices and programs that support them to automatically add dynamic port forwards and firewall entries.

    I assumed (and I know what that means) that UPnP would handle the opening of those ports and I wouldn't have to manually enter them into my "allowed ports" Alias.  And, that applies to her Steam games, too (for example, "Talisman," "Golf with your Friends," and "Gremlins" – none of which will even start up properly if I don't let the ports their servers use through my firewall).  You've been commenting on my firewall over at:

    https://forum.pfsense.org/index.php?topic=129085.0

    if you want to see what my rules look like.  So, maybe I'm missing something fundamental on firewall rules as well as UPnP.  Perhaps I need to first entirely revamp my firewall rules (perhaps by setting up open ports at Firewall / NAT / Port Forward instead of adding open ports via an Alias in my user-defined firewall rules).

    And, as far as your VPN comments, you're right.  My VPN (AirVPN) port forwards nothing automatically (it will allow 20 port forwards, but since I barely understand that, I haven't set anything up).  But, that's for later after I figure out what I don't know I'm missing with UPnP.


  • LAYER 8 Global Moderator

    And as always these companies are confusing as to what is needed as an unsolicited inbound or forwarded port, and what is needed in an outbound direction.

    The default rules for pfsense outbound would be any any.. Have you modified the outbound rules to be restrictive?  UPnP is normally not used to allow outbound traffic, it is normally used to allow for inbound unsolicited traffic to be forwarded to the requester..

    So your wife's machine is on the vpn_lan net?  If so you allow icmp and tcp/udp outbound.. Are you sending her out the vpn connection?  That could be a problem??  You're not going to be able to use UPnP for a vpn to allow for inbound traffic.. But with a vpn normally being shared traffic you could have issues with stuff like udp on common ports that some other user is using to stream through the vpn as well, etc.

    The only ports that seem to be inbound on that list is
    UDP 27031 and 27036 (incoming, for In-Home Streaming)
    TCP 27036 and 27037 (incoming, for In-Home Streaming)

    But are those unsolicited inbound?  I.e. does the server on the internet or client on the internet send traffic to your public internet IP on those ports that are not in answer to something you requested?  Where is it getting your IP from, does the client send its rfc1918 address?  Does it log your client's public IP in the server?  If you're going through a vpn, then it is sending that traffic to your vpn endpoint.. Which would never make it to pfsense if not forwarded through the vpn, etc.

    You would think with the VAST majority of users being behind a nat these companies would just be straightforward.. Allow these ports outbound to internet, forward these ports to your box running our software, etc..



  • UPnP is definitely for something other than what I thought it was for.  I'm going to shelve it (for a while, at least).  I think my problem is that the guide I followed for setting up my pfSense box so all my traffic would go through my VPN was way too restrictive in what it allowed through the firewall (at least regarding outbound traffic).  It's currently set up so that if traffic is going off the local network, I have to approve the ports.  Actually, it's set up so that I have to approve the ports on all internal network traffic, too.  That's too restrictive for my home network.  I don't know if I want to allow ALL outbound traffic.  So, I'm definitely going to have to go back and figure out what I really need my firewall rules to look like.  Thanks.

    Do you have any suggestions of good sites to look at for decent, basic firewall rules?  This pfsense.org page is worthless to me:

    https://doc.pfsense.org/index.php/Example_basic_configuration


  • LAYER 8 Global Moderator

    "I don't know if I want to allow ALL outbound traffic."

    That is a decision you would have to make… What I can tell you is I have been in the field for 30ish years, currently one of my primary functions is infosec.  And in my home I run any any outbound.  I don't restrict anything outbound..

    In the workplace, yes, we are restrictive outbound.  Pretty much all traffic outbound has to go through a proxy that does content filtering, etc.  Devices are not allowed to talk directly out to the internet unless specifically required, with limitations on where they can talk and only when it can not be made to work through the proxy, etc.  Then again they are not playing games in a work environment ;)  Nor really any other odd ball software that would use odd ball ports.

    It's just not really worth the hassle.. What do you think it stops exactly?  If your box is compromised or infected - the ports the software uses to go outbound are almost always going to be the standard web ports 80, 443..  Stuff sending out on some weird port draws too much attention ;)

    You could for sure lock down the ports, but it's just going to be a lot of work any time some new application requires outbound that you're not allowing.  But if your boxes do get infected it's already too late if you're just blocking them from talking outbound on non standard ports.  You should be more worried about prevention of the infection in the first place.  Keep them patched and updated..

    Keep an eye on what the machines are doing, i.e. log their traffic - maybe just log the non standard outbound traffic and if you see something odd investigate it, etc.  If you want, run IPS.. But that is a job in itself filtering out the noise - which there will be a LOT of until you get your rules trimmed down.. For sure run IPS in monitor only mode until you work out all the kinks.. Or your wife is going to be complaining all the time this is not working, that is not working.

    I do have all my iot devices on their own isolated segments, I log all of their traffic and monitor it from time to time for any strange behavior..  They really only do dns for the same thing over and over ;)  And are talking to the servers they are supposed to be talking to, either on the company's own netblocks or in the amazon cdn, etc.

    It can for sure be a learning experience logging the traffic and looking into what is going on.. But blocking out of the box all non standard ports in a home setup is going to be lots of extra work and lots of complaints from the "users" ;)

    If you have questions about traffic you're seeing, etc.  Just post it up like your other thread - always happy to discuss such things..



  • Thank you.  Very helpful.  I think I'm going to remove my "allowed ports" aliases entirely and just allow outbound traffic in my firewall rules.


  • LAYER 8 Global Moderator

    If you have concerns - just log it, and see what is going on.  Like I said it can be very interesting.. If you're into that sort of thing - which I am ;)

    Have not used steam in a long time, not really a game player other than KSP and bought that standalone a long time ago..  And I just grab updates from them directly, etc. I do play the new elite dangerous now and then - but none of these require any inbound traffic.

    If you were attempting to let UPnP do outbound opens - might as well just open it all.  Since UPnP doesn't do any sort of auth or anything, so if you were going to let it open ports anyway.. Might as well just open them.

    You could always send your logs to a syslog server and then do some fancy stuff with that monitoring your outbound connections, etc.



  • @johnpoz:

    "I don't know if I want to allow ALL outbound traffic."
    And in my home I run any any outbound.  I don't restrict anything outbound..

    In the workplace, yes, we are restrictive outbound.  Pretty much all traffic outbound has to go through a proxy that does content filtering, etc.  Devices are not allowed to talk directly out to the internet unless specifically required, with limitations on where they can talk and only when it can not be made to work through the proxy, etc.  Then again they are not playing games in a work environment ;)  Nor really any other odd ball software that would use odd ball ports.

    It's just not really worth the hassle.. What do you think it stops exactly?  If your box is compromised or infected - the ports the software uses to go outbound are almost always going to be the standard web ports 80, 443..  Stuff sending out on some weird port draws too much attention ;)

    You could for sure lock down the ports, but it's just going to be a lot of work any time some new application requires outbound that you're not allowing.  But if your boxes do get infected it's already too late if you're just blocking them from talking outbound on non standard ports.  You should be more worried about prevention of the infection in the first place.  Keep them patched and updated..

    This is one of the most helpful comments I've read as I've gone through the experience of implementing pfSense in my home network.  I started out locking down the egress filtering but have found there are enough exceptions (TiVo, AppleTV, Facetime, WiFi calling from iPhone…) that the rule administration is a hassle.  Plus, I don't think it's really doing any good.  It might feel good, but I don't think it actually does anything useful.  Stateful filtering is probably the biggest benefit in a home network.  Thank you for just stating that.



  • Yep - My kids have Steam here and it works just fine on a default setup.

