Dangers of UPNP?
-
Hi,
Looking for advice please. I have a pfSense install with three NICs (1x wan, 1x lan & 1x wifi). There are approximately 20 devices on the network. pfBlockerNG is on and working, ntopng is on and working. It's all going well. My son has an Xbox One and he appears to be having difficulties due to the NAT type. I know pfSense provides the ability to enable UPnP and use an ACL to restrict it to certain IP addresses/CIDR ranges.
What are the dangers though of UPnP? If I enable it for my son's Xbox only (he already has a reserved address via DHCP), are there any potential negatives for the rest of the devices?
Thank you
-
With any device that you allow unsolicited inbound traffic to, the risk of compromise of that system increases.
From a security standpoint, you might want to segment that device off from the rest of your network.. Call it a DMZ, a firewalled segment..
It's not apparent if you're running vlans or not, or have the ability via switching or wifi AP to do vlans.
But it would be prudent, if you're going to allow inbound access to that device, to limit what else on your network it could talk to.
I would break it off and put it on its own vlan. Then firewall it so it can only talk to the min required resources on other segments in your network.. For example maybe you want to watch movies off your plex server, that currently resides in your lan.. If so just allow that port 32400 to your plex IP.
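The per-device ACL the question mentions, written here as an added example in the miniupnpd ACL syntax that pfSense's UPnP & NAT-PMP page accepts as "ACL Entries" (not text from the original thread); the Xbox address 192.168.1.50 is an assumed placeholder for the reserved DHCP address.

```conf
# Format: allow|deny <external port range> <internal address>/<mask> <internal port range>
# Entries are evaluated top to bottom; the first match decides.

# Assumed placeholder: the Xbox's DHCP-reserved address is 192.168.1.50.
# Only that host may request mappings, and only onto high ports.
allow 1024-65535 192.168.1.50/32 1024-65535

# Everything else on the network is refused; no other device can open inbound ports via UPnP.
deny 0-65535 0.0.0.0/0 0-65535
```

Pair this with binding the UPnP service to the one interface the Xbox lives on, so devices on the other segments never reach the UPnP listener at all.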
-
@johnpoz Thanks for the reply. No, I am not running vlans; currently I have 192.168.1.0/25 for lan and 192.168.2.0/25 for wifi, with a DHCP server running on the pfSense LAN interface and another on the WIFI interface.
Would you recommend I change this approach and run vlans then? With a view to creating a small vlan for the Xbox? I don't have any IoT devices yet, but I imagine the kids will want them soon; would I be right in presuming they will want UPnP too?
Thank you
-
I have loads of iot devices.. No smart devices, light switches, light bulbs, thermostat, harmony hub, echos, etc.. require any inbound ports to be opened. If you have such device that says it requires you open inbound traffic - I would prob look for a different device.
To be honest the only sort of device that would normally require inbound traffic is some console game, when you want to host games, etc.
I have all of these devices isolated to their own vlans, segmented by type.. Rokus, TV, Directv box, harmony all on the roku vlan. Other iot like the echos and lightbulbs, etc. on another vlan.
From a security standpoint, yeah it's a good idea to isolate such devices from your main trusted devices.. On the possibility that they become compromised.. You never know.. Why would my light bulbs need access to my pc, or my nas for example ;) So even if they were compromised - they could only talk to other iot devices on that vlan..
Having the ability to vlan (isolate networks) from each other gives you the option to segment different devices into their own little networks and limit what they can or can not do with the other devices on your network in other vlans.
Anyone that has taken the step to moving to something like pfsense - then yes the ability to create multiple local vlans only increases what you can do..
The biggest hurdle for most users is the wifi.. Most soho wifi APs, be it a reused old wifi router as AP or fancy new mesh systems, do not support vlans. At least not with native firmware.. So you need to get something that does - unifi APs are very popular with pfsense users, mostly because of their vlan support.. I have been running 3 of them in my home for years, and am very happy with their feature set and performance. Not that they are perfect and don't have their own issues - but they get the job done, and have a feature set well above any normal soho wifi stuff. At a home budget doable price point..
The switch part is easier - you can pick from multiple different brands of entry level smart switches that support vlans for like $40.. Normally $5 to $10 more than their dumb little brother models..
But you can get much fancier with switches as well and easily spend hundreds of dollars on a switch with more features..
-
@johnpoz Very useful, thank you. My AP does not support vlans. My pfSense does though have a spare NIC, so what I might do in the short term is buy a cheap AP and create a new interface on pfSense for a 'dirty' network. Then put the Xbox on that new AP/IP range. Then I can enable UPnP just for that new IP range.
Thank you.
-
Yeah if you have a spare interface - sure you could do that.
But to be honest - might be better to just put any money you would spend on some cheap AP towards a real AP with big boy features ;)
But sure if you have some old wifi router laying around - then sure you could do that..