Revision comparison of ''docs:guide-user:firewall:upnp:miniupnpd'': 2022/06/04 13:32 (ansuel, section ''config upnpd 'config''') versus 2024/09/03 21:51 (stokito, section ''NAT-PMP/PCP'', copied from the upnp_setup page).
^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''config_file'' | string | no | //(none)// | Use the specified configuration file if present. If specified, the UCI options are not used, except that ''external_iface'' determines the iptables table used. |
| ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface, in kilobytes per second. Note that this is only information given to clients; it doesn't control the speed. |
| ''upload'' | integer | no | //(none)// | Bandwidth available for traffic going out of the external interface, in kilobytes per second. Note that this is only information given to clients; it doesn't control the speed. |
| ''enable_natpmp'' | boolean | no | ''1'' | Enable [[https://tools.ietf.org/html/rfc6886|NAT-PMP]] and [[https://tools.ietf.org/html/rfc6887|PCP]]. |
| ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. |
| ''external_iface'' | string | no | //(auto)// | External interface. The default is to autodetect the first interface with a default route, which is usually ''wan''. |
| ''external_iface6'' | string | no | //(auto)// | External IPv6 interface. The default is to autodetect the first interface with a default route, which is usually ''wan6''. |
| ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP. If not specified, the default IPv4 address of the external interface is used. Conflicts with the ''use_stun'' option. |
| ''internal_iface'' | string | no | ''lan'' | Space-separated list of internal interfaces (LANs). |
| ''log_output'' | boolean | no | ''0'' | Send log messages normally written to stderr/stdout to syslog instead. |
| ''secure_mode'' | boolean | no | ''1'' | Secure mode: a client can only redirect an incoming port to itself (the same IP the request comes from). |
| ''serial_number'' | string | no | //(none)// | Serial number to report in the XML root description. |
| ''use_stun'' | boolean | no | ''0'' | Use a STUN server to resolve the external IP. Conflicts with the ''external_ip'' option. |
| ''stun_host'' | string | no | //(none)// | The STUN server to use, e.g. ''stun.cloudflare.com'' or ''stun2.l.google.com''. |
| ''stun_port'' | integer | no | ''3478'' | The STUN server port. |
| ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in the specified lease file, like DHCP leases. |
| ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of the miniupnpd daemon uptime. |

| ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule. Can be x, x-y, or x:y. |

===== NAT-PMP/PCP =====

To enable NAT-PMP and disable UPnP, edit the ''/etc/config/upnpd'' file so that the ''upnpd'' section named ''config'' contains:

<code>
config upnpd 'config'
	option enable_natpmp '1'
	option enable_upnp '0'
</code>

Or you can do the same with the following commands:

<code>
uci set upnpd.config.enable_natpmp=1
uci set upnpd.config.enable_upnp=0
# write the staged changes to /etc/config/upnpd so they survive a reboot
uci commit upnpd
/etc/init.d/miniupnpd restart
</code>

===== Notes =====
After installing and enabling, do not forget to restart the firewall.

===== Security =====
CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]].