Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:upnp:miniupnpd [2024/09/03 21:05] – [config upnpd 'config'] stun stokito
docs:guide-user:firewall:upnp:miniupnpd [2024/09/03 21:51] – [NAT-PMP/PCP] copied from upnp_setup page stokito
Line 31: Line 31:
 | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present.  If specified the uci options are not used, except that external_iface determines the iptables table used. | | ''config_file'' | string | no | //(none)// | Use the specified configuration file if present.  If specified the uci options are not used, except that external_iface determines the iptables table used. |
 | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second.  Note that this only information given to clients, it doesn't control the speed. |   | ''download'' | integer | no | //(none)// | Bandwidth available for traffic coming in from the external interface in kilobytes per second.  Note that this only information given to clients, it doesn't control the speed. |  
 +| ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. |
 | ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-[[https://tools.ietf.org/html/rfc6886|PMP]] and [[https://tools.ietf.org/html/rfc6887|PCP]]. | | ''enable_natpmp'' | boolean | no | ''1'' | Enable NAT-[[https://tools.ietf.org/html/rfc6886|PMP]] and [[https://tools.ietf.org/html/rfc6887|PCP]]. |
 | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. | | ''enable_upnp'' | boolean | no | ''1'' | Enable UPnP. |
 | ''external_iface'' | string | no | //(auto)// | External interface. The default is to autodetect the first interface with a default route, which usually is ''wan''. | | ''external_iface'' | string | no | //(auto)// | External interface. The default is to autodetect the first interface with a default route, which usually is ''wan''. |
 | ''external_iface6'' | string | no | //(auto)// | External ipv6 interface. The default is to autodetect the first interface with a default route, which usually is ''wan6''. | | ''external_iface6'' | string | no | //(auto)// | External ipv6 interface. The default is to autodetect the first interface with a default route, which usually is ''wan6''. |
-| ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used.|+| ''external_ip'' | ipv4addr | no | //(none)// | Manually specified external IP - if not specified the default ipv4 address of the external interface is used. Conflicts with ''use_stun'' option. |
 |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) | |''internal_iface'' | string | no | ''lan'' | Space separated list of internal interfaces (lans) |
 | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. | | ''log_output'' | boolean | no | ''0'' | Log messages normally sent to stderr/out to syslog. |
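Review bot: the added ''upload'' row copies the grammar slip already present in the ''download'' row it is placed next to: "Note that this only information given to clients" should read "Note that this is only information given to clients". Since the row is being moved anyway, fix the sentence in both rows at once. Grouping ''upload'' beside ''download'' matches how the table already keeps the ''stun_*'' options together, so the move itself is fine. On the ''external_ip'' row, "Conflicts with ''use_stun'' option" tells the reader the two are mutually exclusive but not which one the init script honours if both are set; a short clause saying what happens would save a reader from advertising a stale manual address after turning STUN on.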
Line 44: Line 45:
 | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). | | ''secure_mode'' | boolean | no | ''1'' | Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from). |
 | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. | | ''serial_number'' | string | no | //(none)// | Specify serial number for XML Root Desc. |
-| ''use_stun'' | boolean | no | ''0'' | Use the STUN server to resolve an external IP. |+| ''use_stun'' | boolean | no | ''0'' | Use the STUN server to resolve an external IP.  Conflicts with ''external_ip'' option. |
 | ''stun_host'' | string | no | //(none)// | The STUN server to use e.g. ''stun.cloudflare.com'' or ''stun2.l.google.com''. | | ''stun_host'' | string | no | //(none)// | The STUN server to use e.g. ''stun.cloudflare.com'' or ''stun2.l.google.com''. |
 | ''stun_port'' | integer | no | ''3478'' | The STUN server port. | | ''stun_port'' | integer | no | ''3478'' | The STUN server port. |
-| ''upload'' | integer | no | //(none)// | Bandwidth available for traffic out the external interface in kilobytes per second. Note that this only information given to clients, it doesn't control the speed. | 
 | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. | | ''upnp_lease_file'' | string | no | //(none)// | Store active UPnP redirects in a lease file (specified), like DHCP leases. |
 | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. | | ''system_uptime'' | boolean | no | ''1'' | Use system uptime as UPnP uptime instead of miniupnpd daemon uptime. |
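Review bot: the new "Conflicts with ''external_ip'' option" sentence on the ''use_stun'' row mirrors the one added to ''external_ip'', which is good for consistency, but neither side says what the conflict results in (whether STUN is ignored, the manual address is ignored, or startup fails). State the behaviour here once, or link the two rows, so the table is the single place a reader needs to check. Minor style: there is a double space before "Conflicts". Removing the ''upload'' row from this position is correct given its relocation in the hunk above.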
Line 62: Line 62:
 | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule.  Can be x, x-y, or x:y. | | ''int_ports'' | portrange | no | ''0-65535'' | Range of ports on the internal side (destination) for this rule.  Can be x, x-y, or x:y. |
  
 +
 +===== NAT-PMP/PCP =====
 +
 +To enable NAT-PMP and disable the UPnP edit the ''/etc/config/upnpd'' file:
 +
 +<code>
 +        option 'enable_natpmp' '1'
 +        option 'enable_upnp' '0'
 +</code>
 +
 +
 +Or you can do this with following command:
 +
 +<code>
 +uci set upnpd.config.enable_natpmp=1
 +uci set upnpd.config.enable_upnp=0
 +/etc/init.d/miniupnpd restart
 +</code>
  
 ===== Notes ===== ===== Notes =====
 After installing and enabling, do not forget to restart the firewall. After installing and enabling, do not forget to restart the firewall.
 +
  
 ===== Security ===== ===== Security =====
 CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]]. CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]].
  
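Review bot: the ''uci'' sequence in the new NAT-PMP/PCP section never commits, so the two ''uci set'' lines are lost on reboot; add ''uci commit upnpd'' before ''/etc/init.d/miniupnpd restart''. The first ''<code>'' block shows the two ''option'' lines indented as if inside a section but omits the ''config upnpd 'config''' header they belong under, while the ''uci'' commands reference ''upnpd.config''; showing the header makes the two forms visibly equivalent. Wording nit in the lead sentence: "disable the UPnP" should be "disable UPnP". The section describes only how to switch protocols; since the Security caution below this hunk warns about mixing WAN and LAN interfaces, a one-line pointer from the new section to that caution (the interface options ''external_iface'' and ''internal_iface'' apply equally to NAT-PMP) would help readers who jump straight to this section.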
  • Last modified: 2024/09/04 14:32
  • by stokito