New Member
Posts: 35
Registered: ‎12-06-2013
Kudos: 10
Solutions: 1

ERlite 1.5 upnp2 secure mode?

Hi.

I did a quick search but I didn't find any relevant info, so...

I'm currently running/testing 1.5 final on EdgeRouter lite, great work so far.

The pppoe offload is a treat.

I'm currently using the new upnp2 daemon, and looking for instructions on how to define ACLs for the service.

Can someone please shed some light on the relevant commands,

since the user guide is still on ver. 1.4?

Can I allow/disallow port mapping requests from specific clients/IP addresses/SMB names/subnets?

Thanks.


All Replies
Member
Posts: 276
Registered: ‎11-16-2013
Kudos: 104
Solutions: 15

Re: ERlite 1.5 upnp2 secure mode?

[ Edited ]

@Stickygears wrote:

Hi.

I did a quick search but I didn't find any relevant info, so...

I'm currently running/testing 1.5 final on EdgeRouter lite, great work so far.

The pppoe offload is a treat.

I'm currently using the new upnp2 daemon, and looking for instructions on how to define ACLs for the service.

Can someone please shed some light on the relevant commands,

since the user guide is still on ver. 1.4?

Can I allow/disallow port mapping requests from specific clients/IP addresses/SMB names/subnets?

Thanks.


I've thought about writing a little primer, but have no time for it at the moment; if it will help, here is my basic config:

# show service upnp2 
 acl {
     rule 200 {
         action allow
         external-port 1024-65535
         local-port 0-65535
         subnet 192.168.2.0/24
     }
     rule 201 {
         action allow
         external-port 1024-65535
         local-port 0-65535
         subnet 192.168.1.0/24
     }
     rule 9000 {
         action deny
         description "Deny all"
         external-port 0-65535
         local-port 0-65535
         subnet 0.0.0.0/0
     }
 }
 listen-on switch0
 listen-on eth1
 nat-pmp enable
 secure-mode enable
 wan eth0

Rule 9000 is based on the standard recommendation: deny everyone who is not explicitly allowed.

The other two allow my home subnets (it's better to give them big rule numbers as well, in case you need to set a deny rule for specific ports or IPs).

UPD (found some time): in fact the ACLs are simple; if you use the recommended (default) values, allow or deny rules can be set in a couple of commands:

1. Allow subnet (allow 192.168.1.0/24 devices to create upnp map for local ports from 0 to 65535 on external ports from 1024 to 65535)

set service upnp2 acl rule 200 action allow
set service upnp2 acl rule 200 subnet 192.168.1.0/24

2. Allow host 

set service upnp2 acl rule 201 action allow
set service upnp2 acl rule 201 subnet 192.168.1.123/32

3. Deny subnet 

set service upnp2 acl rule 100 action deny
set service upnp2 acl rule 100 subnet 192.168.2.0/24

4. Deny host 

set service upnp2 acl rule 101 action deny
set service upnp2 acl rule 101 subnet 192.168.1.132/32

5. Deny external port (by default port will be disallowed for all subnets and internal devices ports)

set service upnp2 acl rule 50 action deny
set service upnp2 acl rule 50 external-port 3074

One more thing: deny rules must be applied before the allow rules (have a lower rule number) or they will not work.

New Member
Posts: 35
Registered: ‎12-06-2013
Kudos: 10
Solutions: 1

Re: ERlite 1.5 upnp2 secure mode?

Great.

Thanks. I appreciate the time you spent writing this (btw, this is wiki material if someone has access...).

My rules now look like:

acl {
    rule 100 {
        action deny
        external-port 1024-65535
        local-port 0-65535
        subnet 0.0.0.0/0
    }
    rule 200 {
        action allow
        external-port 1024-65535
        local-port 0-65535
        subnet 192.168.86.0/24
    }
}

so (to check my understanding), rule 100 above should be equivalent to a default "deny all",

and rule 200 should allow only the designated internal network to create port mappings via upnp2.

Correct?

Member
Posts: 276
Registered: ‎11-16-2013
Kudos: 104
Solutions: 15

Re: ERlite 1.5 upnp2 secure mode?

[ Edited ]

@Stickygears wrote:

Great.

Thanks. I appreciate the time you spent writing this (btw, this is wiki material if someone has access...).

My rules now look like:

acl {
    rule 100 {
        action deny
        external-port 1024-65535
        local-port 0-65535
        subnet 0.0.0.0/0
    }
    rule 200 {
        action allow
        external-port 1024-65535
        local-port 0-65535
        subnet 192.168.86.0/24
    }
}

so (to check my understanding), rule 100 above should be equivalent to a default "deny all",

and rule 200 should allow only the designated internal network to create port mappings via upnp2.

Correct?


Deny all should be the last rule in the list (and it's better to set external-port 0-65535, not the default 1024-65535). In "one more thing" I was talking about rules that exclude specific ports or hosts from networks where UPnP is allowed.
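To make the rule-ordering advice in the answers above concrete, here is an added Python model of the upnp2 ACL evaluation (not EdgeOS or miniupnpd code). It assumes, from the thread, that rules are checked in ascending rule-number order with first match winning and that an unset port range takes the quoted defaults; it evaluates the corrected rule set from the accepted answer and the deny-all-numbered-first attempt from the follow-up post, and reports a request that matches no rule as a fall-through so the effect of a short-ranged deny-all is visible.

```python
import ipaddress

# Assumed semantics (modelled from the thread, not from upnp2 source):
# first matching rule in ascending rule-number order decides; a request
# that matches no rule is returned as None (fall-through).
DEFAULT_EXT = (1024, 65535)   # thread's quoted default external-port range
DEFAULT_LOCAL = (0, 65535)    # thread's quoted default local-port range

def parse_range(text):
    """'3074' -> (3074, 3074); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def rule(number, action, subnet="0.0.0.0/0", external_port=None, local_port=None):
    """Build one ACL rule with the same fields as the CLI config."""
    return {
        "number": number, "action": action,
        "subnet": ipaddress.ip_network(subnet),
        "ext": parse_range(external_port) if external_port else DEFAULT_EXT,
        "local": parse_range(local_port) if local_port else DEFAULT_LOCAL,
    }

def evaluate(acl, client_ip, ext_port, local_port):
    """Return 'allow', 'deny', or None when no rule matches the request."""
    ip = ipaddress.ip_address(client_ip)
    for r in sorted(acl, key=lambda r: r["number"]):
        if (ip in r["subnet"] and r["ext"][0] <= ext_port <= r["ext"][1]
                and r["local"][0] <= local_port <= r["local"][1]):
            return r["action"]
    return None

# Follow-up post's first attempt: deny-all numbered below the allow rule,
# so it shadows every request from the allowed subnet.
WRONG_ORDER = [rule(100, "deny"), rule(200, "allow", "192.168.86.0/24")]

# Corrected per the accepted answer: specific denies first, allow next,
# deny-all last with the full external-port range.
FIXED = [
    rule(50, "deny", external_port="3074"),
    rule(101, "deny", "192.168.1.132/32"),
    rule(200, "allow", "192.168.1.0/24"),
    rule(9000, "deny", external_port="0-65535"),
]

# Deny-all left on the default 1024-65535 range: low external ports fall through.
SHORT_DENY_ALL = [rule(9000, "deny")]
```

Constructed request tuples such as `("192.168.1.10", 8080, 8080)` can be passed to `evaluate` to check a rule set before committing it on the router.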

New Member
Posts: 35
Registered: ‎12-06-2013
Kudos: 10
Solutions: 1

Re: ERlite 1.5 upnp2 secure mode?

[ Edited ]

OK, I fixed it according to your sample (deny all last), and it looks to play nice.

One question though:

Doesn't "Deny all should be the last rule in the list" contradict "deny rules must be applied before the allow rules", or is the default "deny all" a special case?

Thanks.

EDIT:

Never mind, I re-read your above comment on "one more thing". All clear now.