Emerging Member
Posts: 112
Registered: ‎12-06-2015
Kudos: 23
Solutions: 5

Re: uPnP in my usg

Thank you! :)
Member
Posts: 248
Registered: ‎12-21-2016
Kudos: 27
Solutions: 4

Re: uPnP in my usg

Hi all,

Any idea how to remove UPnP rules?

Thanks,

Mike

Emerging Member
Posts: 112
Registered: ‎12-06-2015
Kudos: 23
Solutions: 5

Re: uPnP in my usg

What rules? You mean turn off UPnP?

I would assume that you remove the config file (or the part about UPnP) and then reprovision your gateway.
Member
Posts: 248
Registered: ‎12-21-2016
Kudos: 27
Solutions: 4

Re: uPnP in my usg

Hi. Via upnp a couple of rules have been added. They cannot be edited (which makes sense...) but also there is no delete option.
So I wonder how I can remove such rules..

Disabling upnp is an option, but sounds more like the last and ultimate resort.
SuperUser
Posts: 6,936
Registered: ‎01-10-2012
Kudos: 3592
Solutions: 343

Re: uPnP in my usg


mbrust wrote:
Hi. Via upnp a couple of rules have been added. They cannot be edited (which makes sense...) but also there is no delete option.
So I wonder how I can remove such rules..

Disabling upnp is an option, but sounds more like the last and ultimate resort.

Well, you get one half of it - they can't be edited because they are automatic. That's also why they can't be deleted. I've not seen any implementation of UPnP that lets you edit individual rules. That's kind of the point of automatic stuff like this.

Which is also why stuff like this is a really bad idea. I'll use UPnP only if the ports required aren't documented, take note of what gets configured, then turn it off and go manually create the rules I need.

Yes, it's a bit more hassle, but there is plenty of malware out there that tries to open up stuff via UPnP - and anyone with basic knowledge of UPnP can easily manipulate it for whatever they want. If you care about your firewall being effective it's best to skip UPnP and configure the rules yourself.

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudo's to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Member
Posts: 248
Registered: ‎12-21-2016
Kudos: 27
Solutions: 4

Re: uPnP in my usg

Thank you for the guidance, Eric.
I think to use upnp for troubleshooting only, temporarily, sounds like a good approach!
Regular Member
Posts: 509
Registered: ‎04-22-2016
Kudos: 94
Solutions: 39

Re: uPnP in my usg

@mbrust

In the current unstable controller 5.6.3, UPnP can be switched on/off in the GUI.

[attached screenshot: 20170421_150910.png]
New Member
Posts: 8
Registered: ‎09-09-2014
Solutions: 1

Re: uPnP in my usg


cempa wrote:

@mbrust

In the current unstable controller 5.6.3, UPnP can be switched on/off in the GUI.

[attached screenshot: 20170421_150910.png]

Man, I wish this would hurry and be released. I've been trying to follow the directions to edit the config.properties file, and I'm pure Windows, so things are both confusing and problematic because of line endings.

Member
Posts: 248
Registered: ‎12-21-2016
Kudos: 27
Solutions: 4

Re: uPnP in my usg

Agree. I am running now 5.6.7 in my private environment and I am very happy with this release.
New Member
Posts: 1
Registered: ‎07-24-2017

Re: uPnP in my usg


I may be necroing this or it may be redundant... just wanted to add some useful information all in one place.

If you have a USG and utilize the dual WAN functionality it's possible to activate UPNP2 for both WANs using the config.gateway.json file like so:

{
    "service": {
        "upnp2": {
            "listen-on": [
                "eth1"
            ],
            "nat-pmp": "enable",
            "secure-mode": "enable",
            "wan": "eth0,eth2"
        }
    }
}

If you want to do this via the PuTTY console, first log in to a session, then use the following commands:

configure
set service upnp2 listen-on eth1
set service upnp2 wan eth0,eth2
set service upnp2 nat-pmp enable
set service upnp2 secure-mode enable
commit
save
exit

You actually type exit to leave "configuration mode"; the session will still be open.

If you want to see what this did to your configuration then use this command:

mca-ctrl -t dump-cfg

You can copy/paste this output if needed, or redirect it to a file:

mca-ctrl -t dump-cfg > config.txt

Once this is completed you can force a provision or reboot the router to ensure the changes are active.

There is a "Force Provision" button on the Config -> Manage Device screen.

To verify that UPNP2 is working, open another PuTTY session to your router and type the following command:

show upnp2 rules

If it comes back with output like the example below, it's working:

Firewall pin holes
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.X          udp dpt:xxxxx

NAT port forwards
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:xxxxx to:192.168.1.X:xxxxx
 pkts bytes target     prot opt in     out     source               destination

For mine to be persistent I had to add it into my config.gateway.json using the first text in this reply.

The file is located at C:\Users\[username]\data\sites\[sitename]\config.gateway.json

If you want to remove either UPNP (version 1) or UPNP2, I believe you can use these commands:

delete service upnp

delete service upnp2

Also make sure to remove it from your config.gateway.json file.

To clear automatic rules entered by UPNP or UPNP2 you just need to clear the iptables.

This can be completed by restarting the router or using the following command:

clear connection-tracking
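
Eric's approach earlier in the thread (use UPnP only to learn which ports a device wants, note them, then switch UPnP off and create the rules by hand) and the show upnp2 rules / config.gateway.json procedure in the post above can be turned into one small script. The following is an added example written for this thread, not code from any of the posts or from Ubiquiti: it parses a show upnp2 rules dump in the format shown above, emits the equivalent static port-forward rules, and lints the upnp2 section of config.gateway.json for the two settings the thread touches on (secure-mode and which interfaces it listens on). The set port-forward command tree and the matching JSON keys are an assumption about the USG's EdgeOS-style config syntax, the WAN_IN chain name mentioned in a comment is likewise assumed, and every sample value in the block is constructed.

```python
"""Audit the USG's UPnP state and turn it into static rules.

Added example for this thread, not code from the posts or from Ubiquiti.
Assumptions: the `show upnp2 rules` dump format shown in the thread
(iptables-style tables under "Firewall pin holes" and "NAT port forwards"),
the config.gateway.json layout of the upnp2 service, and an EdgeOS-style
`set port-forward ...` tree for the static replacement rules.
All sample data below is constructed.
"""
import json
import re

# Constructed dump in the shape the thread shows; hosts and ports are made up.
SAMPLE_DUMP = """\
Firewall pin holes
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.20         udp dpt:3074
   12  1840 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.30         tcp dpt:51413

NAT port forwards
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:192.168.1.20:3074
   12  1840 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6881 to:192.168.1.30:51413
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed upnp2 section with the weak choices the linter should catch:
# no secure-mode, and the control interface listening on a WAN port.
WEAK_UPNP2 = {"listen-on": ["eth1", "eth0"], "nat-pmp": "enable", "wan": "eth0,eth2"}

FORWARD_RE = re.compile(
    r"\bDNAT\s+(?P<proto>tcp|udp)\b.*?\bdpt:(?P<ext>\d+)\s+to:(?P<host>\d+(?:\.\d+){3}):(?P<int>\d+)")
PINHOLE_RE = re.compile(
    r"\bACCEPT\s+(?P<proto>tcp|udp)\b.*?\s(?P<host>\d+(?:\.\d+){3})\s+(?P=proto)\s+dpt:(?P<port>\d+)")


def parse_upnp_rules(dump):
    """Split a `show upnp2 rules` dump into DNAT forwards and ACCEPT pinholes."""
    forwards, pinholes = [], []
    for line in dump.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forwards.append({"protocol": m["proto"], "original_port": int(m["ext"]),
                             "address": m["host"], "port": int(m["int"])})
            continue
        m = PINHOLE_RE.search(line)
        if m:
            pinholes.append((m["proto"], m["host"], int(m["port"])))
    return forwards, pinholes


def unguarded_forwards(forwards, pinholes):
    """DNAT entries with no ACCEPT pinhole for the internal host:port.

    Such traffic is translated but still hits the inbound chain's default drop
    (WAN_IN on EdgeOS-style firewalls; assumed name), so the forward is dead."""
    have = set(pinholes)
    return [f for f in forwards if (f["protocol"], f["address"], f["port"]) not in have]


def to_edgeos_commands(forwards, wan_interface="eth0", start=1):
    """Static replacements for the automatic forwards; auto-firewall recreates the pinholes."""
    cmds = ["set port-forward auto-firewall enable",
            f"set port-forward wan-interface {wan_interface}"]
    for n, f in enumerate(forwards, start):
        cmds += [
            f"set port-forward rule {n} description 'from-upnp {f['protocol']}/{f['original_port']}'",
            f"set port-forward rule {n} forward-to address {f['address']}",
            f"set port-forward rule {n} forward-to port {f['port']}",
            f"set port-forward rule {n} original-port {f['original_port']}",
            f"set port-forward rule {n} protocol {f['protocol']}",
        ]
    return cmds


def to_gateway_json(forwards, wan_interface="eth0", start=1):
    """The same rules as a config.gateway.json fragment (string values, as the config tree uses)."""
    rules = {str(n): {"description": f"from-upnp {f['protocol']}/{f['original_port']}",
                      "forward-to": {"address": f["address"], "port": str(f["port"])},
                      "original-port": str(f["original_port"]),
                      "protocol": f["protocol"]}
             for n, f in enumerate(forwards, start)}
    return {"port-forward": {"auto-firewall": "enable", "wan-interface": wan_interface, "rule": rules}}


def check_upnp2(upnp2):
    """Lint an upnp2 section; each finding is a setting worth changing before relying on it."""
    findings = []
    wans = set(upnp2.get("wan", "").split(","))
    if upnp2.get("secure-mode") != "enable":
        # Without secure-mode a LAN client may request mappings that point at other hosts.
        findings.append("secure-mode not enabled: a LAN host may map ports to other hosts")
    for iface in upnp2.get("listen-on", []):
        if iface in wans:
            findings.append(f"listen-on includes WAN interface {iface}: control interface faces the Internet")
    return findings


if __name__ == "__main__":
    fwds, holes = parse_upnp_rules(SAMPLE_DUMP)
    print("\n".join(to_edgeos_commands(fwds)))
    print(json.dumps(to_gateway_json(fwds), indent=4))
    print("unguarded:", unguarded_forwards(fwds, holes))
    print("findings:", check_upnp2(WEAK_UPNP2))
```

Run it against a dump taken while the devices are actually in use, since the automatic entries only exist while a client holds a mapping. The port-forward tree here assumes a single wan-interface, so the dual-WAN case in the post above (eth0,eth2) is not covered by the block, and anything it lists as unguarded should be checked by hand before UPnP is switched off.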
