Universal Plug'n'Play
by Frex
Universal Plug'n'Play (UPnP) is a set of networking protocols originally promoted by Microsoft. Its Internet Gateway Device (IGD) profile lets a program on the LAN ask the router to create the port forwardings it needs. Nowadays many programs rely on it to be reachable from the Internet: video conference software, Internet phones, BitTorrent clients, and some game consoles such as the Xbox 360 and the PlayStation 3.
If port forwarding is not set up properly, these programs may work poorly or not at all. UPnP basically allows a program to ask the router to open the necessary ports, without any intervention from the user.
This works because the UPnP IGD service honours a port mapping request from any host on the LAN: there is no authentication at all, and the request can even name a different LAN host as the target of the mapping. For this reason there is a security risk associated with enabling UPnP on your router: a worm or malware program that gets onto any machine on the LAN can use it to expose ports on that machine, or on other machines, to the Internet.
Thus it is recommended to set up port forwarding manually whenever possible and leave UPnP disabled. However, some applications need mappings that change from run to run; there manual port forwarding becomes impractical, leaving the user with no other option than to enable UPnP.
Setting up UPnP in backfire
Backfire, the current stable version of OpenWrt, relies on miniupnpd to provide UPnP support. To enable it, follow these instructions:
- Connect to the router interface, for a default install click the following link http://192.168.1.1
- Select the Administration mode
- Now click on Overview > LuCI components
- Install the package luci-app-upnp
- Now click on Services > UPNP
- Put a check mark on Enable UPNP, save and apply.
Because of a bug, miniupnpd isn't started automatically after this step. Until the bug gets fixed, you'll have to enable and start it manually:
- From within LuCI, click on Services > Initscripts.
- Scroll down to miniupnpd
- Click on Enable (this will make miniupnpd start automatically on subsequent reboots)
- Click on Start
The same operation can be performed from a shell:
root@OpenWrt# /etc/init.d/miniupnpd enable
root@OpenWrt# /etc/init.d/miniupnpd start
Checking if UPnP is working
Click on Status > Firewall. If UPnP has been properly enabled, the chains zone_wan_forward and zone_wan_prerouting will both contain an entry named "miniupnpd": this is a jump to the chain in which miniupnpd adds one rule per port mapping. If any UPnP application is running, you will find its port mappings there. Note that if you have just enabled UPnP, your application may need to be restarted so that it asks the router for its mappings again.
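The firewall status page shows the mappings from the router's side. The following script, an added example that is not code from this page or from miniupnpd, shows the same check from a LAN host, and at the same time illustrates the earlier point that nothing in an AddPortMapping request identifies or authenticates the caller: it multicasts an SSDP M-SEARCH, fetches the device description, locates the WANIPConnection control URL and walks GetGenericPortMappingEntry until the gateway reports the end of its table. It uses only the Python standard library; the gateway address and mapping values in the sample inputs are assumptions for illustration.

```python
"""Minimal UPnP IGD client: discover the gateway via SSDP, enumerate its port
mappings and, optionally, add one. Added example, not from the OpenWrt page
or from miniupnpd. Standard library only."""
import socket
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"


def build_msearch(st=IGD_ST, mx=2):
    """SSDP discovery request, multicast to 239.255.255.250:1900."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def ssdp_location(reply):
    """Extract the LOCATION header (device description URL) from an SSDP reply."""
    for line in reply.decode(errors="replace").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def discover(timeout=3.0):
    """Send one M-SEARCH and return the first gateway's description URL, or None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_HOST, SSDP_PORT))
    try:
        return ssdp_location(sock.recvfrom(4096)[0])
    except socket.timeout:
        return None
    finally:
        sock.close()


def control_url(description_xml, base_url):
    """Find the WANIPConnection controlURL in a device description document."""
    for svc in ET.fromstring(description_xml).iter(DEV_NS + "service"):
        if svc.findtext(DEV_NS + "serviceType") == WANIP:
            # controlURL is normally relative to the description URL
            return urljoin(base_url, svc.findtext(DEV_NS + "controlURL"))
    return None


def soap_envelope(action, args):
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{WANIP}">{body}</u:{action}></s:Body></s:Envelope>').encode()


def soap_fields(response_xml):
    """Collect the un-namespaced New* argument elements of a SOAP response."""
    return {el.tag: (el.text or "") for el in ET.fromstring(response_xml).iter()
            if el.tag.startswith("New")}


def soap_call(url, action, args):
    req = urllib.request.Request(url, data=soap_envelope(action, args), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP}#{action}"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:   # IGDs report UPnP errors as HTTP 500
        return e.code, e.read()


def list_mappings(url):
    """Walk GetGenericPortMappingEntry from index 0 until the index is rejected."""
    mappings, index = [], 0
    while True:
        status, body = soap_call(url, "GetGenericPortMappingEntry", {"NewPortMappingIndex": index})
        if status != 200:
            return mappings   # UPnP error 713 SpecifiedArrayIndexInvalid: end of table
        mappings.append(soap_fields(body))
        index += 1


def add_mapping(url, ext_port, int_port, client, proto="TCP", lease=0, desc="example"):
    """AddPortMapping: note that no credential of any kind travels in this request,
    and NewInternalClient may name any LAN host, not only the caller."""
    return soap_call(url, "AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": client,
        "NewEnabled": 1, "NewPortMappingDescription": desc, "NewLeaseDuration": lease})


if __name__ == "__main__":
    loc = discover()
    if not loc:
        sys.exit("no IGD answered the M-SEARCH")
    with urllib.request.urlopen(loc, timeout=5) as r:
        ctl = control_url(r.read(), loc)
    for m in list_mappings(ctl):
        print(m["NewProtocol"], m["NewExternalPort"], "->",
              m["NewInternalClient"], m["NewInternalPort"], m["NewPortMappingDescription"])
```

Run it from any LAN host after enabling UPnP: every mapping it prints should correspond to a rule in the miniupnpd chain of the firewall status page. Calling add_mapping() with the control URL creates a forwarding in exactly the way a BitTorrent client or a piece of malware would; remove it afterwards with a DeletePortMapping call or by restarting miniupnpd.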
NAT-PMP
NAT-PMP is a technology similar to UPnP that originates from Apple. Unlike UPnP, it is documented through the IETF (RFC 6886), and a number of Windows and Linux applications support it. NAT-PMP is supported in Backfire, although in older Release Candidates it can only be enabled manually. From a shell, edit the /etc/config/upnpd file and add the following line:
option 'enable_natpmp' '1'
You also need to apply changeset 25251: it is basically a matter of editing /etc/init.d/miniupnpd, something you can do directly on your live router using nano. Be advised that if the patch is not applied correctly, miniupnpd might stop working.
Finally, you may need to execute the following command:
root@OpenWrt:~# uci set upnpd.config.enable_natpmp=1
root@OpenWrt:~# /etc/init.d/miniupnpd restart
Checking if NAT-PMP is working
From a shell, issue the command:
root@oberon:~# logread | grep -i "\-pmp"
If NAT-PMP is enabled you'll see something like this:
Mar 24 21:16:59 OpenWrt daemon.notice miniupnpd[2631]: Listening for NAT-PMP traffic on port 5351
Otherwise you will see no message.
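The log line only tells you that the daemon is listening. To confirm from a LAN host that it actually answers, the following script, an added example that is not code from this page or from miniupnpd, speaks the protocol directly: it packs the fixed-size NAT-PMP requests of RFC 6886 (public address query, then a TCP mapping request), sends them to UDP port 5351 on the gateway and decodes the replies. It also makes visible a design difference from UPnP that matters for security: a NAT-PMP mapping request has no field for the internal client address, so the gateway can only ever map to the host that sent the packet. The gateway address 192.168.1.1 and the port and lifetime values are assumptions for illustration.

```python
"""Minimal NAT-PMP client (RFC 6886): public address query and port mapping.
Added example, not from the OpenWrt page or from miniupnpd."""
import socket
import struct
import sys

NATPMP_PORT = 5351
OP_PUBLIC_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_public_address_request():
    """2 bytes: version 0, opcode 0."""
    return struct.pack("!BB", 0, OP_PUBLIC_ADDR)


def build_mapping_request(opcode, internal_port, external_port=0, lifetime=7200):
    """12 bytes: version, opcode, reserved, internal port, suggested external port,
    lifetime in seconds (0 deletes the mapping). There is no client-address field:
    the gateway maps to the source IP of this packet and nothing else."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be 1 (UDP) or 2 (TCP)")
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)


def parse_public_address_response(data):
    """12 bytes: version, opcode|128, result, seconds since epoch, public IPv4 address."""
    ver, op, result, epoch, addr = struct.unpack("!BBHI4s", data[:12])
    if ver != 0 or op != 128 + OP_PUBLIC_ADDR:
        raise ValueError("not a public-address response")
    return {"result": result, "epoch": epoch, "address": socket.inet_ntoa(addr)}


def parse_mapping_response(data):
    """16 bytes: version, opcode|128, result, epoch, internal port, mapped external port,
    granted lifetime. The gateway may change the external port and the lifetime."""
    ver, op, result, epoch, iport, eport, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if ver != 0 or op not in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        raise ValueError("not a mapping response")
    return {"result": result, "status": RESULT_CODES.get(result, "unknown"), "epoch": epoch,
            "proto": "UDP" if op == 128 + OP_MAP_UDP else "TCP",
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}


def natpmp_exchange(gateway, request, timeout=2.0):
    """One request/response round trip over UDP; raises socket.timeout if nothing answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(request, (gateway, NATPMP_PORT))
        return sock.recvfrom(64)[0]
    finally:
        sock.close()


if __name__ == "__main__":
    gw = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumed: default OpenWrt LAN address
    print(parse_public_address_response(natpmp_exchange(gw, build_public_address_request())))
    # a 60-second TCP mapping for port 6881 (assumed values); it expires on its own
    print(parse_mapping_response(natpmp_exchange(gw, build_mapping_request(OP_MAP_TCP, 6881, 6881, 60))))
```

If enable_natpmp is off, the first exchange times out; if it is on, the mapping reply should show result 0 and, while the lifetime runs, a matching rule in the miniupnpd chain of the firewall status page.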
Security considerations
As UPnP provides no authentication mechanism, it is commonly regarded as one giant security hole. A great deal of concern was also generated by the discovery, in 2001, of a buffer overflow vulnerability in the UPnP stack of Windows XP which made it possible to obtain SYSTEM level access; some institutions recommended disabling it altogether. For a historical perspective, see this page from Gibson Research.
It has also been speculated that the design flaws in UPnP would lead to a new class of attacks relying on it. More information about this and possible exploits can be found on UPnP Hacks.
It should be pointed out that, more than ten years after its first deployment, most of these concerns have deflated and the much anticipated UPnP armageddon has failed to materialize. UPnP is in wide use with no particular consequences. Still, like every network service, it increases the attack surface of a system and should not be used if not necessary. If you do enable it, make sure the daemon is reachable only from the LAN: miniupnpd should listen on the LAN interface only, and the firewall must not accept SSDP (1900/udp) or the daemon's HTTP control port from the wan zone, otherwise anyone on the Internet could discover the router and request mappings on it.
NAT-PMP is a simpler design than UPnP (a few fixed-size UDP messages on port 5351 instead of SSDP discovery plus SOAP over HTTP), so an implementation has much less code to get wrong, and a NAT-PMP mapping can only point at the host that requested it. It is still unauthenticated, though: any program on any LAN host can ask for a mapping. For a discussion, see this page on Playcontrol. If your applications support both UPnP and NAT-PMP, you may want to disable UPnP and rely on NAT-PMP only. To do so, edit your /etc/config/upnpd accordingly:
option 'enable_natpmp' '1'
option 'enable_upnp' '0'
doc/howto/upnp.txt · Last modified: 2011/12/03 18:07 by frex