Feature Request: Allow/Deny use of upnp to specific devices on the LAN

[comet]

This came up because of a discussion on another board in this forum, but basically I would like to see a way to specify to only certain devices (such as game consoles) and absolutely nothing else are allowed to use upnp.  I don't know if this is possible because I have no idea how upnp works to begin with, but if it is possible then what I would like to see is the ability to create a list of devices (either identified by IP address or MAC address, whichever is easiest) that are allowed to use upnp (or if it's a deny list, then devices on the list would be denied access to upnp, but an allow list would be much easier to work with for most people since usually only a few devices need upnp).  Any device not listed on the allow list (or specifically denied on a deny list) would not be able to use upnp.

The reason for this is that upnp has been known for many years to be a security vulnerability, and many people disable it entirely for that reason, but that then causes problems with game consoles and maybe certain other specific devices.  So, if upnp could be allowed only for those devices that actually need it, and disallowed for everything else, then there would be no worry that (for example) malware running on a desktop computer could open a port for nefarious reasons.

Please note that I am just now trying to get into using something like OPNsense and I am not really up on the intricacies of networking - all my previous experience has been with off-the-shelf routers.  So it would not help someone like me to suggest that there is some convoluted way that this can be accomplished, unless there are "cookbook" style instructions that show step by step exactly how to do it.  That's why I wish there were just a simple way to make an allow or deny list and check a box to use it, if that's not something that would be very hard to implement.

[xinnan]

upnp can be enabled per interface.  These may be physical interfaces like the ports on the back of your opnsense or virtual interfaces + vlans.

You might need to spend $25 for a cheap managed switch if your opnsense only has 2 ports. 

Vlans can be difficult to conceptualize but you will get it if you try. 

Using tagged vlans is actually a great reason to use opnsense.  Powerful feature.

Lets say you decide to use VLANs, which would be smart (I was dumb).

You would just create virtual interfaces that equat to tagged vlans.  Then tag the ports on your switch according to what they connect to.  Then you can turn on upnp or not per virtual interface at your whim.  You can also firewall off the virtual interfaces from each other. 

BTW - Its already a feature. 

[comet]

upnp can be enabled per interface.  These may be physical interfaces like the ports on the back of your opnsense or virtual interfaces + vlans.

You might need to spend $25 for a cheap managed switch if your opnsense only has 2 ports. 

Vlans can be difficult to conceptualize but you will get it if you try. 

Using tagged vlans is actually a great reason to use opnsense.  Powerful feature.

Lets say you decide to use VLANs, which would be smart (I was dumb).

You would just create virtual interfaces that equat to tagged vlans.  Then tag the ports on your switch according to what they connect to.  Then you can turn on upnp or not per virtual interface at your whim.  You can also firewall off the virtual interfaces from each other. 

BTW - Its already a feature.

YOU AGAIN!!! Spouting more of your nonsense and gobbledygook.

Since you don't seem to take a hint, let me be more direct:  Please don't reply to anything I post.  Your replies are not helpful and you totally miss the point. You leave totally irrelevant comments on things that don't concern you.  In this case, I asked for a specific feature. You are not a developer, so you don't have any say in whether such a feature will be implemented.  Therefore you have absolutely nothing useful to say on this topic, and all you are trying to do is make yourself look oh-so-smart because you can figure out convoluted ways to do things that many other users (especially new users) neither can nor want to understand.  Just because there is a difficult way to do something doesn't mean it's not worthwhile to make it easier, otherwise we'd still be using a hand crank to start our automobiles.

The reason I asked for this feature was to make it simple for users to block the use of upnp by all devices except those that really need it.  That this can MAYBE be done by purchasing additional hardware and using a complicated configuration misses the whole point, because that's not simple, it's both difficult and costly.  Maybe not for those very experienced in networking, but certainly for many users.  Nobody ever asked a software developer for a way to make it harder to do something (except for a way to make it harder for hackers to get into your system, or something like that), yet that seems to be what you hear when you start to reply to a post.  Then you type paragraphs that are totally useless to anyone, and just annoying.

If you really think the methods you use are so great, why don't you document them in excruciating detail so that people can understand what the hell you are talking about.  Otherwise your replies are just unwanted noise. Saying "Vlans can be difficult to conceptualize but you will get it if you try" is not helpful because it's in no way related to the feature request, and you're not explaining how to use vlans for this specific purpose.  You might as well say "You can build a rocket ship that will take you to the moon using parts found in an automobile junkyard" - while that MIGHT be true, most people would have no idea how to do it.

What I asked for is definitely NOT already a feature.  OPNsense does have many useful features, many of which probably started as feature requests.  Why not make it simple for users to have a bit of extra security by only allowing certain specific devices to access upnp, rather than every device on the network.

By the way there is one other problem with your "add another interface" idea - if the router is not right next to the device that needs upnp, now you have to run an entire new network cable between that device and the router, and in some homes that could be quite costly.  Whereas if you can limit access by ip address or mac address, your device stays on the same network as everything else and you don't need to spend a penny.  In some homes a game console will be in an upstairs bedroom while the router is in the basement.

I would really appreciate it if you would refrain from replying to anything I may post in the future, because everything you have written so far has been useless and exceedingly annoying as far as I'm concerned.

[xinnan]

I get your anger.  I do.  My son likes security also.  He also loves STEAM )-:
Took me a while to figure out why I needed to replace my switchs.  I'm a slow learner.
It's the same reason why the rules in a firewall have interface tabs and not device tabs.
But sure - Not a problem.  I will just read along silently.  Should be interesting.   

[comet]

I get your anger.  I do.

No, you don't because you're still not a developer, and you're still replying.

I am requesting a specific feature that would make life a lot easier for many users.  If you can't add that feature, or explain why it can't/won't be added (NOT why YOU may think I don't need it), then your post isn't relevant to this thread.

The other reason you tick me off is because much of what you post appears to just be bragging, like you are in effect saying "Hey, look at me, I'm so smart and you're so stupid because I can figure out complicated workarounds and you can't!"  Which may be true, but it's obnoxious when you come off that way.  If you wanted to be helpful you would at least post HOW you do these things instead of just posting that you CAN do them, keeping in mind that you can't assume much in the way of prior knowledge on the part of the reader. And the other thing is, when someone specifically states upfront that they do not wish to do a particular thing (such as allow every device on the LAN to use upnp) and you totally ignore that and say they should just do the very thing that they are adamant that they don't want to do, that is super annoying.

The point you keep missing is that a game that has no problem working WITHOUT upnp being enabled on an off-the-shelf router from a big box store should also be able to work in the same way under a software router such as OPNsense (and it well might work in OPNsense, I won't be able to try it until sometime this weekend at the earliest.  But it didn't work in that other software).  One should not need to enable upnp, buy extra hardware, run additional network cable, or have a degree in networking to make it all work.  But that said, I have read enough to realize that if you have more than one of the same game console on your network, you might need to use upnp to get them to work simultaneously, and that's why I thought that if you absolutely must use upnp, it would be great if you could limit it to just those devices that actually require it without making it available to the entire network.

(For anyone else reading this, part of this refers to a conversation in another thread.)

[xinnan]

Sigh.  I'm sure your feature will be there soon. 

[ChrisH]

YOU AGAIN!!! Spouting more of your nonsense and gobbledygook.

He suggested a perfectly reasonable solution.

You leave totally irrelevant comments on things that don't concern you.

No, he tries to help. You know, as you do on forums. If the functionality of a feature can be fulfilled with existing means, the devs can concentrate on things that aren't.

Then you type paragraphs that are totally useless to anyone, and just annoying.

To you, maybe. You think you are the only one who reads this thread?

By the way there is one other problem with your "add another interface" idea - if the router is not right next to the device that needs upnp, now you have to run an entire new network cable between that device and the router, and in some homes that could be quite costly.

See, that's what VLANs are meant for. Separating connections without running additional cables. Cool, eh?

That said, a little googling turns up this:
http://www.tomshardware.co.uk/answers/id-2349408/disable-upnp-client.html
Try blocking ports UDP/1900 and TCP/5000 on the OPNsense box via firewall rules, and open them up only for those devices that you want to use UPnP.

[comet]

YOU AGAIN!!! Spouting more of your nonsense and gobbledygook.

He suggested a perfectly reasonable solution.

Another newbie chimes in.  Again, unless you are a developer, you really have no business chiming in on this thread (not in the way you have), because you have no say in whether this feature will be enabled.

Just because there is a difficult or hard to understand method that MIGHT work doesn't mean it couldn't be made more user-friendly.  If the developers feel that it is a waste of time to make things easier for users (particularly when it comes to increasing security) that's one thing.  But I don't get why, in this forum, other "newbies" seem to feel it's okay to usurp the role of a developer or an administrator.

I do appreciate the link to the Tom's Hardware article, unfortunately that doesn't explain how to set up that type of port blocking in OPNsense.  What you and xinnan don't seem to appreciate is that some users of OPNsense have never touched a software package such as this before; our entire prior experience is with off-the-shelf routers, and honestly the documentation that exists seems to be written for advanced users, and doesn't really explain some of the ways things are done very well.  For example you mention VLANs which I do not understand at all, but then again for right now I'm just trying to get this thing set up to replace an Asus router and I get frustrated that things that are drop dead simple on the Asus seem to be so complicated in OPNsense.  Maybe someday I will understand all this stuff but all I'm really trying to get is a little assistance for new users built into the web GUI.

With regard to the port blocking, I could set it up the way I might think it should work, but with my luck whatever rules I made wouldn't do a damn thing and would still allow every device on the LAN to use upnp.  I just don't feel real secure about having to guess how such rules should be created.

[xinnan]

The magic words on a forum are "OK.  How do I do that?"  Try it.  Everyone will help.
If you have multiple devices you want to apply this rule to, might ask how to create aliases.
Malware can be crafty though, like spoofing IPs and it might only block some of the threats. 
Dumb switches really limit what the firewall can do for you in a fool-proof way.

[comet]

The magic words on a forum are "OK.  How do I do that?"  Try it.

I do that when I am talking to someone that I think might be capable of giving help I can understand, and not spouting obfuscated nonsense that is way over the head of a new user.

You'll notice I haven't asked you that.  Don't hold your breath.

Generally, if someone else is a newbie like me, and especially if their previous posts have come off like a lot of gibberish, I figure asking them for help would put me in the situation of the blind leading the blind.  I like conversing with people who can give clear, understandable answers, and not just try to show off how much they know to impress I don't know who, but leave new users wondering what on earth they're babbling about.

However, since you think I should ask questions, here's one for you:  "How do I get someone who's not a developer and who has no say whatsoever about what feature requests will be acted on to stop replying to a thread about a feature request?"

[ChrisH]

Another newbie chimes in.

Well, at least I actually know how to use this product. If that makes me a "newbie", what exactly are you?

Again, unless you are a developer, you really have no business chiming in on this thread

It's a public forum. You don't get to decide who posts where and who doesn't.
If you don't like that, you can always write emails or get paid support.

But I don't get why, in this forum, other "newbies" seem to feel it's okay to usurp the role of a developer or an administrator.

Because we want to help. Isn't that nice?

do appreciate the link to the Tom's Hardware article, unfortunately that doesn't explain how to set up that type of port blocking in OPNsense.  What you and xinnan don't seem to appreciate is that some users of OPNsense have never touched a software package such as this before; our entire prior experience is with off-the-shelf routers, and honestly the documentation that exists seems to be written for advanced users, and doesn't really explain some of the ways things are done very well.

Maybe you should learn how to use OPNsense first, and THEN rush off and demand new features? Just a thought.

With regard to the port blocking, I could set it up the way I might think it should work, but with my luck whatever rules I made wouldn't do a damn thing and would still allow every device on the LAN to use upnp.  I just don't feel real secure about having to guess how such rules should be created.

Sorry, but then you have no business administrating a firewall.
I agree the OPNsense documentation is a bit high-level, but demanding a clicky-clicky feature for every functionality you don't understand is not a sensible approach.

[fabian]

=================
MODERATOR NOTE
=================

Hi,

sorry to disturb you here but I have to ask you to keep friendly to each other. Insults or other bad behaviour is not tolerated here (in extreme situations, an account gets blocked).
The forum answers usually come from private individuals who use their free time in order to help other people.
You may get an alternative solution or a solution not fitting into your network setup if your question was not specific enough.

==========================
Information on Feature Requests
==========================


Feature request should go to the plugins issue tracker here: https://github.com/opnsense/plugins/issues/
Create a new issue looking like that:
Title: net/upnp: your problem here
Write: add a verbose description what is not working and why this feature is needed.

If there is somebody willing to add the feature it may be added.
The maintainer of the os-upnp plugin is Franco, who is a core maintainer so his time to work on this plugin might be very limited.

Plugin in the plugins repository:
https://github.com/opnsense/plugins/tree/master/net/upnp

[comet]

Maybe you should learn how to use OPNsense first, and THEN rush off and demand new features? Just a thought.

Where, exactly, did I DEMAND anything?  The very title of this thread starts with "Feature Request".

=====

Feature request should go to the plugins issue tracker here: https://github.com/opnsense/plugins/issues/
Create a new issue looking like that:
Title: net/upnp: your problem here
Write: add a verbose description what is not working and why this feature is needed.

If there is somebody willing to add the feature it may be added.
The maintainer of the os-upnp plugin is Franco, who is a core maintainer so his time to work on this plugin might be very limited.

Thank you so much for this information, I had wondered if there was a better place to submit a feature request but I hadn't found it.  I do realize that someone has to be willing to add the feature, and I had no expectation that someone would just drop everything to work on it, it was just a suggestion really.  What ticked me off was the apparent attitude of a couple of people (who are newbies just like me) that if there's already a hard way to do something, nobody should ever suggest that it be made easier.  I just don't understand that mentality, because if it weren't for the desire of people to make things easier, neither computers nor software would exist in the first place.

Thank you again, now that I know where the issue tracker is I won't be posting in this thread anymore.

[franco]

Comet, your intentions are honourable, the execution a wee bit less so. We are here in a sharing and learning mood and like to keep it that way. There are varying degrees of knowledge, no doubt, but when we start asserting we know more than others we go down a slippery slope as seen here. If there are non-helpful replies, they are non-helpful to you, but maybe not for others. An open mind and suspended judgement go a long way to takle the actual questions: what is required to implement this feature? Firewall rules? Upnp Settings in its config? Half of the time I have to look this up as well and more replies help root out the community need. Very helpful to contributors.


Cheers,
Franco

[ljm42]

what I would like to see is the ability to create a list of devices (either identified by IP address or MAC address, whichever is easiest) that are allowed to use upnp (or if it's a deny list, then devices on the list would be denied access to upnp, but an allow list would be much easier to work with for most people since usually only a few devices need upnp).  Any device not listed on the allow list (or specifically denied on a deny list) would not be able to use upnp.

Another newbie here. Apologies in advance if I'm misinterpreting something, but... I think OPNsense already does what you're looking for.

I have 17.7.7 with the UPNP plugin installed.  Under Services -> Universal Plug and Play -> Settings, it looks like you would put a checkmark next to "Default deny" and then fill in up to four exceptions. The help shows the expected format.

If the xbox is at 192.168.1.50, then it looks like the setting would be:
  allow 1024-65535 192.168.1.50 1024-65535
At that point, the xbox should be the only device on the network able to use UPNP.

Or am I missing something?