Following my recent purchase and deployment of a pfSense SG-4860, I’ve been working my way through the wealth of settings to get everything up and running. While taking a break I fired up my PlayStation 4 and found it wouldn’t connect out. A quick check showed it was trying to use ‘Universal Plug and Play’, a protocol that lets a client device ask a firewall to open ports for its communication. As it was vital I resolve this issue as quickly as possible, I jumped back onto my pfSense appliance to remedy the situation.
First off let’s get a little background on what Universal Plug and Play (UPnP) is as well as NAT Port Mapping Protocol (NAT-PMP) which is configured along with UPnP.
According to the Open Connectivity Foundation (the UPnP Forum ceased to exist and handed responsibility over to OCF) UPnP offers the following –
The UPnP architecture supports zero-configuration and automatic discovery whereby a device can:
- Dynamically join a network
- Obtain an IP address
- Announce its name
- Convey its capabilities upon request
- Learn about the presence and capabilities of other devices
- Leave a network smoothly and automatically without leaving any unwanted state information behind
NAT-PMP is described as follows –
NAT Port Mapping Protocol (NAT-PMP) is a network protocol for establishing network address translation (NAT) settings and port forwarding configurations automatically without user effort.
Good old Wikipedia has links you may find interesting –
- https://en.wikipedia.org/wiki/Universal_Plug_and_Play
- https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
Risks
It is important to mention that any service which allows a client device to dynamically open ports on a firewall can pose a risk to the network. UPnP & NAT-PMP are really aimed at home networks where users are unlikely to have the skills required to manage the router/firewall filtering rules. For them it is far easier to allow devices to negotiate and manage this. If we consider a corporate network then typically there is an administrator who manages the router/firewall and determines which ports should be allowed. This protocol set doesn’t use any form of authentication either. Think about what an attacker could do if they manage to compromise an internal endpoint and then use UPnP to punch holes in your firewall.
UPnP & NAT-PMP Basic Configuration
Basic UPnP & NAT-PMP can be configured by ticking three boxes and selecting the interfaces. This results in a setup that allows any device on the specified internal interfaces to conduct UPnP operations. For many home setups this probably works OK, but as mentioned previously you really don’t want to be running this sort of service on a corporate network.
To access the UPnP & NAT-PMP settings in pfSense browse to the ‘Services’ menu and then select ‘UPnP & NAT-PMP’ from the drop-down list.
Configuring the following options will give us our basic setup.
- Enable: Enabled UPnP & NAT-PMP ticked
- UPnP Port Mapping: Allow UPnP Port Mapping ticked
- NAT-PMP Port Mapping: Allow NAT-PMP Port Mapping ticked
- External Interface: [select your external interface in my example this is WAN]
- Interfaces: [select the interfaces where UPnP/NAT-PMP clients exist]
UPnP & NAT-PMP Advanced Configuration
OK so we have covered the most basic setup, now it’s time to do something a bit more interesting and configure our service to only allow specific devices to access the UPnP & NAT-PMP functionality.
- Enable: Enabled UPnP & NAT-PMP ticked
- UPnP Port Mapping: Allow UPnP Port Mapping ticked
- NAT-PMP Port Mapping: Allow NAT-PMP Port Mapping ticked
- External Interface: [select your external interface in my example this is WAN]
- Interfaces: [select the interfaces where UPnP/NAT-PMP clients exist]
- Default Deny: Deny access to UPnP & NAT-PMP by default ticked
‘Default Deny’, as the name implies, automatically denies any UPnP & NAT-PMP request from clients, meaning we need to list in an ACL (access control list) the clients that may take advantage of this functionality. In this way we have a degree of control over who we let use UPnP. This is my preferred way of running the service and I would recommend others do the same wherever possible.
The ACL format is pretty simple; let me give the syntax and then some examples.
Syntax –
[allow or deny] [external single port or range of ports] [single IP address or a range] [internal single port or range]
Examples –
- allow 1024-65535 192.168.2.2 1024-65535
- allow 17654 192.168.1.0/24 55000-65535
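To make the ‘Default Deny’ plus ACL behaviour concrete, here is an added Python example (my own illustration, not pfSense or miniupnpd code) that parses rules in the syntax above and answers whether a given client’s mapping request would be accepted. It assumes rules are evaluated top-down with the first match winning, and that ‘Default Deny’ decides any request matching no rule; the ACL text and the client IPs are constructed for the example.

```python
import ipaddress
import re

# Constructed ACL in the syntax the post describes (pfSense's miniupnpd rules):
#   [allow|deny] [external port or range] [IP or CIDR] [internal port or range]
CONSTRUCTED_ACL = """
allow 1024-65535 192.168.2.2 1024-65535
allow 17654 192.168.1.0/24 55000-65535
"""

def parse_ports(spec):
    """Turn '17654' or '1024-65535' into an inclusive (low, high) tuple."""
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", spec)
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return (low, high)

def parse_acl(text):
    """Parse one rule per line into (action, ext_ports, network, int_ports)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny ext ip int'")
        # strict=False lets a bare host like 192.168.2.2 parse as a /32 network
        network = ipaddress.ip_network(parts[2], strict=False)
        rules.append((parts[0], parse_ports(parts[1]), network, parse_ports(parts[3])))
    return rules

def is_allowed(rules, client_ip, ext_port, int_port, default_deny=True):
    """Evaluate top-down, first match wins (assumed); no match -> Default Deny."""
    ip = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), network, (ilo, ihi) in rules:
        if ip in network and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return action == "allow"
    return not default_deny   # unmatched requests are denied only with Default Deny on
```

Running is_allowed for a host outside the ACL with default_deny=False shows why the post recommends the tick box: without it, every client on the selected interfaces gets through.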
Here we have a screenshot from pfSense – as you can see I have allowed access to 2 hosts across all ports. Of course it’s up to you to decide how you want to secure your environment.
Just remember to click ‘Save’ when you’ve finished configuring everything.
Hopefully the above has proven useful, remember this is just my example and you should make sure you understand all of the risks and implications of any configuration changes.
Hey Alex,
I recently decided to set up a pfSense virtual machine on my ESXi server and intended to connect and segment my home network, physical lab gear and Cisco VIRL/GNS3 worlds with it. There were a few reasons (all subjective) I decided to go with pfSense instead of Sophos UTM Home, Untangle or any of the other virtual options available to me but knowing you may blog about your SG-4860 from time to time is a bonus to making that call. :-)
Fritz
Hey Fritz,
I’m absolutely loving the latest versions of pfSense – really happy with the hardware setup I have for it too. Definitely intend to write more posts on the topic and welcome any feedback or requests from readers.
Alex
Hey Alex,
Question about the auto deny.
When I have that ticked with an ACL in place the ACL client (PS4 in this case) can’t open any ports.
With it unticked it works fine.
Have any ideas why this might be?
Hey Arron,
I’m assuming the PS4 has a static IP assigned to guarantee it has the IP listed in your UPnP-NAT-PMP ACL? Again, guessing you have defined a port range in the ACL and included the relevant internal interfaces higher up on the configuration page? I can only say it sounds like you’ve got something wrong or missing in the configuration right now. If you have screenshots or a list of your configuration I’m happy to take a look.