pfSense Universal Plug and Play UPnP NAT-PMP Configuration

Following my recent purchase and deployment of a pfSense SG-4860 I’ve been working my way through the wealth of settings to get everything up and running. While taking a break I fired up my Playstation 4 and then found it wouldn’t connect out, a quick check showed it was trying to leverage ‘Universal Plug and Play’ which is a protocol that allows a client device to request ports be opened on a firewall device for communication. As it was vital I resolve this issue as quickly as possible I jumped back onto my pfSense appliance to remedy the situation.

First off let’s get a little background on what Universal Plug and Play (UPnP) is as well as NAT Port Mapping Protocol (NAT-PMP) which is configured along with UPnP.

According to the Open Connectivity Foundation (the UPnP Forum ceased to exist and handed responsibility over to OCF) UPnP offers the following –

The UPnP architecture supports zero-configuration and automatic discovery whereby a device can:

  • Dynamically join a network
  • Obtain an IP address
  • Announce its name
  • Convey its capabilities upon request
  • Learn about the presence and capabilities of other devices
  • Leave a network smoothly and automatically without leaving any unwanted state information behind

NAT-PMP is described as follows –

NAT Port Mapping Protocol (NAT-PMP) is a network protocol for establishing network address translation (NAT) settings and port forwarding configurations automatically without user effort.

Good old Wikipedia has links you may find interesting –

 

Risks

It is important to mention that any service which allows a client device to dynamically open ports on a firewall can pose a risk to the network. UPnP & NAT-PMP are really aimed at home networks where users are unlikely to have the skills required to manage the router/firewall filtering rules. For them it is far easier to allow devices to negotiate and manage this. If we consider a corporate network then typically there is an administrator who manages the router/firewall and determines which ports should be allowed. This protocol set doesn’t use any form of authentication either. Think about what an attacker could do if they manage to compromise an internal endpoint and then use UPnP to punch holes in your firewall.

 

UPnP & NAT-PMP Basic Configuration

Now we can configure basic UPnP & NAT-PMP by just ticking 3 boxes and selecting the interfaces. This results in a setup that allows any device on the specified internal interfaces  to conduct UPnP operations. For many home setups this probably works OK, as mentioned previously you really don’t want to be running this sort of service on a corporate network.

To access the UPnP & NAT-PMP settings in pfSense browse to the ‘Services’ menu and then select ‘UPnP & NAT-PMP’ from the drop-down list.

Services UPnP & NAT-PMP

 

Configuring the following options will give us our basic setup.

  • Enable: Enabled UPnP & NAT-PMP ticked
  • UPnP Port Mapping: Allow UPnP Port Mapping ticked
  • NAT-PMP Port Mapping: Allow NAT-PMP Port Mapping ticked
  • External Interface: [select your external interface in my example this is WAN]
  • Interfaces: [select the interfaces where UPnP/NAT-PMP clients exist]

Services UPnP & NAT-PMP Settings

 

 

UPnP & NAT-PMP Advanced Configuration

OK so we have covered the most basic setup, now it’s time to do something a bit more interesting and configure our service to only allow specific devices to access the UPnP & NAT-PMP functionality.

  • Enable: Enabled UPnP & NAT-PMP ticked
  • UPnP Port Mapping: Allow UPnP Port Mapping ticked
  • NAT-PMP Port Mapping: Allow NAT-PMP Port Mapping
    ticked
  • External Interface: [select your external interface in my
    example this is WAN]
  • Interfaces: [select the interfaces where UPnP/NAT-PMP
    clients exist]
  • Default Deny: Deny access to UPnP & NAT-PMP by default ticked

Services UPnP & NAT-PMP Settings

     

    The ‘Default Deny’ will as the name implies automatically deny any UPnP & NAT-PMP requests from clients meaning we need to specify clients in an ACL (access control list) list that can take advantage of this functionality. In this way we have a degree of control over who we let take advantage of UPnP. This is my preferred way of running the service and I would recommend others do the same wherever possible.

    The ACL format is pretty simple, let me give the syntax and then an example.

    Syntax

    [allow or deny] [external single port or range of ports] [single IP address or a range] [internal single port or range]

    Examples

    • allow 1024-65535 192.168.2.2 1024-65535
    • allow 17654 192.168.1.0/24 55000-65535

    Here we have a screenshot from pfSense – as you can see I have allowed access to 2 hosts across all ports. Of course it’s up to you to decide how you want to secure your environment.

    UPnP Access Control Lists

     

    Just remember to click ‘Save’ when you’ve finished configuring everything.

     


    Hopefully the above has proven useful, remember this is just my example and you should make sure you understand all of the risks and implications of any configuration changes.

    4 thoughts on “pfSense Universal Plug and Play UPnP NAT-PMP Configuration”

    1. Hey Alex,

      I recently decided to set up a pfSense virtual machine on my ESXi server and intended to connect and segment my home network, physical lab gear and Cisco VIRL/GNS3 worlds with it. There were a few reasons (all subjective) I decided to go with pfSense instead of Sophos UTM Home, Untangle or any of the other virtual options available to me but knowing you may blog about your SG-4860 from time to time is a bonus to making that call. :-)

      Fritz

      Reply
      • Hey Fritz,

        I’m absolutely loving the latest versions of pfSense – really happy with the hardware setup I have for it too. Definitely intend to write more posts on the topic and welcome any feedback or requests from readers.

        Alex

        Reply
    2. Hey Alex,

      Question about the auto deny.
      When I have that ticked with an ACL in place the ACL Client (PS4 in the case) can’t open any ports.
      With it unticked it works fine.

      Have any ideas why this might be?

      Reply
      • Hey Arron,

        I’m assuming the PS4 has a static IP assigned to guarantee it has the IP listed in your UPnP-NAT-PMP ACL? Again, guessing you have defined a port range in the ACL and included the relevant internal interfaces higher up on the configuration page? I can only say it sounds like you’ve got something wrong or missing in the configuration right now. If you have screenshots or a list of your configuration I’m happy to take a look.

        Reply

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.