In a previous article, I described how to configure port forwarding in pfSense. But what if port forwarding could be done automatically? That is the purpose of the Universal Plug and Play (UPnP) protocol and the NAT Port Mapping Protocol (NAT-PMP), and both are supported by pfSense. In this article, I will explain how to configure UPnP and NAT-PMP in pfSense.
UPnP and NAT-PMP Explained
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. It is intended primarily for residential networks without enterprise-class devices (the reasons for this will become apparent soon) and is primarily used in Microsoft systems. The concept of UPnP is an extension of plug-and-play, a technology for dynamically attaching devices directly to a computer.
Among other things, UPnP provides a solution for NAT traversal via its implementation of the Internet Gateway Device (IGD) Protocol. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerating existing port mappings, and adding or removing port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client. UPnP uses UDP port 1900 and TCP port 2869.
NAT Port Mapping Protocol (NAT-PMP) is another means of accomplishing what UPnP does. It was introduced by Apple in 2005 as an alternative to IGD. NAT-PMP allows a computer in a private network to automatically configure the router to allow parties outside the private network to contact it. It automates the process of port forwarding. Included in the protocol is a method for retrieving the public IP address of a NAT gateway. NAT-PMP runs over UDP port 5351.
Configuring pfSense UPnP and NAT-PMP
As it happens, both UPnP and NAT-PMP are supported by pfSense 2.0, and enabling them is relatively easy. To enable these services, first navigate to Services -> UPnP & NAT-PMP. Check the "Enable UPnP & NAT-PMP" check box. Below that, check either "Allow UPnP Port Mapping", "Allow NAT-PMP Port Mapping", or both. At "Interfaces (generally LAN)", select an interface (or hold down the CTRL key while clicking to select multiple interfaces). Then press the "Change" button to apply the settings. You have now configured UPnP and/or NAT-PMP in pfSense.
There are several additional options that are worth noting. Below "Interfaces", you can specify a "Maximum Download Speed" (in Kbits/s). You can also specify a "Maximum Upload Speed" (also in Kbits/s). "Override WAN address" can be used to override the miniupnpd listening address. "Traffic Shaping Queue" allows you to specify an already-defined traffic shaping queue (for more information, see parts one, two, and three of my series on traffic shaping). Checking "Enable Log Packets" will keep a log of UPnP and NAT-PMP traffic. Checking "Use system uptime instead of UPnP and NAT-PMP service uptime" will use the system's uptime in the logs. Checking "By default deny access to UPnP & NAT-PMP" will block UPnP and NAT-PMP port mapping requests except for those specifically allowed in the "User specified permissions" below. There, you can define up to four permissions, one per line, in the following format: [allow or deny] [external port or range] [internal IP address or IP address/CIDR] [internal port or range].
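To make the permission format concrete, here is an added Python example (not pfSense's or miniupnpd's own code) that parses rules written in that format and evaluates a requested port mapping against them as a default-deny policy would; the first-match ordering and the constructed rule list are assumptions, not something the page states.

```python
import ipaddress
from dataclasses import dataclass

# Constructed permission list in the page's format (not from a real pfSense box):
# [allow|deny] [external port or range] [internal IP or IP/CIDR] [internal port or range]
# Only LAN hosts may map high ports; the final line denies everything else.
RULES_TEXT = """
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

def parse_port_range(text):
    """'8080' -> (8080, 8080); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text}")
    return lo, hi

@dataclass(frozen=True)
class Permission:
    action: str                    # "allow" or "deny"
    ext: tuple                     # (min, max) external port range
    net: ipaddress.IPv4Network     # internal hosts the rule applies to
    intp: tuple                    # (min, max) internal port range

def parse_rules(text):
    """Parse one permission per line; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, ext, net, intp = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action}")
        rules.append(Permission(action, parse_port_range(ext),
                                ipaddress.ip_network(net, strict=False),
                                parse_port_range(intp)))
    return rules

def mapping_allowed(rules, ext_port, int_ip, int_port, default_deny=True):
    """Evaluate a requested mapping; first matching rule wins (assumed ordering).
    If nothing matches, the result follows the 'By default deny' setting."""
    ip = ipaddress.ip_address(int_ip)
    for r in rules:
        if r.ext[0] <= ext_port <= r.ext[1] and ip in r.net \
                and r.intp[0] <= int_port <= r.intp[1]:
            return r.action == "allow"
    return not default_deny

RULES = parse_rules(RULES_TEXT)
```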
pfSense UPnP and NAT-PMP: Potential Security Risks
Now that I have described pfSense UPnP and NAT-PMP and how to configure them, I suppose it is only fair to note that enabling these services and allowing devices to make and modify their own firewall rules has some serious security implications. In January 2013, the security company Rapid7 reported on a six-month research program in which a team scanned for signals from UPnP-enabled devices announcing their availability for internet connection. Some 6900 products from 1500 companies at 81 million IP addresses responded to their requests. 80% of the devices were home routers; others included printers, webcams, and surveillance cameras. With this in mind, it is little wonder that UPnP is targeted mainly at home routers and not enterprise-level networking equipment, as IT departments would likely be wary of deploying equipment with such glaring security vulnerabilities. I do not know of any similar studies covering NAT-PMP devices, but I would assume this has more to do with the greater popularity of UPnP than with NAT-PMP devices being more secure. It might be prudent to dedicate a separate interface to UPnP and/or NAT-PMP devices. It might be even more prudent to use the "By default deny access to UPnP & NAT-PMP" feature and only allow specific pfSense UPnP and NAT-PMP traffic.