[Plugin] UPnP Monitor


ljm42


Plugin Name: UPnP Monitor. Install using Community Applications.

Minimum Unraid version: 6.8.0

Source code: https://github.com/ljm42/unraid-upnp


This plugin gives visibility into the UPnP activity on your network.

  • It uses the upnpc client that ships with Unraid to contact the UPnP server running on your router to get a list of all the UPnP port forwards that have been set up on your network.
  • You can review the list and take action (limited) if there are any that you do not expect to see.
  • The plugin offers a debug mode if you would like to see the exact commands that it runs to get the data. I may remove this at some point.
  • There is also a refresh button to get the latest data from the router without reloading the whole page.

 

Notes / Caveats:

  • The UPnP client is disabled by default in Unraid; you can enable it on the Settings -> Management Access page. Unless you do that, this plugin will not be useful.

    • Note: In Unraid 6.8.0 you also need to have the WireGuard plugin installed in order to see the option to enable UPnP. Starting with 6.8.1 this is no longer necessary.

  • Similarly, if you have disabled UPnP on your router then this plugin will not be useful.
  • I only run IPv4, so it is possible that the plugin will not parse IPv6 addresses properly. If you notice any parsing problems, please PM me the output of the debug screen and I'll take a look.


UPnP and Security

Many people feel that UPnP is a security risk because it requires no authentication - any application on your network is able to forward a port through the router. On the flip side, it is super convenient :) 

If you are running UPnP on your network, you can take the following steps to reduce your risk (no warranty or guarantee is implied):

  1. Update your router's firmware. Older versions of UPnP had security issues so it is important to stay fairly current. In general, if your router isn't getting regular updates you should probably replace it.
  2. If your router has an option for "secure mode UPnP", enable it. This makes it so that a computer on your network can only forward a port to itself. Without this, any computer on the network can forward a port to any other computer, which is definitely a security concern. In some routers this may be enabled by default with no option to disable it.
  3. High-end routers like pfSense and OPNsense allow you to restrict which IP addresses are allowed to make UPnP calls to set up port forwards. You can use this to limit your risk by only allowing trusted computers to do this.
  4. Review the list of active UPnP port forwards so you are aware of how it is being used. Your router may or may not provide this functionality. That is the purpose of this plugin.
  5. Delete any UPnP port forwards you no longer want. This plugin assumes your router is running in "secure mode", so it will only let you delete port forwards that point at Unraid's main IP address. 
    To delete port forwards that point to other IP addresses you would need to look for that option on your router. You may be able to delete them en masse by disabling/enabling UPnP on the router, or rebooting it.
    Of course, this will not prevent them from being created again in the future. For that you need a router that allows the restrictions mentioned in item 3 above, or simply disable UPnP on the router.

 

Edited by ljm42
8 minutes ago, Toobie said:

Hi @ljm42 - thanks for the plugin.

I wanted to test this but of course, as with a lot of users, my upnp client is disabled.

The hint with the management page is good, but I don't have any upnp options in there?!

I'm using 6.8.0.

 


The line shows up there if Dynamix Wireguard is installed

On 1/4/2020 at 2:40 PM, Squid said:

The line shows up there if Dynamix Wireguard is installed

 

On 1/4/2020 at 2:45 PM, Toobie said:

A bit difficult or? But yes, worked. Thx.

Ah, so upnpc is disabled by default and you need to install the Wireguard plugin to enable it. Interesting. I will update the OP. Thanks!

 

Edit: Starting with Unraid 6.8.1, the Wireguard plugin is no longer required.

Edited by ljm42

Not working for me for some reason. I'm on pfSense with UPnP turned on for the server's IP.

 

Here are the logs it generated.

 

Command
timeout 12 stdbuf -o0 upnpc -m br0 -l 2>&1
Status
0
Results
upnpc : miniupnpc library test client, version 2.1.
 (c) 2005-2018 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://10.0.0.2:8096/dlna/9b902c51-b640-4805-9413-713cac1323ab/description.xml
 st: urn:schemas-upnp-org:device:MediaServer:1

 desc: http://10.0.0.2:8096/dlna/9b902c51-b640-4805-9413-713cac1323ab/description.xml
 st: uuid:9b902c51-b640-4805-9413-713cac1323ab

 desc: http://10.0.0.2:8096/dlna/9b902c51-b640-4805-9413-713cac1323ab/description.xml
 st: upnp:rootdevice

 desc: http://10.0.128.114:9080
 st: upnp:rootdevice

 desc: http://10.0.128.123:9080
 st: upnp:rootdevice

 desc: http://10.0.1.11:80/plugin/discovery/discovery.xml
 st: upnp:rootdevice

 desc: http://10.0.1.10:80/plugin/discovery/discovery.xml
 st: upnp:rootdevice

 desc: http://192.168.122.1:34400/device.xml
 st: upnp:rootdevice

UPnP device found. Is it an IGD ? : http://10.0.0.2:8096/
Trying to continue anyway
Local LAN ip address : unset
GetConnectionTypeInfo failed.
GetStatusInfo failed.
GetLinkLayerMaxBitRates failed.
GetExternalIPAddress failed. (errorcode=-3)
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
GetGenericPortMappingEntry() returned -3 (UnknownError)
Determination
->gateway is [10.0.0.1]

->No IGD device found
->UPnP not available on this network.
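
Added example (not part of the thread or the plugin's source): a sketch of the review described in steps 4 and 5 of the first post, parsing `upnpc -l` text and flagging forwards that point at other hosts or that were not expected. It also reports the "Is it an IGD ?" fallback visible in the debug output above. The sample rows, the addresses and the names `parse_upnpc_list` and `review` are constructed for illustration, and the single-quoted description/remoteHost fields are an assumption about upnpc's row format.

```python
import ipaddress
import re

# Row layout taken from the header upnpc prints (visible in the debug output above):
#  i protocol exPort->inAddr:inPort description remoteHost leaseTime
# Assumption: description and remoteHost are single-quoted, as miniupnpc 2.x prints them.
ROW = re.compile(
    r"^\s*(?P<i>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ext_port>\d+)->(?P<in_addr>\S+):"
    r"(?P<in_port>\d+)\s+'(?P<desc>.*)'\s+'(?P<remote>.*)'\s+(?P<lease>\d+)\s*$"
)

# Constructed sample, not captured from a real router.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP 51820->192.168.1.10:51820 'WireGuard-wg0' '' 0
 1 TCP 32400->192.168.1.10:32400 'media server' '' 604800
 2 TCP  8080->192.168.1.57:80    'cam' '' 0
"""

def parse_upnpc_list(output):
    """Return (mappings, igd_ok) for the text printed by `upnpc -l`."""
    mappings, igd_ok = [], True
    for line in output.splitlines():
        if "Is it an IGD ?" in line:  # upnpc latched onto a non-router UPnP device
            igd_ok = False
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        try:
            row["in_addr"] = ipaddress.ip_address(row["in_addr"])
        except ValueError:
            row["in_addr"] = None  # keep the row so it is still reported
        for key in ("i", "ext_port", "in_port", "lease"):
            row[key] = int(row[key])
        mappings.append(row)
    return mappings, igd_ok

def review(mappings, unraid_ip, expected):
    """Flag forwards to other hosts and forwards to this server that are not expected."""
    me = ipaddress.ip_address(unraid_ip)
    findings = []
    for r in mappings:
        if r["in_addr"] != me:
            findings.append((r["proto"], r["ext_port"], "other host: remove on the router"))
        elif (r["proto"], r["ext_port"]) not in expected:
            findings.append((r["proto"], r["ext_port"], "unexpected forward to this server"))
    return findings

if __name__ == "__main__":
    rows, ok = parse_upnpc_list(SAMPLE)
    print(ok, review(rows, "192.168.1.10", {("UDP", 51820)}))
```

When `igd_ok` is false, an empty mapping list means the router was never queried, not that no forwards exist.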

 
