UPnP port forwarding

Hi everyone,

UPnP port forwarding (not to be confused with the UPnP integration) is a useful tool for my PlayStation or Plex: it means the ports are automatically opened in my router and closed when not needed, removing the not-ideal necessity of configuring port forwarding manually in the router.

I know it’s not difficult, but that service exists. Is there a way to activate it in Home Assistant or HassOS?

I’ve never done something similar, and I guess that the “MiniUPnP Project” could be a starting point, but adding this feature as an option, or being able to activate it with SSH commands, would be great. I don’t exactly know the security issues.

Thanks.

I suspect the answer you’ll get is that you should be in control of that yourself, as putting an insecure HA on the internet is a disaster waiting to happen. UPnP from a security perspective is really insecure, especially if the users aren’t technically competent and across how easily it can be abused.

If you want an example of how not to implement UPnP, look up that search engine that allows you to access people’s home CCTV systems that have a) UPnP on by default, b) the default port, c) the default login credentials, and they don’t even know people can watch them.


Well, it’s clear to me that UPnP port forwarding should never be the “default”, but rather something that can be enabled. But how is my Plex, or playing Call of Duty on my PlayStation, not “safe”?

There is this feature where you open a “random port”, where I guess you need some kind of cloud service that is able to keep track of which port is open… But IDK.

Since my router already has UPnP port forwarding activated and working for other services, I don’t see the security difference compared with just manually opening a random port (not the default) to access my HA remotely.

Do you see a difference? Thanks.

Yeah, I do. Those services enable UPnP to run a very specific service and allow a cloud connector service to concentrate requests back towards your network; as you said, the cloud service is responsible for working out how to interact with the random port opened. Someone scanning your public IP won’t get very far attempting to poke those pinholes in the firewall.

Services that allow users to interact directly with them (not via a cloud service) are at much higher risk from malicious actors trying to break into them. These are fixed ports, as a random one won’t help the user much when accessing their own service. That on its own is not a huge issue, but couple that with newbies, an insecure default setup, and what HA can be used to actuate.

IMO, to consider allowing users to have UPnP, it needs to be a proper workflow: make the user aware their instance will be accessible by anyone on the internet; do the user accounts have minimum password strengths; is fail2ban enabled; and [preferably] is a reverse proxy enabled, set up correctly, and validating the domain being accessed.

OR just use Nabu Casa if you don’t have the skills to do those few things.

I want to ask you: I have a random port pointing to 8123; how is that more secure than using UPnP? Or what’s the difference?

I understand your point. And because you are talking about security, you are probably right, but I fail to see the different security problem between me opening one port and making that opening automatic…

It’s equally insecure. You really should be using a reverse proxy to do this and a specific port forward.

As @DavidFW1960 said, that’s not any more secure.

The security problem with UPnP is that it allows literally everything inside your network to punch holes in your firewall as it wishes. With the amount of random cheap Chinese tat most people have in their house that connects to WiFi, this is what poses the risk.

Random port vs the HA standard port: I’m willing to concede that I think it does help. I don’t use the standard external port, as it significantly reduces the scans hitting my box (in the order of 95%+). It stops the script kiddies from attacking your machine, but not the ones that are actually any good at hacking.

Kind of like putting an alarm system sticker on the front window of your house. You just need to be more secure than the most insecure house on the street to have some effect, e.g. they get broken into, not you. That doesn’t mean it won’t ever happen.

My point about manual vs UPnP stems from the fact that a process that requires some level of technical understanding to expose your HA instance to the internet requires a bit of technical, and hopefully some security, know-how. A UPnP checkbox that non-technical people can click without any understanding of what they are doing is dangerous. As mentioned above, if there is a proper workflow to impart a minimum level of knowledge on the user, and a minimum security standard to enable it, I don’t see it as much of a big deal.

I see, but I have UPnP activated in my router, so the apps I use can easily open “holes”. Is that bad?

Yeah, definitely not a “checkbox”, but I fail to see the evil in the use of UPnP when it is already activated and being used by other apps.

@DavidFW1960 @Silicon_Avatar I use the DuckDNS and “NGINX Home Assistant SSL proxy” add-ons; is that what you call a “reverse proxy”? That redirects my traffic from 80 to 443, but I don’t open ports 80 or 443, just another one for the remote access.

Can you explain a bit what the way to that more secure reverse proxy configuration is?

Thanks to all of you.

I would say yes. Others may say no. Most modern security experts also say yes; it’s not as much of a problem as it was in the past, but still an unnecessary risk. If you know what ports you need open, just do it yourself. It likely isn’t more than half a dozen.

My modem shows as a UPnP device in Home Assistant, so I get a logged entry for WAN connected. I just use that to fire the miniupnpc application, and it automatically maps the required ports every time my modem is rebooted or hard reset. This way Home Assistant will never lose its incoming connections.

I had to add it as a cron job since the modem seemingly removes it after a day.
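Two points in the thread lend themselves to one worked script: the objection that UPnP lets every device on the LAN punch its own holes in the firewall (so you should at least know which holes exist), and the last post's approach of firing miniupnpc from Home Assistant and a cron job to keep HA's mapping alive. The example below is added here and is not code from the posters, Home Assistant or the MiniUPnP project. It wraps the real `upnpc` CLI (`-l` to list, `-a` to add, `-d` to delete are real options; the optional lease-duration argument to `-a` is only accepted by newer upnpc releases). The sample `upnpc -l` output, the 203.0.113.10 external address, the LAN addresses, the external port 48123 and the allowlist are all constructed for the example. A mapping with a nonzero leaseTime expires when the lease runs out, which is one reason a router can drop a mapping after a day; whether that is what the poster's modem is doing is not something the thread establishes. When upnpc is not installed the script audits the constructed sample offline instead of touching a router.

```python
"""Audit and idempotently (re)create UPnP IGD port mappings with MiniUPnP's upnpc.

Added example for this thread, not code from the posters or the MiniUPnP project.
Assumes the `upnpc` CLI is on PATH when run for real; otherwise it works offline
on the constructed sample output below.
"""
from __future__ import annotations

import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample of `upnpc -l` output in the layout the tool prints
# (banner lines, then one line per mapping). Not captured from a real router.
SAMPLE_UPNPC_LIST = """\
List of UPNP devices found on the network :
 desc: http://192.168.1.1:1900/igd.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.1:1900/upnp/control/WANIPConn1
Local LAN ip address : 192.168.1.50
Connection Type : IP_Routed
ExternalIPAddress = 203.0.113.10
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8123->192.168.1.50:8123  'Home Assistant' '' 86400
 1 UDP  3074->192.168.1.20:3074  'PlayStation' '' 0
 2 TCP 37777->192.168.1.77:37777 'IPC' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# Hypothetical allowlist of mappings this household knowingly opened:
# (protocol, external port, LAN ip, LAN port).
ALLOWED = {
    ("TCP", 8123, "192.168.1.50", 8123),
    ("UDP", 3074, "192.168.1.20", 3074),
}

_MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<ip>[\d.]+):(?P<int>\d+)\s+"
    r"'(?P<desc>[^']*)'\s+'(?P<rhost>[^']*)'\s+(?P<lease>\d+)\s*$"
)


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_ip: str
    int_port: int
    desc: str
    lease: int  # seconds remaining; 0 means no lease (stays until deleted or the router forgets it)

    @property
    def key(self) -> tuple[str, int, str, int]:
        return (self.proto, self.ext_port, self.int_ip, self.int_port)


def parse_upnpc_list(text: str) -> list[Mapping]:
    """Extract mapping rows from `upnpc -l` output; banner and error lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _MAPPING_RE.match(line)
        if m:
            found.append(Mapping(m["proto"], int(m["ext"]), m["ip"], int(m["int"]),
                                 m["desc"], int(m["lease"])))
    return found


def unexpected_mappings(mappings: list[Mapping], allowed) -> list[Mapping]:
    """Holes punched by something other than what you allowlisted: the devices you forgot about."""
    return [m for m in mappings if m.key not in allowed]


def has_mapping(mappings: list[Mapping], proto: str, ext_port: int, int_ip: str, int_port: int) -> bool:
    return any(m.key == (proto, ext_port, int_ip, int_port) for m in mappings)


def upnpc_add_args(int_ip: str, int_port: int, ext_port: int, proto: str, lease: int | None = None) -> list[str]:
    """Command line for `upnpc -a ip port external_port protocol [duration]`."""
    args = ["upnpc", "-a", int_ip, str(int_port), str(ext_port), proto]
    if lease is not None:
        args.append(str(lease))  # duration argument: only newer upnpc releases accept it
    return args


def upnpc_delete_args(ext_port: int, proto: str) -> list[str]:
    """Command line for `upnpc -d external_port protocol`, to close an unwanted hole."""
    return ["upnpc", "-d", str(ext_port), proto]


def current_mappings() -> list[Mapping]:
    """Live list when upnpc is installed, otherwise the constructed sample (offline)."""
    if shutil.which("upnpc") is None:
        return parse_upnpc_list(SAMPLE_UPNPC_LIST)
    res = subprocess.run(["upnpc", "-l"], capture_output=True, text=True, check=False)
    return parse_upnpc_list(res.stdout)


def ensure_mapping(mappings: list[Mapping], int_ip: str, int_port: int, ext_port: int,
                   proto: str, lease: int, dry_run: bool) -> bool:
    """Add the mapping only if absent, so the cron job is idempotent. Returns True if an add was needed."""
    if has_mapping(mappings, proto, ext_port, int_ip, int_port):
        return False
    if not dry_run:
        subprocess.run(upnpc_add_args(int_ip, int_port, ext_port, proto, lease), check=False)
    return True


if __name__ == "__main__":
    live = shutil.which("upnpc") is not None
    found = current_mappings()
    for m in unexpected_mappings(found, ALLOWED):
        print(f"UNEXPECTED: {m.proto} {m.ext_port} -> {m.int_ip}:{m.int_port} '{m.desc}' lease={m.lease}s")
    # Illustrative HA mapping: non-default external port 48123 to HA on 8123 with a one-day
    # lease, so a mapping nobody renews expires instead of staying open forever.
    needed = ensure_mapping(found, "192.168.1.50", 8123, 48123, "TCP", 86400, dry_run=not live)
    print("HA mapping:", "added" if needed else "already present")
```

Run it from cron (or from the HA automation that fires on the WAN-connected event) and it only issues `upnpc -a` when the mapping is actually gone, while the UNEXPECTED lines tell you which other devices have opened ports; anything you do not recognise can be closed with the `upnpc -d` command the helper builds.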