What is UPnP?
UPnP (Universal Plug and Play) is a network protocol that allows devices to open ports without requiring always-enabled static port forwards.
Why Would I Use UPnP?
UPnP simplifies network configuration by allowing clients to open and close ports on demand. The most common use case is gaming consoles, which use it for optimal online gaming performance. While UPnP makes UPnP-enabled clients easier to run, there are security risks inherent in allowing clients to open ports without restriction. Many routers do not offer any ability to restrict UPnP; Alta routers can restrict which networks, devices, and ports are permitted through strict mode. We encourage taking advantage of this functionality to limit the security impact of UPnP.
How to Enable UPnP?
- Start on the Network tab at manage.alta.inc
- Click the Route10 icon
- Click your WAN interface (W1)
- Click the Pencil icon next to your WAN drop-down
- Enable the UPnP toggle
- If desired, adjust the UPnP VLANs so that only the VLANs allowed to use UPnP are listed
  - For example, Guest networks/VLANs should not be able to use UPnP, for the sake of security and best practices
- Click Save
Note that UPnP can only be enabled on one WAN interface. The nature of how the protocol functions does not allow for multiple WANs.
What is UPnP Strict Mode?
UPnP Strict Mode is an Alta Labs exclusive feature that allows you to restrict which devices are allowed to dynamically open ports. With UPnP Strict Mode, you can still enjoy the flexibility of UPnP while maintaining the highest level of security possible. UPnP with strict mode is arguably more secure than static port forwards, since UPnP forwards are only enabled when needed, whereas static port forwards leave the port open at all times.
How do I enable UPnP Strict Mode?
Enabling the UPnP Strict Mode globally:
- Start on the Network tab at manage.alta.inc
- Click the Route10 icon
- Click your WAN interface (W1)
- Click the Pencil icon next to your WAN drop-down
- Enable UPnP Strict Mode
- Click Save
In this state, no clients will be permitted to use UPnP. Permitted clients must be expressly configured next.
Allow a Client to Leverage UPnP under Strict Mode:
As a prerequisite for using Strict Mode, the client must be given a “sticky” IP address. A sticky IP address is simply a reserved IP from the DHCP pool, ensuring that the client gets the same IP address every time it is on the network, regardless of how long it has been disconnected. The DHCP server will never provide that address to a different device unless the sticky assignment has been removed.
- Start on the Devices tab at manage.alta.inc
- Click the icon of the desired device
- Provide the sticky IP address
  - The device’s IP can be copied and pasted or manually entered
- Toggle UPnP, and populate UPnP Ports if desired. If UPnP Ports is left blank and the toggle is enabled, the device will be allowed to open any port to itself. The UPnP Ports field can be populated with a single port, or a dash-delimited range of ports like 1024-65535.
- Click Save
- Repeat for any additional devices
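The per-device rules above can be modelled in a few lines to check a planned allowlist before entering it. This is an added example, not Alta Labs code: the function names, the sample IPs, the 100-port review threshold, and the reading of "UPnP Ports" as the external port are all assumptions.

```python
# Added example: models the strict-mode rules described on this page.
# Not Alta Labs code; all names and sample values are constructed.
from ipaddress import ip_address

def parse_ports(spec):
    """Parse a UPnP Ports value: blank (any port), '3074', or '1024-65535'."""
    spec = spec.strip()
    if not spec:
        return 1, 65535
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad UPnP Ports value: {spec!r}")
    lo, hi = int(parts[0]), int(parts[-1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    return lo, hi

def decide(policy, requester, target, port):
    """Return (allowed, reason) for one mapping request under strict mode."""
    if requester not in policy:
        return False, "client has no UPnP toggle enabled"
    if ip_address(requester) != ip_address(target):
        # Assumption from "open any port to itself": no mappings for other hosts.
        return False, "mapping points at a different host"
    lo, hi = parse_ports(policy[requester])
    if not lo <= port <= hi:
        return False, f"port {port} outside allowed {lo}-{hi}"
    return True, "allowed"

def broad_entries(policy, max_ports=100):
    """List clients whose UPnP Ports value spans more than max_ports ports."""
    out = []
    for ip, spec in policy.items():
        lo, hi = parse_ports(spec)
        if hi - lo + 1 > max_ports:  # max_ports is an arbitrary review threshold
            out.append(ip)
    return sorted(out)

# Constructed policy: sticky IP -> UPnP Ports field as entered in the UI.
POLICY = {"192.168.10.50": "3074", "192.168.10.60": "1024-65535", "192.168.10.70": ""}

if __name__ == "__main__":
    for req in [("192.168.10.50", "192.168.10.50", 3074),
                ("192.168.10.50", "192.168.10.50", 22),
                ("192.168.10.50", "192.168.10.1", 3074),
                ("192.168.20.9", "192.168.20.9", 3074)]:
        print(req, decide(POLICY, *req))
    print("review:", broad_entries(POLICY))
```

`broad_entries` surfaces the devices whose UPnP Ports field was left blank or set to a wide range, which are the entries worth narrowing first.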