I would agree that it is a security hole for an ISP. UPnP would let me do my own forwards for just about any port I want, including SSH, telnet and web. For that matter, I could just be selfish and port map every port from 1024 through 65535 to my IP, completely killing access to anyone else.
In an ISP environment, the best option really is to disable UPnP if you are doing NAT.

--
Adam Kennedy
Network Engineer
Omnicity, Inc.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Marlon K. Schafer
Sent: Monday, August 02, 2010 10:43 AM
To: WISPA General List
Subject: Re: [WISPA] XBOX live, NAT, and UPnP

Man that sucks. We turn off upnp on ALL routers. I've always been told that it's a big security hole.

Thoughts on that?

marlon

----- Original Message -----
From: "Josh Luthman" <[email protected]>
To: "WISPA General List" <[email protected]>
Sent: Monday, August 02, 2010 7:29 AM
Subject: Re: [WISPA] XBOX live, NAT, and UPnP

I don't seem to have any issues with double or triple NAT. When I was working with MT to fix the upnp issue with Xboxes. I have it marked as 4.6 with modifications (it was an unofficial 4.6 they gave me) so I would say 4.7 or higher should enable Xbox upnp. Even this requires a public IP on the Mikrotik to remove even nice strict (I think it's called open?).

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Aug 2, 2010 at 10:07 AM, Kurt Fankhauser <[email protected]> wrote:
> So does anyone here have any customers that use XBOX live and bark to you
> about your NAT? Apparently the XBOX live service is very picky about being
> behind any NAT device and its ability to make connections to other
> servers. From what I gathered is that the LIVE service uses Universal Plug
> and Play (UPnP) to get around this but the question I have is: If you're
> doing masquerade on a Mikrotik Core Router should you enable UPnP on that
> device? Or should I just issue public IPs to the customer that games and
> let them worry about it? And if you have UPnP enabled on the core router
> and then do a double-NAT through the customer's Linksys router with UPnP
> enabled does that not work because of the double-NAT?
>
> Kurt Fankhauser
> WAVELINC
> P.O. Box 126
> Bucyrus, OH 44820
> 419-562-6405
> www.wavelinc.com
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: [email protected]
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
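
The concern raised at the top of this thread (a single subscriber behind a shared NAT address creating forwards for SSH, telnet or web, or mapping every port from 1024 through 65535) can be checked for by auditing the router's UPnP mapping table. The following is an added example, not part of the original thread: the tuple layout, the sensitive-port list and the per-client cap are assumptions, and the sample table is constructed.

```python
from collections import defaultdict

# Assumed policy values (not from the thread): ports an ISP would not want
# subscriber-created forwards on, and a cap on mappings held by one client.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
MAX_MAPPINGS_PER_CLIENT = 32


def audit_mappings(mappings, cap=MAX_MAPPINGS_PER_CLIENT):
    """Audit (external_port, protocol, internal_ip) tuples.

    Returns a sorted list of (kind, internal_ip, detail) findings.
    """
    findings = []
    per_client = defaultdict(set)
    for ext_port, proto, ip in mappings:
        proto = proto.lower()
        if not 1 <= ext_port <= 65535:
            findings.append(("invalid-port", ip, str(ext_port)))
            continue
        # A set de-duplicates repeated requests for the same port/protocol.
        per_client[ip].add((ext_port, proto))
        if ext_port in SENSITIVE_PORTS:
            name = SENSITIVE_PORTS[ext_port]
            findings.append(("sensitive-port", ip, f"{ext_port}/{proto} ({name})"))
    # One client holding a large share of the shared address's port space
    # starves every other subscriber behind the same NAT.
    for ip, held in per_client.items():
        if len(held) > cap:
            findings.append(("port-hoarding", ip, f"{len(held)} mappings"))
    return sorted(findings)


# Constructed sample table: a console with one game port, a client
# forwarding SSH, and a client that mapped the whole 1024-65535 range.
SAMPLE = (
    [(3074, "UDP", "10.0.0.5")]
    + [(22, "TCP", "10.0.0.9")]
    + [(p, "TCP", "10.0.0.66") for p in range(1024, 65536)]
)

if __name__ == "__main__":
    for kind, ip, detail in audit_mappings(SAMPLE):
        print(f"{kind:15} {ip:12} {detail}")
```

Feeding it a periodic export of the live mapping table lets an operator that leaves UPnP enabled see which subscriber is holding forwards before others lose connectivity.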
