Force use of NAT-PMP instead of uPnP with your non-synology router.

I hope this thread doesn't devolve into a uPnP crucifixion discussion; that has been covered before.
But here goes.

For those of you who need, for some reason, to use the function in the Synology NAS that opens uPnP ports - don't; use this alternative instead.
Some of you will be lucky and find that the synology router wizard sets to NAT-PMP - for the rest of us it doesn't unless synology added it to its router database.

Simply:
  1. login with an SSH client
  2. navigate to /etc/portfoward
  3. use sudo vi router.conf to edit the router.conf
  4. change the following lines in the file:
    1. support_change_port=yes
    2. support_router_upnp=yes
    3. support_router_natpmp=yes
    4. router_type=natpmp
  5. leave all other lines as-is

Now NAT-PMP will be used instead of uPnP.

Note your router has to support nat-pmp for this to work.
Note if you set upnp to no in the next file, the remote access wizards will never use it! Not even accidentally...
Note this only affects the daemon in the Synology OS; it won't affect packages, Docker containers etc. that have upnp disabled.

Hopefully this helps some of you with your upnp mitigation strategies.
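One way to apply the steps above non-interactively, as an added example that is not part of the original post: it assumes a POSIX sh on the NAS, keeps a timestamped backup so the change can be reverted, and uses the file path exactly as the post gives it (pass a copy of router.conf as the argument to try it first).

```shell
#!/bin/sh
# Added example, not from the original post: set the four router.conf keys
# from the guide, leave every other line untouched, then verify the result.
# Run as root (sudo) on the NAS, or against a copy of the file for a dry run.
set -eu

# Set key=value in a conf file: replace an existing line, else append one.
set_conf_key() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read a key's current value (empty output if the key is absent).
get_conf_key() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# Switch a router.conf to NAT-PMP. Default path is the one named in the post.
force_natpmp() {
    conf=${1:-/etc/portfoward/router.conf}
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"   # backup to revert from later
    set_conf_key "$conf" support_change_port yes
    set_conf_key "$conf" support_router_upnp yes
    set_conf_key "$conf" support_router_natpmp yes
    set_conf_key "$conf" router_type natpmp
    # Do not trust the edit blindly: confirm the daemon will read natpmp.
    [ "$(get_conf_key "$conf" router_type)" = natpmp ] || return 1
    echo "router_type is now natpmp in $conf (backup kept alongside it)"
}
```

To undo the change, copy the newest `router.conf.bak.*` file back over `router.conf`.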
 
It is highly irresponsible to use this guide for all users who do not understand the vulnerabilities of network devices.

Reason:
Due to the increase in security measures, many router manufacturers have introduced a strict policy of using the NAT-PMP protocol on an on-demand basis.
Such an interference with the security of the router's operation can cause a high vulnerability in the operation of your network.

If you decide to use this guide in general, then only if you will return the original settings immediately after using such a NAT-PMP protocol service. I hope that your router has all these settings in the "no" state. If not, for a better sleep my recommendation is to lock the mentioned settings to the "no" value.

Conclusion:
This attempt to reduce security will actually help you check the state of your router's settings. If you have enabled (yes state) UPnP as well as NAT-PMP, then change the setting to the "no" state. As soon as possible.
 
No one suggested that all-users should use this guide. Some people need to use upnp / nat-pmp.
No one is asking or advocating that you or anyone else turn on nat-pmp or upnp in your environment.

For those that need to allow devices to open ports, shifting to nat-pmp can help change the attack surface in a positive way due to the way it closes ports after the timeout period, which upnp doesn't.

This doesn't change the way the router handles nat-pmp - this forces a synology NAS to use NAT-PMP in preference to uPnP (or only NAT-PMP).

Your proselytizing and condescension isn't helpful, we all get you hate upnp (with some good reasons) and think those that turn it on are stupid about how they make their risk judgements. That's their call to make, not yours.

Nice link for the nat-pmp scanner; though as it is looking for "..all computers with routable IPv4 addresses that are not firewalled from the internet on port 5351/udp.." I am not sure what your point is - that one should disable nat-pmp on devices that are connected to the internet without a firewall? Personally I would focus on the advice to only connect computers to the internet by placing them behind a firewall.
 
No one will hate your network setup. It’s your choice.
But we need to care about people who don't understand the consequences of shooting into the dark. My post has been clearly targeted at this group. Please read with understanding.

Others, who can use SSH daily, don't need your guide, because they set up every kind of NAT manually in the router (by GUI or by SSH).
 
we all get you hate upnp (with some good reasons) and think those that turn it on are stupid about how they make their risk judgements. That's their call to make, not yours
I wouldn't say stupid, rather there is often a willingness to make things easy without fully understanding the implications. That's not to say that this is solely the responsibility of the end-user; in the interest of making a product easy to use there can be neglect in explaining how this ease of use is being achieved: it's down to the vendor to fully explain what features and settings do, and their impact on security, performance, etc. Also these explanations should be in language that their target customer can easily understand (and they should state who their target customer is, in terms that less experienced people can understand).

My second point would be that the shipped default features should be secure, and then enabling features should provide an alert and information on the impact of doing so.


Having said this, there's always STUN and the plethora of Web services with reverse-client connection tunnels (e.g. used by QuickConnect) that avoid needing UPnP and NAT-PMP.
 
