Adventures with DD-WRT
Part 6: UPnP and NAT-PMP

DD-WRT ships with a UPnP implementation built-in. However, according to multiple posts I've found, the implementation seems to be kind of broken. There are a sufficient number of applications that fail to operate with DD-WRT's chosen UPnP daemon that many users in the community have worked around it.

[Screenshot: the UPnP setting in the DD-WRT web interface]

To see it for myself, I tried an unscientific assortment of applications that use UPnP, and some did indeed have problems.

After reading further about the problem, I read that both Tomato and OpenWRT already replaced their old UPnP implementation with a different one called MiniUPnP. This one actually seems to work for everybody and also appears to be used by some commercial routers too. And for the DD-WRT users working around the built-in implementation, installing MiniUPnP seems to be a popular solution.

But the other thing that grabbed my attention is that MiniUPnP also supports NAT-PMP. For those who haven't heard of NAT-PMP (NAT Port Mapping Protocol), it is basically a simple and sane replacement for UPnP for automating the process of creating port mappings in a NAT. It's no secret that Microsoft's UPnP is kind of a mess. It is extremely complicated, which has implications for implementations, security, robustness, and interoperability. So the same people who brought us Zeroconf have brought us a new open standard called NAT-PMP, which basically does what UPnP tries to do, but in a much saner and simpler way.


The draft standard can be found here:

http://tools.ietf.org/html/draft-cheshire-nat-pmp-03

Considering it is a technical draft standard, it reads very well. It tries to not be a UPnP bashing document, but does need to bring up UPnP to help underscore important points. Thus it can come off as a UPnP bashing document which in my opinion really adds to the entertainment value.

Well, one thing that has surprised me is that even though NAT-PMP was only introduced a few years ago, it already seems to be widely adopted by software applications. Most applications that support UPnP now also support NAT-PMP. For example, I did a quick, unscientific search through various BitTorrent clients, and every one I found had NAT-PMP support.

And of course, since I run a lot of Apple related software, NAT-PMP support is a big plus. So MiniUPnP is looking really desirable to me.


Criticisms Addressed

So before I go on, I know somebody is going to complain that I should not be enabling any of these things and should resort to manual port forwarding. Well, that's just impractical for the software I want to run and not really any more secure. With regular port forwarding, I have to pick a designated computer for the service. But this isn't practical because there are many times the software needs to be run from different computers. For example, different people behind my router may like to run iChat or Skype. This would require me to know who's running what and when, and I would have to manually change the forwarding every time. I would also have to remember to close the ports when they are done. With UPnP/NAT-PMP, well-behaved applications will automatically close the ports when they shut down. And for misbehaving programs or programs that were not shut down cleanly, NAT-PMP is supposed to automatically close the ports after a lease expiration (analogous to DHCP). I think that is way more secure than hoping I remember to close them manually.

So instead of port forwarding, has anybody ever tried to set up port triggering for iChat? I have. It is a pain. There are so many ports to deal with that on my old D-Link and Netgear routers, I completely exhausted the pre-allotted table entry slots for that one application. So I didn't even get to other applications like Skype, or BitTorrent clients, or an ever-changing list of video games. And in iChat's case, I was lucky Apple bothered to document it. I don't expect all the software apps I run to clearly (and correctly) document this information for me. And then this doesn't address those applications which randomize their ports for various reasons. This whole process is slow, error prone, and, practically speaking, really no safer than automated port mappings.

And if you are concerned that a rogue/compromised computer inside your network starts opening all the ports to your other computers, you are being silly, because at that point it is much easier to have that computer just attack all the other computers directly instead of some strange, coordinated, convoluted attack through the router. (Also, in NAT-PMP, for extra safety/paranoia, it is theoretically possible to prevent devices from opening ports for anything other than themselves.)
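To make the lease-expiration and "only for itself" points concrete, here is an added toy NAT-PMP exchange written for this post (not code from DD-WRT, MiniUPnP or the draft's authors): it packs the mapping request and reply the draft defines, and models a gateway that ties each mapping to the requesting host's source address and drops it when the lifetime runs out. The 40000-65535 allocation range and the two-hour lifetime cap are my own assumed policy, not anything the draft prescribes.

```python
import struct
NATPMP_VERSION = 0
OP_MAP_UDP, OP_MAP_TCP = 1, 2                       # request opcodes; replies use 128 + opcode
RESULT_OK, RESULT_BAD_VERSION, RESULT_BAD_OPCODE = 0, 1, 5
MAX_LIFETIME = 7200                                 # assumed gateway policy: cap any lease at two hours

def build_map_request(op, internal_port, suggested_external, lifetime):
    # Client -> gateway (12 bytes): version, opcode, reserved, internal port,
    # suggested external port, requested lifetime in seconds (0 = delete the mapping)
    return struct.pack("!BBHHHI", NATPMP_VERSION, op, 0, internal_port, suggested_external, lifetime)

def build_map_response(op, epoch, internal_port, external_port, lifetime, result=RESULT_OK):
    # Gateway -> client (16 bytes): version, 128+opcode, result code, seconds since the gateway's
    # mapping table was (re)started, internal port, granted external port, granted lifetime
    return struct.pack("!BBHIHHI", NATPMP_VERSION, 128 + op, result, epoch, internal_port, external_port, lifetime)

def parse_map_response(data):
    vers, op, result, epoch, iport, eport, lifetime = struct.unpack("!BBHIHHI", data[:16])
    return {"op": op - 128, "result": result, "epoch": epoch,
            "internal_port": iport, "external_port": eport, "lifetime": lifetime}

class Gateway:
    """Toy NAT-PMP responder; mappings: (opcode, external_port) -> (client_ip, internal_port, expires_at)."""
    def __init__(self, start_time):
        self.start_time, self.mappings = start_time, {}

    def purge_expired(self, now):
        # Leases expire on their own, DHCP style, so mappings left by crashed programs do not linger
        self.mappings = {k: v for k, v in self.mappings.items() if v[2] > now}

    def handle(self, src_ip, data, now):
        vers, op, _, iport, eport, lifetime = struct.unpack("!BBHHHI", data[:12])
        epoch = int(now - self.start_time)
        if vers != NATPMP_VERSION or op not in (OP_MAP_UDP, OP_MAP_TCP):
            result = RESULT_BAD_VERSION if vers != NATPMP_VERSION else RESULT_BAD_OPCODE
            return struct.pack("!BBHI", NATPMP_VERSION, (128 + op) & 0xFF, result, epoch)  # 8-byte error reply
        self.purge_expired(now)
        # The internal host is always the packet's source address: a request carries no
        # target IP, so a client can only create or delete mappings for itself
        if lifetime == 0:
            for k in [k for k, v in self.mappings.items() if k[0] == op and v[:2] == (src_ip, iport)]:
                del self.mappings[k]
            return build_map_response(op, epoch, iport, 0, 0)
        lifetime = min(lifetime, MAX_LIFETIME)
        owner = self.mappings.get((op, eport))
        if eport == 0 or (owner and owner[:2] != (src_ip, iport)):
            # Suggested port unavailable or owned by another host: allocate a free one instead
            eport = next(p for p in range(40000, 65536) if (op, p) not in self.mappings)
        self.mappings[(op, eport)] = (src_ip, iport, now + lifetime)
        return build_map_response(op, epoch, iport, eport, lifetime)
```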


So because DD-WRT's UPnP doesn't fully work, and because I would like to move to NAT-PMP as much as possible, I decided to install MiniUPnP. This requires leaving DD-WRT's implementation disabled and installing MiniUPnP manually. Also be warned that you don't get to use the nice DD-WRT GUI interface to see the currently open ports. You must log into the terminal to do that since DD-WRT has no integration for MiniUPnP.

If I had known about all this sooner and knew Tomato had already switched, I probably would have installed Tomato instead. But considering how much time I already invested getting everything else running, I wanted to see if I could get MiniUPnP installed.

So next time, we will walk through the process of actually installing MiniUPnP.

Links:

Part 5: Installing Optware & Avahi (Zeroconf) (previous)

Part 7: Installing MiniUPnP (next)


Copyright © PlayControl Software, LLC / Eric Wing