juanfranblanco / rt-n56u

Automatically exported from code.google.com/p/rt-n56u

upnpd: AddPortMap: ... #28

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi!

I'm using the p6 version of your firmware and recently I've been having a problem.
My router is adding, on its own, some port forwardings to my local computers. How
is that possible?

Here are a few lines from my log:
Dec 29 10:26:01  upnpd[940]: Failure in GateDeviceDeletePortMapping: DeletePortMap: Proto:UDP Port:49394
Dec 29 10:26:03  upnpd[931]: Failure in GateDeviceDeletePortMapping: DeletePortMap: Proto:TCP Port:49394
Dec 29 10:26:08  upnpd[931]: AddPortMap: Prot: UDP ExtPort: 49394 Int: 192.168.1.104.49394
Dec 29 10:26:10  upnpd[940]: AddPortMap: Prot: TCP ExtPort: 49394 Int: 192.168.1.104.49394

I can see these ports in the PORT FORWARDING log. How can I remove them? I
tried using IPTABLES but couldn't do it.

Original issue reported on code.google.com by zboq2...@gmail.com on 29 Dec 2011 at 11:17

GoogleCodeExporter commented 9 years ago
Hello!

Please look at syslog )) You've answered your question yourself )
UPnPd (http://en.wikipedia.org/wiki/Upnp) is a daemon which is able to
open ports to the WAN if any application requests this option. For example, when
you use Skype, any media applications in your network, play games etc.
Of course you can disable this option, as it is not very safe to use it.
Go to this page, http://my.router/Advanced_WAN_Content.asp; there is an 'Enable
NAT-UPnP?' option. Choose 'No' and apply. That's it ;)

Original comment by d...@soulblader.com on 29 Dec 2011 at 4:08
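
Added example (not part of the original thread and not the firmware's own code): the syslog lines quoted in the report already name the LAN host behind each mapping, so replaying them shows which UPnP forwardings are still open and for which machine. The sample log is constructed from the report's four lines plus one hypothetical successful delete; the format of that success line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines from the report (wrapped lines re-joined)
# plus one hypothetical successful delete. Assumption: a successful delete logs
# the same "DeletePortMap:" text without the "Failure in ..." prefix.
SAMPLE_LOG = """\
Dec 29 10:26:01  upnpd[940]: Failure in GateDeviceDeletePortMapping: DeletePortMap: Proto:UDP Port:49394
Dec 29 10:26:03  upnpd[931]: Failure in GateDeviceDeletePortMapping: DeletePortMap: Proto:TCP Port:49394
Dec 29 10:26:08  upnpd[931]: AddPortMap: Prot: UDP ExtPort: 49394 Int: 192.168.1.104.49394
Dec 29 10:26:10  upnpd[940]: AddPortMap: Prot: TCP ExtPort: 49394 Int: 192.168.1.104.49394
Dec 29 11:02:17  upnpd[931]: DeletePortMap: Proto:UDP Port:49394
"""

ADD_RE = re.compile(
    r"upnpd\[\d+\]: AddPortMap: Prot:\s*(\w+) ExtPort:\s*(\d+) "
    r"Int:\s*(\d+\.\d+\.\d+\.\d+)\.(\d+)")
DEL_RE = re.compile(
    r"upnpd\[\d+\]: (Failure in \w+: )?DeletePortMap: Proto:\s*(\w+) Port:\s*(\d+)")

def active_mappings(log_text):
    """Replay upnpd syslog lines; return {(proto, ext_port): (lan_ip, lan_port)}."""
    active = {}
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            proto, ext, ip, port = m.groups()
            active[(proto.upper(), int(ext))] = (ip, int(port))
            continue
        m = DEL_RE.search(line)
        if m and not m.group(1):  # a failed delete leaves the mapping in place
            active.pop((m.group(2).upper(), int(m.group(3))), None)
    return active

def by_host(active):
    """Group externally open ports by the LAN host they forward to."""
    hosts = defaultdict(list)
    for (proto, ext), (ip, _port) in sorted(active.items()):
        hosts[ip].append(f"{proto}/{ext}")
    return dict(hosts)

if __name__ == "__main__":
    for ip, ports in by_host(active_mappings(SAMPLE_LOG)).items():
        print(ip, "has WAN ports open via UPnP:", ", ".join(ports))
```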

GoogleCodeExporter commented 9 years ago
Thank you for your reply.

Disabling NAT-UPNP will stop the Transmission remote GUI from connecting to my
router from WAN, right? And that's not what I want ;). Any other suggestions?
I have looked on my laptop at which process is using that port and it turns out
that it's svchost (netsvcs). Don't know why it's doing that.
Last thing, can you tell me the correct iptables command to disable those ports
from ssh?

Original comment by zboq2...@gmail.com on 29 Dec 2011 at 5:24

GoogleCodeExporter commented 9 years ago
There is another way to make Transmission "visible" from WAN. Follow this link:
http://my.router/Advanced_VirtualServer_Content.asp
First, enable port forwarding if it is not enabled.
Then write the rule below:

serv. name    port range         local ip       local port   protocol
-------------------------------------------------------------------
can_be_any     9091         your_router_ip(local)    9091      TCP

This works only in p6 firmware. Please, see wiki page for details.

svchost - I suppose you're using Windows. This service searches for network
devices such as local printers, scanners, media servers and so on. Windows is
always asking for the name of a device via NetBIOS. I don't really know, but I
think you can't disable this service on Windows.

I'm sorry, where do you want to disable ssh? If we are talking about the router,
then I'm sure it is absolutely safe to use ssh in your local network. By
default, the port is opened to the local network only. If you try to connect to
the device from the internet, the router will drop these packets. So, normally
ssh uses port 22 or sometimes 2222, telnet 23 (telnet is a non-safe application!!).
If you'd like to disable it completely, go to System settings
(http://my.router/Advanced_System_Content.asp), set it to off, and apply.

Original comment by d...@soulblader.com on 29 Dec 2011 at 5:56

GoogleCodeExporter commented 9 years ago
About ssh, maybe I have written it incorrectly. I wanted to use ssh in my local
network to log in to the router and then, using it, disable those ports with an
iptables command.

Question: In the wiki you wrote that to use Transmission from WAN we need to
enable NAT-UPNP and later add a rule to forward the Transmission port to the
router and also change S10iptables, because forwarding ports to the router is
disabled by default. Above you wrote that I don't need to enable NAT-UPNP, so
which one is it?

Original comment by zboq2...@gmail.com on 29 Dec 2011 at 6:34

GoogleCodeExporter commented 9 years ago
I'm sorry, it was written for p2, then I edited it a little.
I wrote to enable NAT UPnP - I think it's easier for people who have never
worked on Linux to enable smth. in the web interface than to write any iptables
rules.

Then it is written to edit /opt/etc/init.d/S10iptables: a bug was found that
the router couldn't forward ports in virtual server to itself. It was fixed in p6.
Now there is no need to use this script for Transmission, but it still exists
for some special needs...

So actually, I need to update the wikis, but I have absolutely no time to do that.
Sorry =/
It will be updated next week on the New Year's weekend...

Please excuse my English. I think I haven't got it again. Do you want to use
some service (ssh) and close the port to this service with iptables? But then it
will be impossible for you to use this service too, as the port is closed. You
know, if you've got a strong password (more than 8 chars, with smth. like
!, #<>?&, I mean some special chars), don't worry: access will be denied to
everyone who wants to practice hacking.

Original comment by d...@soulblader.com on 29 Dec 2011 at 7:59

GoogleCodeExporter commented 9 years ago
Ok, I get it now with the iptables and web interface. Actually I did port
forwarding in both the web interface and iptables, so I think I'm gonna remove it
from the S10iptables script ;-).

About ssh... I wrote in the first post that I have TCP and UDP ports
forwarded to my local computer (192.168.1.104.49394). All I wanted to do is
log in to the router using ssh and disable that forwarding. I tried to do that
using a rule similar to the one in S10iptables:
iptables -D FORWARD -p tcp --destination-port 49394 -j ACCEPT
but it doesn't work (it says something like there is no port like that forwarded
or there is some mistake in the rule). So to be clear, I didn't want to close the
ssh port, obviously, I wanted to use ssh to close ports opened by upnpd :). I hope
I have explained it well enough.

Btw. Thanks for the work you're doing with this router. I had a lot of problems
with mine from the day I bought it. I was even thinking about returning it, but
now it works flawlessly with your firmware :D. One thing though, can I watch
something using UPnP on my TV that is seeding in Transmission at the same time?
Yesterday I had a serious crash of the router after doing that. Internet
was working but I couldn't get to it using ssh or the web GUI, and UPnP also
stopped working after that. I had to power off and on to get it working again.
But maybe that should not be asked in this thread. Sorry for that.

Original comment by zboq2...@gmail.com on 29 Dec 2011 at 8:54

GoogleCodeExporter commented 9 years ago
Hello! Ok, I see now, thank you! Yes, if you want to manage Transmission downloads
from the internet, there is no need to use S10iptables. If you have already
added some rules to the script, you should remove them, or just comment them out
with '#'.

If you give this rule to iptables, most likely it will return an error message.
There is a service on your Windows host which is similar to upnpd in the router.
The router allocates a dynamic port. I think you shouldn't close it. Windows
updates its firewall this way. It also uses NetBIOS to find network devices and
asks a found device for its name. I think you should check the Microsoft
documentation to be sure it is safe.

Yes, you can watch IPTV when Transmission is running. I'm afraid I can't
give you the exact settings, but IGMP snooping should be set to 'On', Hardware
NAT - 'On'.
(Check its status here - http://192.168.130.254/Main_IPTStatus_Content.asp).
If a device which processes the stream flow can't deal with UDP, then you should
activate the proxy service on the router.
Go to http://192.168.130.254/Advanced_IPTV_Content.asp (I'm on p7 now),
enable this option - 'Enable multicast routing?',
then set 'IPTV UDP Multicast в HTTP Proxy порт.' to 4022, for example.
I'll try to make a wiki help page for this.
Best wishes! ;)

Original comment by d...@soulblader.com on 30 Dec 2011 at 1:23

GoogleCodeExporter commented 9 years ago
Hello!

To begin with, I would like to thank you for all your replies to my
problem.
Since this issue's status is done and I don't want to start a new one, I'm
writing directly to your email.

Yesterday, I had a partial crash of the router again. There was the same
problem after using DLNA. I was unable to log in through ssh or web, and I
didn't have access to the HDD connected to it. But internet worked though.
Since I can't connect to the router at this point, I can't do any diagnostics
and don't know what is causing that. The only way to get the router back to
normal is to power it off and on, and after that it works fine.

Is there a way to look through the general log after a restart to see if there is
something that may help?

Btw, I'm still on p6 firmware ;).

Original comment by zboq2...@gmail.com on 5 Jan 2012 at 10:45