Enable uPNP on the Unifi USG PRO

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
Hello, meh I thought this option would be in the GUI, but I cannot seem to find it.

Does anyone here use the UniFi Security Gateway PRO?

I need to enable uPNP, I need some guidance please.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
It's an enterprise product.

uPNP is for Home use.

So it's not something that really needs to be there in the first place.

Until you need remote desktop abilities into office machines.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
I guess I can set up the firewall rules manually, but uPNP is nice for quick testing. (Note this is not deployed in production yet)
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,847
Until you need remote desktop abilities into office machines.

Erm, no.

Never ever do you want to use uPNP for that.

It’s designed to dynamically punch holes in the firewall from the inside for people who have no idea how firewalls work.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,847
I guess I can set up the firewall rules manually, but uPNP is nice for quick testing. (Note this is not deployed in production yet)

And that’s how horribly insecure situations come about... because of “quick testing”.

It should have taken you less time to set up a manual firewall rule than typing the first post in this thread.

So there’s nothing “quick” about it. And a whole lot of potential pain down the road if you operate like this regularly.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
Erm, no.

Never ever do you want to use uPNP for that.

It’s designed to dynamically punch holes in the firewall from the inside for people who have no idea how firewalls work.
Correct, see post above.
This won't be for production I can reassure you.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,847
Correct, see post above.
This won't be for production I can reassure you.

Doesn’t matter if it’s for testing.

Do it properly from the start.

How do you limit it to a particular test case if you are making global changes on your edge router?

Every single device behind it can open ports on the firewall now.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
Doesn’t matter if it’s for testing.

Do it properly from the start.

How do you limit it to a particular test case if you are making global changes on your edge router?

Every single device behind it can open ports on the firewall now.

Test lab is literally my Telkom LTE modem for WAN -> USG Pro -> Ubiquiti 48 Port Gigabit 2 SFP 2SFP+ 750W PoE -> Dummy PC (blank Windows, testing various remote desktop apps)

Then I have my main workstation on VDSL on a completely separate network. I use the work station to connect into the "test lab" and test it out.

So far I could not manage to let this particular remote desktop app connect in tweaking the firewall on the controller/USG so I wanted to make sure this shiat actually works thus override the USG by enabling uPNP and see if it works. I then monitored the traffic and know what to open now on the firewall.

It worked perfectly for me.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,847
Test lab is literally my Telkom LTE modem for WAN -> USG Pro -> Ubiquiti 48 Port Gigabit 2 SFP 2SFP+ 750W PoE -> Dummy PC (blank Windows, testing various remote desktop apps)

Then I have my main workstation on VDSL on a completely separate network. I use the work station to connect into the "test lab" and test it out.

So far I could not manage to let this particular remote desktop app connect in tweaking the firewall on the controller/USG so I wanted to make sure this shiat actually works thus override the USG by enabling uPNP and see if it works. I then monitored the traffic and know what to open now on the firewall.

It worked perfectly for me.

Surely it has logging capability where you could have just viewed the denied ports?
 

Genisys

Honorary Master
Joined
Jan 12, 2016
Messages
11,217
uPNP? May I offer you a normal ADSL modem with all traffic going to your PC?

What is the point of a Firewall if you are anyway just opening all the ports? Why not just put your Modem into DMZ in this instance? Will probably offer similar levels of security.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,847
uPNP? May I offer you a normal ADSL modem with all traffic going to your PC?

What is the point of a Firewall if you are anyway just opening all the ports? Why not just put your Modem into DMZ in this instance? Will probably offer similar levels of security.

It doesn't work like that.

Incoming connections are only opened from Outgoing uPNP-enabled devices/applications that request it.

A hell of a lot better than turning your firewall off or allowing all traffic in.

It's not as secure as manually configuring the firewall, but it's nothing like leaving it wide open either.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
Surely it has logging capability where you could have just viewed the denied ports?
In hindsight I could have done that. Either way this worked fine for me, guess I also subconsciously wanted to mess with the thing's configuration files to see what happens in the background so just needed an excuse
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,847
In hindsight I could have done that. Either way this worked fine for me, guess I also subconsciously wanted to mess with the thing's configuration files to see what happens in the background so just needed an excuse

This post says otherwise...

"They should really add it to the GUI ffs."

But yes, in future monitor the logs for Block/Deny and change accordingly.
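The approach recommended here (read the firewall's deny log, find the ports the test client was actually blocked on, then write a narrow rule for just that source, destination, protocol and port) can be scripted. The snippet below is an added example written for this thread, not code from the forum or from Ubiquiti. It assumes the USG's firewall log lines follow the iptables LOG style its EdgeOS-based firewall emits, with a `[RULESET-rule-action]` tag (D for drop, A for accept) followed by `KEY=value` packet fields; the sample lines are constructed for the example and the addresses are documentation ranges. The output is a plain description of the rule to add, not the USG's own configuration syntax.

```python
import re
from collections import Counter

# Constructed sample syslog lines in iptables LOG style (assumed USG format).
# "..." stands in for fields that are irrelevant to the parser.
SAMPLE_LOG = """\
Jan 10 09:12:01 usg kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:12:03 usg kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 MAC=... SRC=203.0.113.10 DST=192.168.1.50 LEN=60 ... PROTO=TCP SPT=51235 DPT=3389 ...
Jan 10 09:12:05 usg kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 MAC=... SRC=203.0.113.10 DST=192.168.1.50 LEN=48 ... PROTO=UDP SPT=40000 DPT=3389 ...
Jan 10 09:12:09 usg kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 MAC=... SRC=198.51.100.7 DST=192.168.1.50 LEN=60 ... PROTO=TCP SPT=40001 DPT=22 ...
Jan 10 09:12:11 usg kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=100.64.0.2 LEN=60 ... PROTO=TCP SPT=40002 DPT=443 ...
Jan 10 09:12:15 usg kernel: [WAN_IN-2000-A]IN=eth0 OUT=eth1 MAC=... SRC=203.0.113.10 DST=192.168.1.50 LEN=60 ... PROTO=TCP SPT=51240 DPT=80 ...
"""

# [ruleset-rule-action], e.g. [WAN_IN-default-D] or [WAN_IN-2000-A]
RULE_TAG = re.compile(r"\[(?P<ruleset>[A-Za-z0-9_]+)-(?P<rule>[A-Za-z0-9]+)-(?P<action>[A-Z])\]")
# KEY=value packet fields; flags such as DF and SYN have no "=" and are skipped
KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the rule tag and packet fields of one firewall log line,
    or None when the line is not a firewall log entry."""
    m = RULE_TAG.search(line)
    if not m:
        return None
    fields = dict(KV.findall(line[m.end():]))
    if "PROTO" not in fields:
        return None
    dpt = fields.get("DPT", "")
    return {
        "ruleset": m.group("ruleset"),
        "rule": m.group("rule"),
        "action": m.group("action"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "dpt": int(dpt) if dpt.isdigit() else None,  # ICMP has no port
    }


def denied_flows(log_text):
    """Count dropped packets per (ruleset, src, dst, proto, dport).
    Accepted packets are ignored: only denials tell you what is missing."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "D":
            counts[(rec["ruleset"], rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    return counts


def suggest_rules(counts, trusted_src, ruleset="WAN_IN"):
    """Turn denials from one known test client into the narrowest accept
    rule that would let them through: one source, one destination, one
    protocol, one port. Denials from any other source are random internet
    probes and are deliberately not turned into rules."""
    rules = []
    for (rs, src, dst, proto, dpt), hits in counts.items():
        if rs != ruleset or src != trusted_src or dpt is None:
            continue
        rules.append({"src": src, "dst": dst, "proto": proto.lower(), "port": dpt, "hits": hits})
    return rules


if __name__ == "__main__":
    counts = denied_flows(SAMPLE_LOG)
    for key, hits in counts.items():
        print(f"denied {hits:>3}x  {key}")
    # The workstation on the separate VDSL line is the only source we trust.
    for r in suggest_rules(counts, trusted_src="203.0.113.10"):
        print(f"add rule: allow {r['proto']}/{r['port']} from {r['src']} "
              f"to {r['dst']} ({r['hits']} denied packets)")
```

Run against a real export, the denial counter also makes the cost of the UPnP shortcut visible: everything the trusted client was blocked on shows up as two or three lines, while the unrelated SSH and HTTPS probes from other addresses stay denied instead of being whitelisted along with it.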
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
This post says otherwise...

"They should really add it to the GUI ffs."

But yes, in future monitor the logs for Block/Deny and change accordingly.

I still feel it should be in the GUI. I want more control; whether that is good or bad should not be their choice, but my own.

----
I must say this Ubiquiti ecosystem is life! Imagine how long it would take if you had to set up a separate server to manage all this, VLANs, subnets etc.

----------
With that said, I am still very new to all this. One question I have is what does UniFi (with the USG) offer and what does it not offer?

In other words, with this setup, is there still a need for something like pfSense?
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
I still feel it should be in the GUI. I want more control; whether that is good or bad should not be their choice, but my own.

----
I must say this Ubiquiti ecosystem is life! Imagine how long it would take if you had to set up a separate server to manage all this, VLANs, subnets etc.

----------
With that said, I am still very new to all this. One question I have is what does UniFi (with the USG) offer and what does it not offer?

In other words, with this setup, is there still a need for something like pfSense?

No.

The USG and pfSense are not all that different, actually. Just a Linux (or BSD) based minimalist OS, with some IP firewalling and routing modules enabled, plus some management stuff.
 