on 16-04-2023 11:04 AM
Hi.
I'm trying to look at the UPnP features of my FAST5364. Specifically, the count of WAN data up/down, so I can display it in my IoT front end alongside a number of other statistics of my house.
The UPnP features for External IP and WAN Status seem to work very consistently, but I really want KiB/s sent and KiB/s received. It used to work sometimes, but recently, it seems to have stopped working altogether. I used to be able to obtain that data, but only for a few hours after I reboot the router. Then, they just sat at 0 until the next time I power cycle.
I read elsewhere that this is a feature I'd have to get enabled by an OCE. Is this something you can help with, please?
Thanks.
on 17-04-2023 09:49 AM
I'm happy enough to open ports; I have one already for monitoring my 3D printer, thanks. I'd considered UPnP to be perfectly safe since "everyone" uses it and it's enabled by default, but you give a compelling reason to switch it off!!
on 17-04-2023 09:45 AM
If you do need any PF help, I can provide that. Whilst I do not have all the devices you have, I have ways of opening any TCP/UDP port & testing it on my own Sagemcom.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 17-04-2023 09:41 AM
Heh heh. Yes, of course. Nobody but me can really support all the IoT weirdness in my home! This router caters for the masses and hides all the otherwise confusing / dangerous settings (and rightly so). Thanks again.
on 17-04-2023 09:37 AM
The Enable UPnP IGd turns UPnP off or on, so keep it disabled. Then configure static port forwarding rules.
All UPnP does is allow a device to create these same PF rules anyway. Anything that works via UPnP should therefore work with the far more secure Port Forwarding. One caveat though, these are your devices & I cannot have tested all possible devices as I am just a customer myself & do not have any budget for this.
Keith
on 17-04-2023 09:31 AM
Hardware version 3.00, Hub version SG4K100136, GUI version 5.6.1.
Oooh. Interesting. So, this vulnerability would require something malicious on the inside to open a port. Duly noted. I was wondering how my outgoing Software Defined Radio traffic was getting to FlightRadar24 without my poking a hole in the firewall for it; it may be doing that itself?
Okay, I double-checked my terminology. The feature I'm hoping to use is something within UPnP/IGD. It allows my Home Assistant instance to see KiB/s sent and KiB/s received. I did read elsewhere on this forum that it was enabled by default and could only be switched off by an OCE. (I presume that's a TalkTalk employee.) I have now found the Enable UPnP IGd setting. It is enabled.
Can you help me understand the Advertisement Period and Advertisement TTL settings, please?
Is there a (better) alternative way to programmatically establish the router's WAN throughput, please?
Thanks for your time.
on 16-04-2023 01:29 PM
The Sagemcom FAST5364 allows you to enable or disable UPnP via the UI. What firmware version is this running?
In my opinion, you should never enable UPnP, as there are some serious vulnerabilities with this feature.
Any malware etc that manages to infect a device on your local network can utilise UPnP, just like legitimate applications can. Whilst a router normally blocks incoming connections, preventing some malicious access, UPnP could allow a malicious process to bypass the firewall entirely. What it does is to create some temporary port forwarding in the router to allow certain TCP or UDP ports through the router's firewall and direct them to a local device's IP address.
There is no mitigating this problem, because UPnP treats all local applications as trustworthy and allows them to forward ports. The only way to make UPnP secure is to disable it.
The much safer approach, in my opinion, is to use Port Forwarding & leave UPnP disabled.
Keith
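The post above describes UPnP letting any local device create port forwards on the router. As an added example (not part of the thread, and not TalkTalk or Sagemcom code), this Python sketch audits the mappings a router reports through the standard IGD action GetGenericPortMappingEntry against a list of forwards the owner set up on purpose. The SOAP responses, IP addresses and allowlist are constructed for illustration; fetching the responses from a real router is not shown.

```python
import xml.etree.ElementTree as ET

ACTION = "GetGenericPortMappingEntryResponse"  # standard WANIPConnection:1 action

def sample(port, proto, client, enabled, desc, lease):
    """Build a constructed SOAP response (not captured from a real router)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:{ACTION} xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration></u:{ACTION}></s:Body></s:Envelope>"
    )

SAMPLE_RESPONSES = [
    sample(8080, "TCP", "192.168.1.50", 1, "printer-monitor", 0),
    sample(4444, "TCP", "192.168.1.77", 1, "", 3600),
    sample(5000, "UDP", "192.168.1.60", 0, "old-rule", 0),
]

# Hypothetical allowlist: forwards the owner created deliberately.
EXPECTED = {("TCP", 8080, "192.168.1.50")}

def parse_mapping(xml_text):
    """Extract one port mapping from a GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    resp = next(e for e in root.iter() if e.tag.endswith("}" + ACTION))
    f = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "protocol": f["NewProtocol"].upper(),
        "external_port": int(f["NewExternalPort"]),
        "internal_client": f["NewInternalClient"],
        "enabled": f["NewEnabled"] == "1",
        "description": f["NewPortMappingDescription"],
        "lease_seconds": int(f["NewLeaseDuration"]),
    }

def audit(responses, expected=EXPECTED):
    """Return enabled mappings that are not on the allowlist."""
    unexpected = []
    for text in responses:
        m = parse_mapping(text)
        key = (m["protocol"], m["external_port"], m["internal_client"])
        if m["enabled"] and key not in expected:
            unexpected.append(m)
    return unexpected
```

With UPnP disabled and only static port forwarding in use, the router should report no mappings beyond the ones on the allowlist.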