plugins icon indicating copy to clipboard operation
plugins copied to clipboard
verified publisher icon opnsense

Allow disabling of secure_mode for UPnP

Open nashant opened this issue 2 years ago • 4 comments

This will allow the disabling of secure mode for miniupnpd.

My reasoning for this is to allow upnp port forwarding of kubernetes services where the client requesting the port forward will not have the same IP as that in the request.

nashant avatar Dec 29 '23 07:12 nashant

Hi,

In general ok but the storage value is the inverted value so the default can be retained as yes? That would be better to clean up to avoid future interpretation issues on changes regarding the topic.

Cheers, Franco

fichtner avatar Dec 29 '23 09:12 fichtner

Would you be happier if I just made it $upnp_config['disable_secure_mode'] rather than $upnp_config['secure_mode']?

nashant avatar Dec 29 '23 16:12 nashant

The most robust solution is to invert the storage value for GUI display. I just wanted to confirm the issue with you. I can take over that part in January if you don’t beat me to it. There are a few examples of this in the core code… I think on the services: router advertisements page for example.

Cheers, Franco

fichtner avatar Dec 29 '23 16:12 fichtner

Currently the daemon only uses the secure_mode option for UPnP IGD with IPv4, not for IGD with IPv6 and PCP. Note that NAT-PMP does not have a THIRD_PARTY option, so secure mode is always on.

The maintainer has rejected the pull requests to make this option universal for IGD with IPv6 and PCP. However, the undocumented pcp_allow_thirdpartyoption (which works the other way around) has been added to the sample configuration for the daemon. However, there is still no configuration option to disable the secure mode for IGD and IPv6.

Perhaps the maintainer should reconsider the rejection to avoid having to add/maintain multiple options in the different router UIs.

Please let me know what you think of the suggestion?

Self-Hosting-Group avatar Jan 24 '24 21:01 Self-Hosting-Group

Hi @nashant.

Thank you for your contribution.

I am preparing a PR, you can see the changes here: https://github.com/opnsense/plugins/compare/master...Self-Hosting-Group:plugins:service-improvements

Let me know if you like the other reverse wording and also the application to PCP and if you think it could then replace this PR.

Self-Hosting-Group avatar Jan 28 '25 14:01 Self-Hosting-Group

Yeah, that looks good to me. Wording makes sense. I'll close this in favour of that

nashant avatar Jan 28 '25 14:01 nashant