In a previous post, I outlined how to segment each port of an ASUS RT-N16. Now, I’ll go over the details of implementing UPnP on one or more of those segments.
First off, autobot on the DD-WRT forums posted the code and binary for MiniUPnPd (link). The script and binary provided are great. However, the startup script downloads the latest version of the shell script and the binary over plain HTTP from the Google Code site on every boot. Although this makes it very easy to get UPnP up and running quickly, it is a BAD idea. For one, if you are going to fetch anything at boot, use HTTPS. Second, it’s not a good idea to let a script whose content you don’t control be downloaded and executed by your router every time it restarts. Instead, if you have some free space on the router, it’s better to store static copies of the scripts in JFFS (the Journaling Flash File System).
Here are the steps to get this working:
1.) Install the BIG build. In order to enable JFFS, I had to install the BIG build (also known as Mega). The Mini build had the option for JFFS support, but when I enabled it I still couldn’t write files to /jffs/. So, I upgraded from Mini to Mega. First I installed Mini, then I downloaded the binary for Mega. I upgraded to Mega by going to Administration –> Firmware Upgrade. Select the binary for BIG and click Upgrade. The upgrade may take 5 min…
2.) Enable JFFS. In the web interface, go to Administration –> Management. Find JFFS Support and select Enable. Click Save, then Apply Settings. Now you can store files in the /jffs/ directory on the router.
3.) Verify uPnP is disabled in DD-WRT. Go to NAT/QoS –> UPnP. Make sure UPnP Service is set to Disable.
4.) Upload the miniupnpd files to the router. Telnet/SSH to the router. Change directory to /jffs/. Now, download the miniupnpd files, here and here. (NOTE: The shell script and configuration file are not the originals – I made updates to them. Specifically, the shell script references the config file, which has UPnP turned on for the .11 and .13 networks and turned off for everything else, plus a few other small updates. The originals can be found here and here.) You can follow the directions below to copy down autobot’s files, and you can override them with my .sh and .conf files if you would like (whatever you want to do).
mkdir -p /jffs/miniupnpd   # the target directory must exist before wget -O can write into it
wget http://hackthecode.googlecode.com/files/miniupnpd.sh -O /jffs/miniupnpd/miniupnpd.sh
wget http://hackthecode.googlecode.com/files/miniupnpd.conf -O /jffs/miniupnpd/miniupnpd.conf
wget http://hackthecode.googlecode.com/files/miniupnpd.gz -O /jffs/miniupnpd/miniupnpd.gz
The part that allows you to control which segment is allowed to use UPnP is in the .conf file. Specifically, these lines allow/deny access for the specified segments (one rule per line, in the form: action, external port range, internal subnet, internal port range):
allow 1024-65535 192.168.11.0/24 1024-65535
allow 1024-65535 192.168.13.0/24 1024-65535
deny 0-65535 192.168.12.0/24 0-65535
deny 0-65535 192.168.14.0/24 0-65535
deny 0-65535 192.168.15.0/24 0-65535
It’s recommended to add this line at the end of the rules:
deny 0-65535 0.0.0.0/0 0-65535
NOTE: In the configuration file, I disable UPnP for the .12 and .14 networks (you can enable/disable UPnP for whatever networks you want).
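To show what these permission lines actually do, here is a small Python model of MiniUPnPd’s rule evaluation (an added example for this post, not code from the post or from MiniUPnPd). A rule matches when the requested external port, the client’s address and the internal port all fall inside the rule; the first matching rule decides; a request that matches no rule is allowed, which is exactly why the trailing catch-all deny matters. The rule text is copied from the config above; the test addresses and ports are constructed.

```python
import ipaddress

# Permission rules quoted from the post's miniupnpd.conf (without the
# catch-all), plus the recommended final line kept separate so the two
# variants can be compared. Constructed input for this example.
RULES_TEXT = """
allow 1024-65535 192.168.11.0/24 1024-65535
allow 1024-65535 192.168.13.0/24 1024-65535
deny 0-65535 192.168.12.0/24 0-65535
deny 0-65535 192.168.14.0/24 0-65535
deny 0-65535 192.168.15.0/24 0-65535
"""
CATCH_ALL = "deny 0-65535 0.0.0.0/0 0-65535\n"


def parse_port_range(text):
    """'1024-65535' -> (1024, 65535); a single port '80' -> (80, 80)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_rules(text):
    """Parse allow/deny lines into (is_allow, ext_range, subnet, int_range)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        rules.append((action == "allow", parse_port_range(ext),
                      ipaddress.ip_network(net, strict=False),
                      parse_port_range(internal)))
    return rules


def is_permitted(rules, ext_port, client_ip, int_port):
    """First matching rule wins; no match means the mapping is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for allow, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return allow
    return True   # MiniUPnPd's default when nothing matched


if __name__ == "__main__":
    open_rules = parse_rules(RULES_TEXT)
    closed_rules = parse_rules(RULES_TEXT + CATCH_ALL)
    # A host on .11 asking to map port 80: no allow rule covers ports below
    # 1024, so only the catch-all stops it.
    print(is_permitted(open_rules, 80, "192.168.11.50", 80))    # True
    print(is_permitted(closed_rules, 80, "192.168.11.50", 80))  # False
```

Running it shows that, without the catch-all, a .11 host can still map an external port below 1024 (the allow rules only cover 1024-65535 and nothing denies it), and an unlisted segment such as 192.168.16.0/24 is allowed outright.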
5.) Edit the startup script of the router to start miniupnpd on boot. In the DD-WRT web interface, go to Administration –> Commands. Under the Startup section, click Edit. At the end of the startup commands, add the following:
Click Save Startup.
When you restart the router, MiniUPnPd should be running for the networks that you specified in the configuration file.