Automatic Router Config issue

[hielschf]

NAS TS-439, FW 4.0.2; Router AVM FritzBox 7390 FW 5.50

Scenario:
I want to make my local LAN available through internet via OpenVPN and myQNAPCloud(only used as DDNS service).
I setup my VPN server and client, I allow UPNP (router setting) in router and NAS.
Everything works fine.
When i open the "automatic router config" panel I see the list of configured port forwardings "QTS, secure QTS, Webserver, secure Webserver, ... VPN".
I don't want to open services to internet outside the VPN so I uncheck all the forwardings except for VPN and then I click 'apply to router". NAS says success and a cross check in the router web interface shows only this one port forwarding is configured.

Observation:
When I open the myQNAPCloud tab again (after popup the Autom. Router Config area shows some "ongoing check" animation" the NAS seems to re-configure the router again and all activated services (webser, secure webserver...) get their own portforwarding again!
It is shown in the list of forwardings in NAS and router!

This is a security problem. I want all these services but only via VPN.

PS: if this issue is already known or there is a topis in this forum already: excuse me!

[pwilson]

NAS TS-439, FW 4.0.2; Router AVM FritzBox 7390 FW 5.50

Scenario:
I want to make my local LAN available through internet via OpenVPN and myQNAPCloud(only used as DDNS service).
I setup my VPN server and client, I allow UPNP (router setting) in router and NAS.
Everything works fine.
When i open the "automatic router config" panel I see the list of configured port forwardings "QTS, secure QTS, Webserver, secure Webserver, ... VPN".
I don't want to open services to internet outside the VPN so I uncheck all the forwardings except for VPN and then I click 'apply to router". NAS says success and a cross check in the router web interface shows only this one port forwarding is configured.

Observation:
When I open the myQNAPCloud tab again (after popup the Autom. Router Config area shows some "ongoing check" animation" the NAS seems to re-configure the router again and all activated services (webser, secure webserver...) get their own portforwarding again!
It is shown in the list of forwardings in NAS and router!

This is a security problem. I want all these services but only via VPN.

PS: if this issue is already known or there is a topis in this forum already: excuse me!

So disable UPnP in your Router, and manually forward your unindentified VPN manually in the Router. Security issue solved - Permanently.

[hielschf]

hmmm.... I agree. And if I remove the ethernet cable from the router *all* security issues are solved ...

I mention that a offered feature/function is not working correctly maybe. Is QNAP aware of it? And I share my findings with other users...

[pwilson]

hmmm.... I agree. And if I remove the ethernet cable from the router *all* security issues are solved ...

I mention that a offered feature/function is not working correctly maybe. Is QNAP aware of it? And I share my findings with other users...

I have no idea is QNAP is aware of it or not, perhaps you should ask them. (I, like you, view UPnP as a security issue, so I deliberately disable it in my Router, just as I suggested to you in my last message).

UPnP security is non-existent. UPnP requests from inside your network will be honoured at the Router (if UPnP is enabled), whether the request came from you or not. Many malware programs, such as keyloggers and password stealers will attempt to force UPnP connections through your Router to deliver your data to somewhere in the cloud, where the hacker can access it.

Once UPnP is disabled in the Router, this issue is resolved. Continue to leave UPnP enabled on your other devices, so that network discovery etc works as expected. Disabling UPnP at the router will still allow discovery within your network, it simply won't permit UPnP initiated Port-Forwarding at the Router.

There are a large number of Routers that that will even permit UPnP to be initiated from the WAN side of the Router, and this is completely insecure. Google the subject of "UPnP insecurities", it will complete your education on the subject.

[schumaku]

Update to the current Firmware for your NAS model 4.0.5 - if the issue persists, chime back....

Sent from my Nexus 5 using Tapatalk