
Edited: deleted my comment as I was unintentionally offensive.


To rephrase this somewhat less offensively (I am the author) "I realised a potential solution but decided the drawbacks of disabling uPnP were larger than the potential risk keeping uPnP enabled poses". My household makes use of many different services that would need to be port forwarded one by one in order to keep everything working, and some games just punch whatever port they like using uPnP so it's hard to keep playing those with it disabled. Sysadminning at home is only fun for a short while, I do this stuff at work, I'd rather keep my home setup as simple as I can help it.

As usual, various solutions are available, I described one here. Disabling uPnP is an option for some, and I encourage those who want to go that route to go that route.


I think some people miss the point of the article. That a NAS like Terramaster F2-210 shouldn't open ports externally and if they do there should be options to turn this feature off.


I agree with bunnyfoofoo’s conclusion - maybe not the tone but certainly the conclusion. It’s tough to trust an article that makes security claims while ignoring so many self imposed security holes.


I'm sorry, I didn't mean to come off as offensive. I agree that it would be bothersome to convert from uPnP to non-uPnP, but you really only need to set it up once. Then any new devices you add to your network don't require individual workarounds.


It's fine, I wasn't personally offended nor should you feel like you need to censor yourself. It's really difficult to justify turning uPnP off when you can't necessarily control every application that runs on your network. My wife is going to get rather annoyed when whatever video conferencing software she uses stops working, and I'm gonna get mad when the game I want to play doesn't work - which is why I engage in a somewhat fruitless fight with the stuff I can control to keep the uPnP port punching under control somewhat.

It's definitely a bug in the nas that it continues to punch ports no matter how it is configured. Plenty of software gives you the option of not punching ports.


FWIW I have never had upnp enabled and I don't recall any cases where it's caused a problem for me. Certainly my wife and I are on videoconferences all day and they work fine. I am completely with you that I can't have network configurations that make the network unusable, confusing, or inconvenient for my family, but are you sure that upnp falls into that category? I'm sure you have different applications than I do, but I think we're pretty normal...


This article pissed me off so I went to check on uPNP and I had disabled it when moving into this home. Never had any problem where uPNP was the solution, we have gamers, video calls, VPNs, BitTorrent, etc etc. all work fine. We even have a printer that works. I think it is calling home to Google or HP or whatever.


Try it and see what happens.

I build secure communications solutions for a living, so I'm speaking from experience.

Any solution worth its salt doesn't want or need UPnP on your network, it doesn't need anything other than for you to let it hit the internet and for the traffic to come back the other way.

I also run and have run other solutions in my day-to-day working from home and private life: many SIP flavours, Teams, Zoom (once, because it was the only option), Jitsi, BBB, Google Duo, Hangouts, Houseparty. They all work with no effort from me.

There is a lot of hypothetical about what will and won't work, but take it or leave it when I say that some of us, the people building these solutions, have a bit of a clue about networking and how to build solutions around security best-practice.

I also game online with PC, Nintendo Switch and PlayStation 4/5, not one has given me issues, nor have I needed any custom firewall rules for the consoles.

My wife works from home on a government-issued laptop; she's never complained of issues with video conferencing or her work VPN.

There may be some exceptions, sure, but it's less of an issue than people think.


You keep saying "whatever" software wouldn't work without UPnP, but you are failing to give us concrete examples.


You are responding to His blog, and He shared His reasoning. Go find your own examples on your network. Even better if you can’t find anything and have UPNP disabled.


> It's difficult to justify turning it off when

Isn't it more difficult to justify keeping it on when you can't trust devices not to, literally as the article shows, punch gaping holes in your network? 4 ports, and if you didn't know to look...

At a bare minimum, if you MUST have uPnP, then those devices need to be on their own "unsafe" network with another network further in or next to it that has uPnP disabled.
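The "if you didn't know to look" point is the practical one: most consumer routers will tell you exactly which mappings have been punched if you ask their UPnP IGD endpoint. The script below is an added example for this thread, not code from the article's author or from the NAS vendor. It uses only the Python standard library: an SSDP M-SEARCH finds the gateway, the gateway's device description gives the WANIPConnection/WANPPPConnection control URL, and GetGenericPortMappingEntry is walked by index until the gateway returns a SOAP fault (error 713 marks the end of the table). The three XML samples embedded at the bottom are constructed so the parsing can be exercised offline; they are not captures from a real device, and the 192.0.2.1/192.168.1.50 addresses in them are placeholders.

```python
"""List the port mappings a UPnP Internet Gateway Device currently holds.

Added example for the discussion above, not the article's or vendor's code.
Standard library only. Samples at the bottom are constructed, not captured."""
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def _local(tag):                      # strip the XML namespace from a tag
    return tag.rsplit("}", 1)[-1]

def ssdp_discover(timeout=2.0):
    """Return the LOCATION URLs of gateways answering an IGD M-SEARCH."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 1\r\n'
           "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n").encode()
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            while True:
                data, _ = s.recvfrom(4096)
                m = re.search(rb"(?im)^LOCATION:\s*(\S+)", data)
                if m:
                    found.add(m.group(1).decode())
        except socket.timeout:
            pass
    return sorted(found)

def find_control_url(description_xml, base_url):
    """Return (serviceType, absolute controlURL) of the WAN connection service."""
    for svc in ET.fromstring(description_xml).iter():
        if _local(svc.tag) == "service":
            f = {_local(c.tag): (c.text or "").strip() for c in svc}
            if f.get("serviceType") in WAN_SERVICES:
                return f["serviceType"], urljoin(base_url, f["controlURL"])
    return None

def build_soap(service_type, index):
    """SOAP body asking for port-mapping table entry number `index`."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(response_xml):
    """One mapping as a dict, or None for a SOAP fault (end of the table)."""
    root = ET.fromstring(response_xml)
    if any(_local(e.tag) == "Fault" for e in root.iter()):
        return None
    return {_local(e.tag): (e.text or "").strip() for e in root.iter() if _local(e.tag) in FIELDS}

def list_mappings(service_type, control_url, limit=512):
    """Walk indexes 0..limit-1; the gateway signals the end with a fault."""
    hdrs = {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'}
    out = []
    for i in range(limit):
        req = urllib.request.Request(control_url, build_soap(service_type, i).encode(), hdrs)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                body = r.read()
        except urllib.error.HTTPError as e:   # SOAP faults arrive as HTTP 500
            body = e.read()
        m = parse_mapping(body)
        if not m:
            break
        out.append(m)
    return out

# Constructed samples (not from a real router) so the parsers run offline.
SAMPLE_DESC = b'''<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceList><device><deviceList><device><serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId><controlURL>/ctl/IPConn</controlURL>
</service></serviceList></device></deviceList></device></deviceList></device></root>'''
SAMPLE_ENTRY = b'''<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8181</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>8181</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>nas-web</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'''
SAMPLE_FAULT = b'''<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail><UPnPError
xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>'''

if __name__ == "__main__":
    for loc in ssdp_discover():
        with urllib.request.urlopen(loc, timeout=5) as r:
            svc = find_control_url(r.read(), loc)
        if not svc:
            continue
        print(f"gateway {loc}")
        for m in list_mappings(*svc):
            print(f"  {m['NewProtocol']:3} ext {m['NewExternalPort']:>5} -> {m['NewInternalClient']}"
                  f":{m['NewInternalPort']:<5} {m.get('NewPortMappingDescription', '')!r}")
```

Run it from a host on the same LAN segment as the router (SSDP is link-local multicast, so it will not cross a VLAN boundary, which is also why the "UPnP devices on their own network" advice works). Each line printed is an externally reachable port and the internal host it lands on; anything you did not knowingly create is worth tracking down. Two simplifications to be aware of: the description's optional URLBase element is ignored in favour of the LOCATION URL, and a gateway that answers out-of-range indexes with an empty entry rather than a fault is treated as the end of the table.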


It was clear you didn't want to disable UPnP support on the entire network, but I couldn't tell whether you'd tried disabling it on the NAS.

Does the following disable the FS2-210's local UPnP?

Go to TOS Desktop> Control Panel> Network Services> Discovery Service> UPnP Discovery > Uncheck "Enable UPnP discovery service"

https://help.terra-master.com/TOS/view/?lang/en-us/flag/disc...

I assume this won't break anything you don't want broken (ie- automatic port forwards), but I'm with you that the option is needlessly ambiguous.


This option was and is disabled - I should have mentioned this in the blog post




Actually, I also found grandparent's (bunnyfoofoo) tone offensive. It's borderline derogatory, since it disregards the situation of the original author on many levels, plus everyone fixates on the wrong point.

UPnP has its security implications, but it doesn't mean that random appliances can just open ports through it without any settings whatsoever.

Everybody has the freedom to have opinions and is free to express them; however, we shouldn't disregard the other person's situation while expressing our opinion. Talking about theoretical best practices is always easy in a vacuum.

Addendum: I want to congratulate bunny for trying to learn from his/her mistakes, for being honest and sincere. I wanted to leave it here since there's no other way to contact. I also made a lot of mistakes and HN taught me how to discuss this stuff, so you're at the right place.


I'm wondering what definition of the word "offensive" you're using.


To be very exact, being offended is a choice, in that nobody can offend you if you don't let them. You can always choose to not take offense. (The statement in question does seem rude and dismissive to me, however.)


I believe the eminent feminist and humanitarian, Eleanor Roosevelt, would have agreed with the fairness of your assessment.

https://quoteinvestigator.com/2012/04/30/no-one-inferior/


Offensive as Rude.

Then @kn100 assigns to @bunnyfoofoo the offending behaviour.

It's the personal responsibility thing.

"I'm offended" vs "You're offensive".


I think it's pretty clear that the author believes he may have offended people with his statement, and is rephrasing in a more precise manner to avoid confusion.


Is there a reason why the software claims it’s not available over the internet but still is because of something it did?

Because that’s a bug.


You mean ignoring the fact that a NAS which claims to not be available over the internet is available over the internet?

The correct solution is the NAS manufacturer needs to correct the issue and provide a software update.

This article shouldn't be ignored at all. Your supposed "correct solution" does nothing to fix the root issue.


Man, I have to catch myself all the time with this.



