True that there are certain workloads that need it… and most times admins will run those servers isolated as much as possible via firewalls or a DMZ from the sensitive services, as at best UPnP is still a huge security attack surface that has had a history as black as Flash for exploits.
@dragonmel said:
you will find zero IT professionals who would allow UPnP to run on an edge appliance … it's just stupid
I agree with this statement you made earlier. @dragonmel said:
@“Ach!lles”
True that there are certain workloads that need it… and most times admins will run those servers isolated as much as possible via firewalls or a DMZ from the sensitive services, as at best UPnP is still a huge security attack surface that has had a history as black as Flash for exploits.
Removing Plex for a moment, there should be no firewalls using UPnP for port mapping in any commercial environment, as that negates having a firewall in the first place. Servers tend to have a static port that needs to be opened or port-mapped via NAT manually.
I was referring to client-side applications which perform best with dynamic port mapping. Such client-side applications are Skype, FaceTime, Xbox and PlayStation. These are the top widespread client-side applications that need UPnP/NAT-PMP to fully function as intended by their respective developers. They are a pain to deal with, but that's why I like pfSense for its ability to apply ACLs to UPnP and NAT-PMP.
I "think" you agree with everything I am trying to say, and I am agreeing with everything you are trying to say.
UPnP - BAD
allowing your edge firewall (the router, in home networking speak) to be Swiss-cheesed at will without admin control or at least oversight… BAD
99.9% of home environments… UPnP … VERY BAD
enterprise firewalls, creative subnetting, traffic isolation, client and protocol filters… etc… help rein in "Problem Child" services that require UPnP-type connections… if appropriately administered by networking professionals… and even then… 3rd-party security evals usually can find holes and exploits… (worth double their consulting fees usually)
pretty much sums up an overly complicated subject… ? — beer time!
I have lots of examples of the router taking up to close to a minute to respond to an SSDP search, so UPnP is very unreliable, and a port forward with a manually specified port is solid, so long as the local IP is reserved and does not change.
I am looking at lots of diagnostics to see if we can handle bad router behaviours better for UPnP.
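The slow-SSDP behaviour described in this post is easy to measure from the LAN. The following script is an added example, not Plex code: it sends one SSDP M-SEARCH for an Internet Gateway Device, waits up to a deadline for the first matching reply, and buckets the observed delay so a diagnostics report can flag a router that takes far longer than the MX it was asked for. Only `discover_gateway()` touches the network; `build_msearch()`, `parse_ssdp_response()` and `classify_latency()` are pure, and `SAMPLE_REPLY` is a constructed reply used only to exercise the parser (its addresses and server string are made up).

```python
"""Added example (not Plex code): measure how long a router takes to answer an
SSDP M-SEARCH for the InternetGatewayDevice service and parse what comes back."""
import socket
import time

SSDP_ADDR = ("239.255.255.250", 1900)      # standard SSDP multicast group/port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample reply (made-up addresses), used to exercise the parser offline.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:EXAMPLE-0000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Example-Router/1.0 UPnP/1.0\r\n"
    b"\r\n"
)


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request; MX asks devices to answer within mx seconds."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into a dict of lower-cased headers.
    Anything that is not a 200 OK yields {} so stray datagrams are ignored."""
    text = raw.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_latency(seconds: float, mx: int = 2) -> str:
    """Bucket the answer time: within MX is healthy, beyond 10 s is effectively unusable."""
    if seconds <= mx:
        return "ok"
    if seconds <= 10:
        return "slow"
    return "unusable"


def discover_gateway(timeout: float = 60.0, mx: int = 2):
    """Send one M-SEARCH and wait up to `timeout` seconds for the first IGD reply.
    Returns (seconds_waited, headers), or (timeout, {}) if nothing answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(0.5)                    # poll so the overall deadline is honoured
    start = time.monotonic()
    deadline = start + timeout
    try:
        sock.sendto(build_msearch(IGD_ST, mx), SSDP_ADDR)
        while time.monotonic() < deadline:
            try:
                data, _addr = sock.recvfrom(65535)
            except socket.timeout:
                continue
            headers = parse_ssdp_response(data)
            if headers.get("st") == IGD_ST:
                return time.monotonic() - start, headers
    finally:
        sock.close()
    return timeout, {}


if __name__ == "__main__":
    waited, hdrs = discover_gateway(timeout=60.0)
    print(f"waited {waited:.2f}s -> {classify_latency(waited)}; "
          f"location={hdrs.get('location')}")
```

Run it on the LAN behind the router under test; a healthy gateway answers within the MX window, while a result in the "slow" or "unusable" bucket is the case where a reserved LAN address plus a manual port forward is the more dependable choice.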
@dragonmel said:
@“Ach!lles”
allowing your edge firewall (the router, in home networking speak) to be Swiss-cheesed at will without admin control or at least oversight… BAD
99.9% of home environments… UPnP … VERY BAD
enterprise firewalls, creative subnetting, traffic isolation, client and protocol filters… etc… help rein in "Problem Child" services that require UPnP-type connections… if appropriately administered by networking professionals… and even then… 3rd-party security evals usually can find holes and exploits… (worth double their consulting fees usually)
Not much you can do about that. Gaming is a multi-billion-dollar industry and for the most part UPnP is required. I don't see that changing. The best one can do is:
Launch a crusade vocally towards the top vendors to keep the UPnP module up to date in their firmware.
Petition they add ACLs like pfSense does to mitigate the security risk for consumers.
Contribute to the UPnP consortium to add all the necessary mitigation required to secure the home networking products.
I personally create different zones for those purposes where UPnP/NAT-PMP is secured further with ACLs. The bulk of the population don't care about that. For God's sake, how many people do not lock the doors to their homes and cars? Those who care, like yourself, will take the necessary steps to secure your life. Those that do not will become a victim at some point.
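The zoning-plus-ACL approach above can be illustrated with a small model of the ACL lines that a UPnP daemon such as pfSense's miniupnpd checks before it honours a port-mapping request. This is an added example, not pfSense or miniupnpd code: it parses rules in the documented `allow|deny <ext-port-or-range> <int-ip-or-cidr> <int-port-or-range>` form, applies first-match-wins, and treats a request no rule matches as denied (that default is this model's assumption; in practice the trailing `deny 0-65535 0.0.0.0/0 0-65535` line makes it explicit). `CONSOLE_ACL` is a constructed policy with made-up subnets: a console/Skype zone may map only high ports, and hosts on any other subnet get nothing.

```python
"""Added example (not pfSense/miniupnpd code): evaluate UPnP port-mapping requests
against allow/deny ACL lines so only the intended zone can punch holes."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    ext_ports: range                  # external (WAN) ports the rule covers
    int_net: ipaddress.IPv4Network    # internal hosts the rule covers
    int_ports: range                  # internal ports the rule covers


def _port_range(spec: str) -> range:
    """'3074' -> range(3074, 3075); '1024-65535' -> range(1024, 65536)."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return range(lo_i, hi_i + 1)


def parse_acl(text: str) -> list:
    """Parse ACL lines; '#' starts a comment, blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"unparseable ACL line {line!r}")
        rules.append(Rule(parts[0], _port_range(parts[1]),
                          ipaddress.IPv4Network(parts[2], strict=False),
                          _port_range(parts[3])))
    return rules


def mapping_allowed(rules, ext_port: int, int_ip: str, int_port: int) -> bool:
    """First matching rule decides; no match is treated as deny (model assumption)."""
    addr = ipaddress.IPv4Address(int_ip)
    for r in rules:
        if ext_port in r.ext_ports and addr in r.int_net and int_port in r.int_ports:
            return r.action == "allow"
    return False


# Constructed policy (made-up subnets): consoles and softphones sit in
# 192.168.20.0/24 and may only map high ports; everything else is refused.
CONSOLE_ACL = """
allow 1024-65535 192.168.20.0/24 1024-65535   # console / Skype zone, high ports only
deny  0-65535    0.0.0.0/0       0-65535       # explicit default deny
"""


def audit(rules, requests):
    """Return (ext_port, int_ip, int_port, decision) for a list of mapping requests."""
    return [(e, ip, i, "allow" if mapping_allowed(rules, e, ip, i) else "deny")
            for e, ip, i in requests]


if __name__ == "__main__":
    policy = parse_acl(CONSOLE_ACL)
    sample = [(3074, "192.168.20.15", 3074),   # console in the UPnP zone
              (3074, "192.168.10.5", 3074),    # same request from the server VLAN
              (445, "192.168.20.15", 445)]     # low port even from the UPnP zone
    for row in audit(policy, sample):
        print(row)
```

The point the model makes visible is that the ACL, not the requesting application, decides which hosts and ports can be exposed: a console in the designated zone gets its high-port mapping, while an identical request from another subnet, or a low-port request from the zone itself, is refused before any NAT rule is written.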
with network statistics, routes, latency graphing, external/internal bandwidth totals… etc
for each active client, just like in PlexPy, a window with progress, bandwidth, resolution, etc… clicking on it would bring up even more info… like PlexPy, transcode status, MDE decision tree on why it's transcoding in plain English… client requested original, bandwidth required 30k exceeds limit, transcoding to 720 4k bandwidth auto quality engaged… etc…