UniFi – Enabling UPnP on Ubiquiti Security Gateway / Adjusting MTU and MSS Clamping
The UniFi kit is truly amazing and I classify it as a “prosumer” device, simply because it offers near enterprise networking features at fairly reasonable consumer-level pricing. Although the learning curve is initially steep, the capabilities are seemingly endless.
Although fine-tuning a network setup does not necessarily apply to home installations, you should really tweak your already sophisticated Ubiquiti gear as much as possible.
MTU and MSS Clamping
If you are as old as I am, you will remember how, during the dial-up modem days, we tweaked MTU sizes to avoid fragmentation and packet retransmission, which resulted in slower throughput on that 28.8K dial-up modem. MTU fragmentation still plays a role, although with today’s low-latency network infrastructure (fibre, ADSL, VDSL) retransmission might not be as visible as in the past.
As a start, run an MTU test by visiting the following site: http://www.letmecheck.it/mtu-test.php, which will then highlight your largest MTU size:
Depending on your connectivity, the maximum MTU size will most probably be 1480 (as in my case with fibre connectivity) or 1500 (most likely an Ethernet connection). If your maximum MTU size is not 1500, you should adjust your USG configuration to “clamp down” the maximum MTU size so the gateway never sends packets larger than your link can carry. This cannot currently be done via the GUI on the CloudKey controller, so you will need to SFTP into the controller (I use Transmit on OS X):
SFTP access is enabled by default and you just need to enter the same credentials you use when connecting to the controller. You will then need to navigate to the “/srv/unifi/data/sites/default” directory as shown below (the directory name under “sites” might be different from “default” depending on your setup):
In the above directory, create a config.gateway.json file containing the custom configuration for your USG and paste the following content into it (the controller merges this file into the configuration it pushes to the USG every time the device is provisioned):
"interface-type": [ "all" ],
"listen-on": [ "eth1" ],
On line #6 adjust the mss value to the payload size displayed in the MTU test as “The actual size of the payload (data) will be limited to: 1448”, minus 8. As a sanity check, the MSS should equal your maximum MTU minus 40 bytes (20 bytes IPv4 header plus 20 bytes TCP header), so an MTU of 1480 gives an MSS of 1440.
On line #12 adjust the WAN interface, which is typically eth0. On line #13 adjust the mtu size to the maximum value reported in the MTU test.
From line #17 onwards we also increase the DNS forwarding cache size and enable UPnP on the UniFi Security Gateway. The UPnP service listens on the LAN interface (eth1) for port-mapping requests from devices on your network and opens the requested ports on the WAN interface (eth0).
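As an added example (this is not the author’s file, of which only two lines survive above), here is a complete config.gateway.json laid out the way the instructions describe. It follows the EdgeOS configuration tree the USG uses: firewall options mss-clamp, interfaces ethernet eth0 mtu, service dns forwarding cache-size and service upnp2. The values 1440 (MSS), 1480 (MTU), eth0 (WAN), eth1 (LAN) and 10000 (DNS cache entries) are assumptions matching the 1480-MTU fibre case above; replace them with what your own MTU test reports and what your interfaces are called. secure-mode restricts each LAN device to mapping ports to its own address only, which is the setting you want if you enable UPnP at all.

```json
{
  "firewall": {
    "options": {
      "mss-clamp": {
        "interface-type": [ "all" ],
        "mss": "1440"
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth0": {
        "mtu": "1480"
      }
    }
  },
  "service": {
    "dns": {
      "forwarding": {
        "cache-size": "10000"
      }
    },
    "upnp2": {
      "listen-on": [ "eth1" ],
      "nat-pmp": "enable",
      "secure-mode": "enable",
      "wan": "eth0"
    }
  }
}
```

All values are quoted strings, which is what the controller expects. Run the file through a JSON validator (for example `python -m json.tool config.gateway.json`) before uploading it; once the USG has been provisioned, `mca-ctrl -t dump-cfg` on the USG shows the merged running configuration so you can confirm the mss-clamp and upnp2 sections arrived.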
Why enabling UPnP matters
UPnP stands for “Universal Plug and Play” and allows an application to automatically forward a port on your router or gateway, saving you the hassle of forwarding ports manually. There has been much debate about UPnP being a security risk, as any application on your network can open ports to the outside world, and some people refer to UPnP as a system for “dumb people, incapable of configuring port forwarding rules”.
If you are paranoid and do not use Skype or play games on PS4, Xbox or Steam, there is really no reason to enable UPnP. If you do, UPnP avoids the hassle of manually configuring port-forward rules, and keeping track of which ports should be forwarded can become quite a challenge. Many console games will only work properly with UPnP enabled (especially if you have multiple consoles on the same network).
The real security challenge with UPnP is that a virus, trojan, worm or other malicious program that gets onto your network can open ports to the outside world, bypassing your firewall entirely. As an example, a Trojan horse could install a remote control program on your computer and open a port for it in your router’s firewall, allowing 24/7 access to your computer from the Internet. If UPnP was disabled, the program could not open that port, although it might still be able to bypass the firewall in other ways and phone home.
Since UPnP assumes that local programs are trustworthy (such as your PS4 or the games running on it, or Skype), it allows them to forward ports. It is really up to the user to ensure that malicious programs do not run on the home network (use malware scanners and antivirus software, and do not download pirated software).
Once you enable UPnP, you will however be able to monitor port forwarding stats via the UniFi Insight function:
In the above example you will notice that port 39485 (Skype) is forwarded from anywhere to my computer. The same Insight function will show you any rogue ports/forwarding rules, and you can then at least take action to remove any malicious applications.
Activating your config.gateway.json changes
Creating the config file on the controller is not enough to effect the changes and activate MTU/MSS clamping and UPnP; the file is only merged into the USG configuration when the controller provisions the device. You can either restart the USG (which takes time) or simply make a change to the USG that triggers a provision (I typically just create a dummy port-forward rule, apply it, provision it and afterwards delete it). Before you do, make sure the file is valid JSON: a syntax error will cause the USG to fail provisioning, and the controller will keep retrying until the file is fixed:
The above port-forward configuration also shows you how you could manually enable forwarding rules. The problem, however, is that you cannot forward the same external port to multiple IPs inside your network (i.e. if you have multiple PS4s, you will only be able to port-forward to one device), which is exactly the case UPnP handles for you.