<!–#set var="article_header" value="UPnP-Enabled Routers:
Ready for Prime Time?” –>
The article first appeared on SmallNetBuilder.
Copyright© Tim Higgins 2002. All rights reserved.
Introduction
With Windows XP well into deployment and more manufacturers starting to beat the drum about how wonderful life is with a UPnP-enabled router, I thought I’d see whether UPnP really is something that you just won’t want to live without in your Internet sharing device. If you don’t know what UPnP is, or even if you do, you may want to read our UPnP FAQ before diving into this NTK, since the basics and background of UPnP are covered there. Or, if you’re the impatient type and just want the bottom line on what I found, you can get it here.
Notes, Caveats, Warnings!
- This is my first time doing any serious playing with both Windows XP networking and UPnP. Therefore, some of my observations may be old news to many readers. I apologize if I repeat what may be common knowledge, or if I’ve missed something or gotten it wrong. I’ll be happy, of course, to update this article with any corrections I receive.
- I checked with Microsoft, D-Link, and Linksys to see if there were any descriptions of what I should look for during my testing. I received responses from all, but the information was at a marketing “features” and “benefits” level and not at the detailed “User Manual” level that I was hoping for.
- I also searched through the Windows XP help (which turned out to be more helpful than I thought it would be… once I learned where to look), and hit Google in hopes of finding someone who had already been down this path and could give me some guidance. I didn’t have much luck with these sources either.
After checking with my vendor contacts, I found there were only a few UPnP-enabled routers that I could get my hands on, so I chose the Linksys BEFSR41 (with firmware 1.42.3 or higher) and the D-Link DI-804 (with firmware V4.67 or higher) for the bulk of my testing. With routers in hand and Windows XP Home installed on one of my test machines, I set out to see what I could see.
(Additional routers that support UPnP are: MultiTech RF550VPN and D-Link’s DI-604 with 2.0f firmware update).
Grab your Partner!
Since I’d heard so much about how a Windows XP computer and a UPnP-enabled router were supposed to find each other no matter how the XP client was set up and without requiring any reboots, I thought I’d poke at that, first.
I took my trusty, but aging, Compaq 1650 laptop that I’d recently loaded with Windows XP Home and that was happily connected to my SMC7008 main router (and the Internet) via a Linksys PCM100H1 HomeLink Phoneline + 10/100 Network PC card (yes, that’s a strange choice, but my trusty generic 10Mbps PC card Ethernet NIC died during my experiments). Windows XP had installed the NIC, using the latest drivers downloaded from Linksys, and configured it with the default assortment of services as shown in Figure 1 below.
Figure 1
XP had set the NIC to “Obtain an IP address automatically”, and the adapter had successfully leased IP address information from the SMC router in the 192.168.3.XXX subnet, and was added to the the Network Connections window, as shown in Figure 2 below.
Figure 2
Tip: You must have the TCP/IP protocol installed, set to “Obtain an IP address automatically,” and no Gateway or DNS information entered in the TCP/IP properties. This is the default setting for Windows XP, but not for earlier OSes.
If you manually set your IP address or other TCP/IP properties, UPnP will not override those settings and may not automatically connect to your UPnP-enabled router.
So far, though, no UPnP magic had been invoked because the SMC7008 is not UPnP-enabled. So I left the Network Connections window open, unplugged the Compaq’s Ethernet cable from the SMC, plugged it into the D-Link DI-804, and waited to be amazed. After about ten seconds or so, the Network Connections window began morphing and after about half a minute had changed to what you see in Figure 3.
The Linksys was slower to appear in the Network Connections window, taking about a minute to finish its configuration.
Figure 3
Hmmm… a new icon. Let’s go check it out!
The Internet Connection
This Internet Connection icon’s appearance in the Network Connections window is the first indication you get of a connection to a UPnP enabled router or Internet Gateway Device (IGD). It’s also the way that you access some of the router information and properties that UPnP makes available to you.
Tip: If you’ve used XP’s Internet Connection Sharing feature, you’ve probably already seen this icon and are familiar with what is does. XP uses essentially the same interface elements for UPnP enabled routers.
Double clicking on the Internet Connection icon (or right-clicking and selecting Status) brings up its Status window, which is a little more interesting. Most of what you see in this window is described in the XP Help topic “Internet Connection Sharing Discovery and Control overview,” so I’ll just focus on my “discoveries”.
The screenshots below show the Internet Connection Status windows for the D-Link router (Figure 4), and the Linksys (Figure 5). You can tell from the shots that the Linksys router had been turned on just a short time before I took the screenshot, but of special note is the difference in Speed reported by the two products.
Figure 4 – D-Link DI-804
XP Home’s Help explains that this number is “…the speed in megabits per second (Mbps) at which the adapter with Internet Connection Sharing enabled is capable of operating,” not the actual speed of data flowing to/from the Internet. Given that information, the D-Link product is reporting the correct number, and the Linksys appears to have a firmware bug (it should have also reported 10Mbps). I’ve asked Linksys to explain the 3.2Mbps number, and so far, they haven’t been able to explain it.
Figure 5 – Linksys BEFSR41
Moving on, clicking the Properties button on the Status screen brings up the Internet Connection Properties window shown in Figure 6. Not much here, except for the checkbox that allows you to have an icon appear in the system notification area (that’s the System Tray to Win98 folks…) when the connection is active, and the button that brings you to the more interesting Advanced Settings windows.
Figure 6 – Internet Connection Properties
Tip: System notifications are off by default, so be sure to check the “Show icon in notification area when connected” box if you want to be alerted to changes in networking connections.
Before we move on to look at what’s behind the “Settings” button, though, let’s first spend a moment on UPnP’s NAT Transversal feature.
Come Transverse my NAT
When I first heard about the feature, it made me very nervous (and still does). Could I trust something that automatically opened holes in my router’s firewall? Would it work? How reliable would it be? Would it tell me what it was doing? Could I control it?
I found that I was pretty much on my own in answering these questions and had to rely on net searching with Google and poking around in the XP Help documentation to piece together a picture of what NAT Transversal is supposed to do. I’ve added links to the most useful information that I found here in our Links section (both are Microsoft documents), but let me summarize the key points of what you should know:
- The present Version 1 NAT Transversal API (Application Programming Interface) provides the following functions:
- Determine if a NAT is present;
- Get the external IP address of the NAT, i.e. the router;
- Get the static port mapping information for a specific external port, if it is mapped;
- Add a static port mapping, unless the external port is previously assigned;
- Enable or disable a specific port mapping without deleting it;
- Edit the user-friendly description of a static port mapping;
- Delete a static port mapping;
- Obtain a list of static port mappings for the local network;
- Applications do the “heavy lifting” in managing port mappings, using the API functions listed in Point 1. The router is more a “slave” than a “master,” so UPnP doesn’t add much value to a router without applications that know how to use UPnP features.
- UPnP enabled Internet Gateway Devices or IGD‘s (Microsoft’s UPnP term for routers and similar devices) currently support port mappings of infinite duration only. This means the mappings can’t be set with a router-controlled time-out. It also means that IGD’s are not smart enough to detect “zombie” mappings, i.e. ports left opened by abnormally terminated applications. If the application that used UPnP NAT Transversal to open ports in an IGD crashes, the ports will stay open until the next time that application is used.
It was pretty clear that I needed to find some NAT Transversal-savvy applications to use in my testing. But when I asked D-Link, Linksys, and Microsoft for a list of applications that supported NAT Transversal, I didn’t really get one and couldn’t find one anywhere on the web. I did learn that XP’s Windows Messenger, Remote Desktop Connection, and Remote Assistance features supported it, and that various Microsoft games were in the process of adding support for it, too. But I couldn’t get reliable information on UPnP support in applications from any vendor other than Microsoft. So, because XP insists on launching Messenger every time it starts up, I used it to check out NAT Transversal. Let’s get to it!
This is “Advanced”?!
The Advanced Settings window is where you really get to see whether UPnP delivers the promised goods in making Internet sharing easy. From what I saw in these two products, UPnP has a long way to go to reach that goal. But let me save the editorial comments for later and focus on what I found.
The Linksys BEFSR41 was loaded with firmware 1.42.6 Mar 11, 2002, and the D-Link DI-804 with firmware V4.67(2002/12/20).
Figures 7 and 8 once again show the D-Link and Linksys “Advanced Settings” windows, and you can see that the two products are very different in what they provide.
Figure 7 – D-Link DI-804
Figure 8 – Linksys BEFSR41
The DI-804’s screen (cryptically) shows that Windows Messenger had automatically opened two Services (Microsoft’s term for ports) and enabled them. I ran a port scan for the listed ports against the 804’s WAN port and found, indeed, that the ports were open. When I quit Messenger, the port mappings were not just disabled (which would have been indicated by removing the check marks in the boxes), but removed, i.e. no Services were listed in the Advances Settings window. So that’s what NAT Transversal looks like in action!
Figure 9 – D-Link Service Setting info
Selecting the first service and clicking “Edit” brought up the window shown above in Figure 9. Note the use of different internal and external port numbers (common for some applications) and the use of the computer’s name instead of IP address.
The Linksys results, however, were disappointing. First, the router and Windows Messenger appeared to not pay any attention to each other, with no Messenger related Services appearing (refer to Figure 8 above). Under the same test conditions, the Linksys instead offered a menu of common Internet Services that could be enabled (note that all are disabled by default). But when I enabled the FTP (Port 21) service, then ran a port scan against it, the port wasn’t found to be open! I also tried enabling the HTTP (Port 80) service, with the same result. Probing further, I edited the FTP service and found that the IP address wasn’t even set to the XP computer’s IP address! Instead, it was set to 192.168.5.0 (it should have been set to 192.168.5.100 … at least they got the correct subnet). In all, a very disappointing result for the Linksys.
The Battle of the Services!
Because UPnP adds another way to modify port mappings, I decided to check out how well changes in Service settings (manual port mappings) were coodinated between UPnP and a router’s normal admin interface. Since I’d found the D-Link DI-804 to have the best UPnP implementation so far, I chose it as my guinea pig.
Tip: I first upgraded the 804 with 4.68 firmware, which turned it into the DI-804U, according to the new admin screen! I also found out that you’ll need to check that your version of Windows Messenger is 4.6.X. I discovered this when my new Dell 4100 laptop didn’t appear to be activating NAT Transversal for Messenger. It turned out that the Dell had come with the older 4.0 version of Messenger, which apparently doesn’t have the NAT Transversal feature baked in.
I found that a service added via the DI-804’s UPnP interface did not show up on the 804’s internal browser-based admin interface Virtual Server Settings page. The 804 did, however, properly establish the requested service and open the required ports, which I confirmed by port scanning the router. It also properly closed the ports when I removed the service via the UPnP Services interface. Another pleasant surprise was that the 804 didn’t have to be rebooted to add or delete the service, as it does when you change a Virtual Server setting via its normal Admin interface.
Similarly, a virtual server programmed on the 804’s admin interface did not show up in the UPnP Advanced Settings > Services. The required ports were again properly opened, however.
I next tried to add the same service via both methods. I found that I was able to add the same exact port mapping on both interfaces (same ports, same LAN IP) and did not get any warnings or complaints from UPnP or the 804. I was also able to remove or disable the port mapping from each interface, but the ports were not closed on the router until the mapping (service) was removed via both interfaces.
The bottom line is that, at least for the DI-804, UPnP and the 804’s browser admin interface don’t communicate with each other about port forwarding (services).
Tip: My advice here is pick an interface, either the UPNP Advanced Settings > Services interface, or your router’s admin screens if you’re going to open ports in your router’s firewall. Although it’s nice that you can open ports using both methods, the ports won’t be closed until you close or delete the mapping from the interface you used to open them with! If you forget that you opened a port with one interface, and then open it with the other, you’ll need to remember to go back and remove the mappings with both interfaces to close the ports.
But Wait… There’s More!
A helpful reader let me know that I missed a second UPnP-related feature because I hadn’t really enabled Windows XP’s UPnP features. The next screen shots show how to turn on this very exciting feature.
1) Open the Network Connections screen, and select the Advanced > Optional Networking Components… menu item. The window shown in Figure 10 will open.
Figure 10 – Optional Networking Components
2) Select Networking Services and click the Details button. The window shown in Figure 11 will open.
Figure 11 – Networking Services
3) Check Universal Plug and Play, click OK to close this window, then Next in the Optional Networking Components Wizard. The files will then install and the Wizard will go away.
Shortly after the Wizard completes, you will see a new icon in the System Notification area (the right hand side of the Taskbar at the bottom of your screen). For some reason, this icon appears only the first time you connect to a particular UPnP-enabled IGD. Its properties doesn’t have a “Show icon in notification area when connected” checkbox, either. But if you open My Network Places, you’ll see a new icon, as shown in Figure 12.
Figure 12 – My Network Places with UPnp IGD
Double-click on this icon (or right-click and select Invoke (?!)), and lo and behold, a browser window will open to the IGD’s main admin interface. Yes, it’s nice that the user won’t have to know the IP address of the admin interface to get to it, but why Microsoft, in its infinite wisdom, didn’t just put another button on the Internet Connection Properties window is a mystery to me. Right-clicking on the icon and selecting Properties will bring up a Window similar to that in Figure 13.
Figure 13 – UPnP Router properties
So, contrary to my conclusion from the first version of this article, it looks like UPnP does give the user a simple way to access the IGD’s real admin features… if you know where to look, and if you figure out how to enable UPnP.
A peek at the D-Link DI-604
As I was updating this article, D-Link issued a firmware update for their new, ultra-cheap DI-604. In addition to some needed bug fixes, version 2.0f firmware adds UPnP features, making the DI-604 the most inexpensive UPnP-enabled router available. But it looks like D-Link still has some work to do.
The My Network Places icon properties screen contains information about who really makes the DI-604, as shown in Figure 14.
Figure 14 – UPnP Router properties – D-Link DI-604
Figure 15 shows that the DI-604 has added some pre-made services to its automatically generated NAT-transversal selections.
Figure 15 – UPnP services – D-Link DI-604
But when I tried to use the pre-made services, I kept getting a pop-up that said that the router wouldn’t accept the changes. You should also note that unlike the NAT-Transversal services, the pre-sets don’t have the IP address filled in. So if you just checked the box for the service you want (which you’d expect that you could do since this interface is supposed to be the port-opening-for-Dummies one), you probably wouldn’t get the service… if this feature worked.
Summary, Conclusions, Recommendations
Basically, I’m not very impressed with UPnP’s tricks at this point in its development. Let me sum up what I’ve learned:
Summary of UPnP enabled Internet Gateway Device (IGD) capabilities |
|
What it does | What it doesn’t do |
1) Allows a UPnP enabled client to find and connect to an IGD if the client is set to “Obtain an IP address automatically.”
2) Automatically opens needed ports in the IGD firewall for applications that support UPnP NAT Transversal 3) Allows a user to define Services (open ports in the IGD firewall) without directly accessing an IGD’s admin interface. 4) Provides access to the IGD’s main admin interface via a My Network Places icon that has an obvious name. |
1) Let the user automatically know that ports have been opened in the IGD’s firewall and that security could be compromised.
2) Ask the user for permission before enabling NAT Transversal services. 3) Coordinate service addition, removal, and display between the UPnP and normal IGD admin interfaces 4) For non NAT-Transversal services, automatically determine the IP address for the service based on the computer that is establishing the service, or prompt the user to enter it. 5) Allow you to disable NAT Transversal separately from other UPnP services. 6) Automatically configure the IGD’s WAN connection properties, i.e. get connected to the Internet. 7) Guide the user in configuring the IGD’s WAN connection properties 8) Provide information about the IGD’s WAN IP information (IP address, DNS, Gateway) |
Since I didn’t check to see what happens when multiple UPnP-enabled clients request the same Service (port mapping), I can’t offer any insight into what happens. But from reading Microsoft’s UPnP papers, I will say that it looks like it is an issue that applications need to deal with, since Microsoft says that port conflict resolution isn’t the IGD’s problem.
Note that many of the items in the “doesn’t do” list above are not deficiencies in UPnP’s fundamental design, i.e. things it could never do, but are things that are caused by limitations in the present implementations of UPnP, UPnP-enabled IGDs, UPnP-enabled applications, or combinations of the three. But no matter what the reason, the [in my opinion] deficiencies are still there.
READ THIS! READ THIS! READ THIS! READ THIS! READ THIS! READ THIS!
I highlighted “Doesn’t do” Points 1, 2 and 3 because I think Microsoft has set a very bad precedent that I think they need to fix ASAP. I realize that Microsoft is trying to make things easier for the consumer and to help their customers get around some of the frustrations of dealing with the problems that NAT-based routers can cause with many applications (not to mention the time and money spent in the Tech Support calls related to those problems). But even your common Web-browser warns you when you are changing from a secure to a non-secure web page and can be set to block (or at least warn about) cookies, Java applets and other things that can cause security problems. Shouldn’t a user be warned and allowed to confirm an event that could potentially be even more damaging than a cookie?! Especially when many users take the time to ensure that their routers are configured so that they are as invisible as possible to port scans?
It is simply unacceptable (and especially in light of Microsoft’s alleged new company-wide focus on “trusted computing”) that NAT Transversal doesn’t provide warning and allow confirmation of opening holes in an IGD’s firewall or allow the user to disable that capability independent of disabling UPnP entirely. Given the capabilities of the UPnP API, Microsoft could even go further and have UPnP provide indications of opened ports whether or not they were set by NAT Transversal.
So c’mon Redmond, let’s get this fixed!
Recommendations?
I have two.
- Don’t make a router or other networking equipment purchase decision based on whether or not UPnP is supported. The technology needs time to mature, doesn’t provide a lot of added value due to the relatively few applications that support NAT Transversal, doesn’t provide enough user feedback and control of holes it opens in a IGD’s firewall, and implementations are buggy. It also seems that manufacturers are not knocking each over in a race to make their routers UPnP-enabled, so it looks like UPnP feature improvements will be slow in coming.
- If you must have a UPnP enabled router that properly handles NAT Transversal, your only choice is still the D-Link DI-804.