# This is the UPNP configuration file # WAN network interface ext_ifname={{ wan_interface }} {% if wan_ip is vyos_defined %} # If the WAN interface has several IP addresses, you # can specify the one to use below {% for addr in wan_ip %} ext_ip={{ addr }} {% endfor %} {% endif %} # LAN network interfaces IPs / networks {% if listen is vyos_defined %} # There can be multiple listening IPs for SSDP traffic, in that case # use multiple 'listening_ip=...' lines, one for each network interface. # It can be IP address or network interface name (ie. "eth0") # It is mandatory to use the network interface name in order to enable IPv6 # HTTP is available on all interfaces. # When MULTIPLE_EXTERNAL_IP is enabled, the external IP # address associated with the subnet follows. For example: # listening_ip=192.168.0.1/24 88.22.44.13 {% for addr in listen %} {% if addr | is_ipv4 %} listening_ip={{ addr }} {% elif addr | is_ipv6 %} ipv6_listening_ip={{ addr }} {% else %} listening_ip={{ addr }} {% endif %} {% endfor %} {% endif %} # CAUTION: mixing up WAN and LAN interfaces may introduce security risks! # Be sure to assign the correct interfaces to LAN and WAN and consider # implementing UPnP permission rules at the bottom of this configuration file # Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect. #http_port=0 # Port for HTTPS. Set to 0 for autoselect (default) #https_port=0 # Path to the UNIX socket used to communicate with MiniSSDPd # If running, MiniSSDPd will manage M-SEARCH answering. # default is /var/run/minissdpd.sock #minissdpdsocket=/var/run/minissdpd.sock {% if nat_pmp is vyos_defined %} # Enable NAT-PMP support (default is no) enable_natpmp=yes {% endif %} # Enable UPNP support (default is yes) enable_upnp=yes {% if pcp_lifetime is vyos_defined %} # PCP # Configure the minimum and maximum lifetime of a port mapping in seconds # 120s and 86400s (24h) are suggested values from PCP-base {% if pcp_lifetime.max is vyos_defined %} max_lifetime={{ pcp_lifetime.max }} {% endif %} {% if pcp_lifetime.min is vyos_defined %} min_lifetime={{ pcp_lifetime.min }} {% endif %} {% endif %} # To enable the next few runtime options, see compile time # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h) {% if friendly_name is vyos_defined %} # Name of this service, default is "`uname -s` router" friendly_name= {{ friendly_name }} {% endif %} # Manufacturer name, default is "`uname -s`" manufacturer_name=VyOS # Manufacturer URL, default is URL of OS vendor manufacturer_url=https://vyos.io/ # Model name, default is "`uname -s` router" model_name=VyOS Router Model # Model description, default is "`uname -s` router" model_description=Vyos open source enterprise router/firewall operating system # Model URL, default is URL of OS vendor model_url=https://vyos.io/ {% if secure_mode is vyos_defined %} # Secure Mode, UPnP clients can only add mappings to their own IP secure_mode=yes {% else %} # Secure Mode, UPnP clients can only add mappings to their own IP secure_mode=no {% endif %} {% if presentation_url is vyos_defined %} # Default presentation URL is HTTP address on port 80 # If set to an empty string, no presentationURL element will appear # in the XML description of the device, which prevents MS Windows # from displaying an icon in the "Network Connections" panel. #presentation_url= {{ presentation_url }} {% endif %} # Report system uptime instead of daemon uptime system_uptime=yes # Unused rules cleaning. # never remove any rule before this threshold for the number # of redirections is exceeded. default to 20 clean_ruleset_threshold=10 # Clean process work interval in seconds. default to 0 (disabled). # a 600 seconds (10 minutes) interval makes sense clean_ruleset_interval=600 # Anchor name in pf (default is miniupnpd) anchor=VyOS uuid={{ uuid }} # Lease file location lease_file=/config/upnp.leases # Daemon's serial and model number when reporting to clients # (in XML description) #serial=12345678 #model_number=1 {% if rule is vyos_defined %} # UPnP permission rules # (allow|deny) (external port range) IP/mask (internal port range) # A port range is - or if there is only # one port in the range. # IP/mask format must be nnn.nnn.nnn.nnn/nn # It is advised to only allow redirection of port >= 1024 # and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535" # The following default ruleset allows specific LAN side IP addresses # to request only ephemeral ports. It is recommended that users # modify the IP ranges to match their own internal networks, and # also consider implementing network-specific restrictions # CAUTION: failure to enforce any rules may permit insecure requests to be made! {% for rule, config in rule.items() %} {% if config.disable is not vyos_defined %} {{ config.action }} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} {% endif %} {% endfor %} {% endif %} {% if stun is vyos_defined %} # WAN interface must have public IP address. Otherwise it is behind NAT # and port forwarding is impossible. In some cases WAN interface can be # behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and # routed to WAN interfaces without any filtering. In this cases miniupnpd # needs to know public IP address and it can be learnt by asking external # server via STUN protocol. Following option enable retrieving external # public IP address from STUN server and detection of NAT type. You need # to specify also external STUN server in stun_host option below. # This option is disabled by default. ext_perform_stun=yes # Specify STUN server, either hostname or IP address # Some public STUN servers: # stun.stunprotocol.org # stun.sipgate.net # stun.xten.com # stun.l.google.com (on non standard port 19302) ext_stun_host={{ stun.host }} # Specify STUN UDP port, by default it is standard port 3478. ext_stun_port={{ stun.port }} {% endif %}