What is UPnP Port Forwarding?
Universal Plug and Play (UPnP) lets devices on a network have the ports they use forwarded automatically, with a single setting change and no additional configuration. UPnP Port Forwarding is widely used by network devices, allowing them to communicate with each other more efficiently and to automatically create workgroups for data sharing, among other applications.
Is UPnP Port Forwarding safe?
UPnP is not a secure protocol. It uses UDP multicast on the network, with no encryption and no authentication. Because UPnP requests are not authenticated, one device can request a port mapping on behalf of another. Hackers can abuse UPnP to deliver malicious files that infect your system and give them control of it. Despite its convenience, UPnP may expose your device to public networks and malicious attacks.
Our recommended connection methods
It is recommended that your QNAP NAS stay behind your router and firewall without a public IP address. You should disable manual port forwarding and UPnP auto port forwarding for QNAP NAS in your router configuration. The myQNAPcloud Link service provided by QNAP is a good way for most users to access their QNAP NAS. The transmission speed may be slightly slower because the traffic is relayed through QNAP’s servers.
Another recommendation is to enable the VPN server function on your router. When you need to access your QNAP NAS from the Internet, first connect to the VPN server on your router, and then connect to your QNAP NAS. Other alternative connection methods include enabling the VPN server on QNAP NAS by installing the QVPN Service app or deploying QuWAN, QNAP’s SD-WAN solution.
Actions to take if your NAS must open ports to the Internet
If your QNAP NAS must be directly connected to the Internet, we recommend taking the following actions to strengthen your device and decrease the chance of being exposed:
- Put your QNAP NAS behind your router and firewall. Do not let your QNAP NAS obtain a public IP address. Turn off UPnP on QNAP NAS, and manually set up port forwarding in your router configuration only for the network ports required by the QNAP NAS services you use.
- Disable any service that you are not using, such as Telnet, SSH, web server, SQL server, phpMyAdmin and PostgreSQL.
- Change default external (Internet side) port numbers, such as 21, 22, 80, 443, 8080 and 8081, to custom (random) ones. For example, change 8080 to 9527.
- Only use encrypted HTTPS or other types of secure connections (SSH, etc.).
- Install QuFirewall on your QNAP NAS and limit allowed IP addresses to a specific region or subnet.
- Set up a new administrator account, and disable the default admin account.
- Enforce a strong password policy for all NAS users, including the new administrator account you’ve just created.
- Configure MFA (2-Step Verification) on QNAP NAS.
- Enable automatic OS and app updates. You can schedule updates to avoid interrupting backup/sync or other tasks.
- Enable IP access protection to block IP addresses with too many failed login attempts.
Recommended solution
NAS remote access and network security solution: https://qnap.to/44h7hz