UPnP Multicast and NAT

Pyneappel
May 28, 2016
I live in a high rise apartment with a network jack in each unit and a DLink DAP-2553 as the default access point in each unit which provides a unique WiFi SSID for that unit. When I connect my computer I can see other computers and devices in the building. I guess the DAP 2553 is set up as more of a bridge.

To isolate myself from the rest of the building I replaced the DLink with a TPLink C7 Router NAT/Firewall device.

However, my mobile phone can still see Google Chromecast devices in the building. See https://productforums.google.com/forum/#!topic/chromecast/Bmst3tOTn1s for a description of a similar issue.

I do have a Chromecast device myself, but don't use it much.

Is there a way I can configure the TPLink router so that it does not forward UPnP Multilink traffic, that it keeps my Chromecast on my LAN side of the NAT, and other people's on the WAN side of the NAT? I don't necessarily want to disable UPnP Multicast completely and not be able to use my Chromecast.

I know you may tell me to RTFM, but every vendor seems to have very different wording and ways of dealing with this UPnP. I'm not necessarily looking for an exact answer for the TPLink, but guidance for where to look in the admin screens, or if there are ports or something I can block in a more standard way to stop the traffic. I don't really understand how UPnP works and how it is able to tunnel through the NAT.

Thanks.
 
Solution
Normally my recommendation would be to try third-party firmware like dd-wrt since most tp-link support it. From a quick look though there appear to be issues on a c7. There is talk of no 5g radio support. These are old posts so it may have been fixed...or it may still not be possible.

So I have used multicast for many years and am unsure how it is related to UPnP. In general you cannot get outside a subnet without running PIM between devices. No ISP allows multicast on the internet....it has existed since the very beginning but nobody did much to support it outside a corporate network. Almost all multicast within a LAN only uses IGMP and that cannot cross a router boundary.

This almost has to be some hack to allow connection between routers not connected to the internet. Then again, commercial routers do not support UPnP; only the boxes you buy in the consumer stores called routers support this.

You should be able to completely disable UPnP multicast support. In general you should be able to turn off all UPnP. This is mostly used by console games that do not use a central server to host multiplayer games. If you do not do this it is best to have UPnP turned off because there has been a history of exploits against this protocol. If you were to need any kind of server exposed to the internet it is generally safer to manually set the port forwarding.

....of course I will assume you are using a different SSID and password for your network
 

I don't think that is what I want. I still need my phone, tablet, computers, and chromecast within my apartment to talk to each other over the WiFi.

 


Thanks. Again, I apologize that I am not familiar with all the terms. IGMP is another term I see thrown around related to getting the Chromecast to work. Not sure if you have ever used one, but there is a whole list of settings that need to be tweaked depending on the router to get one to work:

https://productforums.google.com/forum/#!topic/chromecast/ZGm4p8VcpAU
https://support.google.com/chromecast/table/6207416?hl=en
https://techtourguide.wordpress.com/2015/01/15/optimizing-wireless-network-for-chromecast/

Is IGMP Snooping the same as IGMP Proxy?

My C7 v2 firmware version has a web page under "Forwarding" for UPnP:

UPnP Help

The Universal Plug and Play (UPnP) feature allows the devices, such as Internet computers, to access the local host resources or devices as needed. UPnP devices can be automatically discovered by the UPnP service application on the LAN.

Current UPnP Status - UPnP can be enabled or disabled by clicking the Enable or Disable button. This feature is enabled by default.

Current UPnP Settings List:

This table displays the current UPnP information.

App Description - The description about the application which initiates the UPnP request.
External Port - The port which the Router opened for the application.
Protocol - The type of protocol which is opened.
Internal Port - The port which the Router opened for local host.
IP Address - The IP address of the local host which initiates the UPnP request.
Status - Either Enabled or Disabled, "Enabled" means that the port is still active; otherwise, the port is inactive.

Click the Enable button to enable UPnP.

Click the Disable button to disable UPnP.

Click the Refresh button to update the Current UPnP Settings List

and under Network for IPTV:

IPTV Help

IGMP Proxy- If you want to watch TV through IGMP, please Enable it.

MODE

Automatic - There would be no change to the LAN ports, work with IGMP Proxy technology, allowing watch IPTV via wired and wireless connection.
Bridge - Assign an individual LAN port for IPTV set-top-box, which can get IP address from ISP directly, without any quality loss even when PCs connect with router are downloading torrents at maximum speed, since this LAN port is isolated from other NAT LAN ports.
802.1Q Tag VLAN - ISP would provide the networking service based on 802.1Q Tag VLAN technology. You can assign different VLAN Tag ID for different LAN ports, to connect PC, IPTV set-top-box or IP-phone. Please contact with you ISP to get the VLAN ID information.

UPnP is Enabled with nothing in the table.
IGMP is Enabled and the Mode is Automatic.

I guess I could try disabling IGMP Proxy? Perhaps that would still let my Chromecast work but not allow chromecasts from the WAN to appear on my phone.
 
I would keep disabling stuff until it breaks your local Chromecast and then you know you need to re-enable it. I suspect it will be more that you can see other people's crap and they cannot see yours.

It appears the router is allowing stuff through the WAN port that you normally don't see in a more standard installation. If you had an actual ISP none of the multicast could cross between people. Because what you have is actually a LAN and multicast is designed to cross that, you can see other people's stuff.

It is really bad when you have an apartment building acting as an ISP; they generally have no clue. You are smart to run a router to defend yourself from your even more stupid neighbors who will likely get a virus.
 
Well, I disabled IGMP and UPnP and nothing seems to have changed. I can still access my Chromecast, and still see this other person's. I can see info about their device such as its MAC address, but since the traffic is coming in through a wired WAN port, I don't think I have a way to filter by that on this router. Oh well, first world problems.
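
An added example, not part of any post in this thread: the multicast discovery half of UPnP is SSDP (UDP port 1900, group 239.255.255.250), and each SSDP announcement or reply names the device's address in its LOCATION header, so a captured message can be sorted into "inside my NAT" or "from the building network". The LAN range 192.168.0.0/24, the addresses and both sample payloads are constructed assumptions; mDNS, the other discovery protocol a Chromecast uses, is not parsed here.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_ssdp(payload: bytes) -> dict:
    """Parse an SSDP message (HTTP-style start line plus headers) into a dict."""
    lines = payload.decode("utf-8", "replace").split("\r\n")
    msg = {"start": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            msg[name.strip().upper()] = value.strip()
    return msg

def classify(src_ip: str, payload: bytes, lan_cidr: str) -> dict:
    """Report whether an SSDP message belongs to a device outside the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    msg = parse_ssdp(payload)
    src_local = ipaddress.ip_address(src_ip) in lan
    loc_host = urlsplit(msg.get("LOCATION", "")).hostname
    loc_local = True  # no LOCATION (e.g. an M-SEARCH query): judge on source alone
    if loc_host:
        try:
            loc_local = ipaddress.ip_address(loc_host) in lan
        except ValueError:  # LOCATION carries a hostname, not an IP literal
            loc_local = False
    return {
        "kind": msg["start"],
        "service": msg.get("ST") or msg.get("NT", ""),
        "location_host": loc_host,
        "foreign": not (src_local and loc_local),
    }

# Constructed sample payloads (not captured from any real network).
DIAL = "urn:dial-multiscreen-org:service:dial:1"
def _reply(ip: str) -> bytes:
    return (f"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
            f"LOCATION: http://{ip}:8008/ssdp/device-desc.xml\r\n"
            f"ST: {DIAL}\r\n\r\n").encode()

SAMPLE_LOCAL = _reply("192.168.0.23")    # device behind the router
SAMPLE_FOREIGN = _reply("10.20.7.41")    # device on the building network
SAMPLE_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                 b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ' + DIAL.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    for src, pkt in [("192.168.0.23", SAMPLE_LOCAL), ("10.20.7.41", SAMPLE_FOREIGN),
                     ("192.168.0.50", SAMPLE_SEARCH)]:
        print(src, classify(src, pkt, "192.168.0.0/24"))
```

Any message flagged `foreign` on the LAN side is discovery traffic that crossed the router, which tells you which interface and protocol to look at when turning settings off one by one.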
 