The 2nd link will test for UPNP exposure, which shouldn't show any issues since the FWG is kept up-to-date and isn't vulnerable to attacks (at least none published). With SQM enabled you should get an A or A+ on this test. Use the test linked below to see if you have any buffer bloat. Once the features from early access go downstream to stable you'll be able to give priority to things on a per-device/port/IP basis, etc., and that might help further. Have you configured it? If you have 1Gbps Up/Down then you shouldn't have to define any values, but I would just turn it on.
Which version of code are you running on your box? I believe SQM is in the stable branch now. When my kids game on their Xboxes I usually only see a single port forwarded. UPNP is forwarding the necessary ports, I promise you. They list 53, which is DNS, and 80, which is HTTP. Those are ports that it needs to be able to talk on outbound. Yes, but the ports they listed don't need to be forwarded. Usually the fix is to have them put their device in bridge mode and disable NAT completely, but in some cases they won't and the only way around it is to use a VPN to tunnel around it. Even in cases where ISPs give you a real-world IP they can still be doing one-to-one NAT, "pinhole" NAT, or "publicly routed subnet" (looking at you AT&T) on their device, and this causes all sorts of issues with port forwarding. I have 60+ devices on my network with several VLANs but I don't bother putting my kids' 4 Xbox Ones on a different VLAN from the one their PCs are on and I leave UPNP enabled for that VLAN with zero issues.

Edit - I wanted to ask, you don't happen to be doing double NAT, are you? Where your ISP provided modem/router is doing CGNAT.
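The double NAT / CGNAT question above is something you can check mechanically rather than by guessing. The script below is an added example, not code from the thread or from the Firewalla project: it takes the address the router shows on its WAN interface and the address an outside service reports for your traffic, and tells you whether an upstream device is translating. All sample addresses in it are constructed placeholders; the range 100.64.0.0/10 is the IANA shared address space used for carrier-grade NAT (RFC 6598), and the RFC 1918 ranges are the private space a second NAT device (the ISP modem/router) would hand out.

```python
import ipaddress

# 100.64.0.0/10 is the shared address space reserved for carrier-grade NAT
# (RFC 6598). The RFC 1918 ranges are private space that an upstream router
# doing its own NAT would hand to our router's WAN port.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_address(wan_ip: str) -> str:
    """Classify the address the router reports on its WAN side.

    Returns one of:
      "cgnat"   - in 100.64.0.0/10: the ISP is doing carrier-grade NAT
      "private" - an RFC 1918 address: another NAT device sits in front (double NAT)
      "public"  - a globally routable address: nothing translating at this hop
      "other"   - loopback, link-local, documentation space, etc.
    """
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT_RANGE:
        return "cgnat"
    if any(addr in net for net in RFC1918_RANGES):
        return "private"
    if addr.is_global:
        return "public"
    return "other"


def double_nat_check(router_wan_ip: str, observed_public_ip: str) -> dict:
    """Compare the router's WAN address with the address the internet sees.

    observed_public_ip is whatever an external "what is my IP" style service
    reports for traffic leaving your network. If it differs from the WAN
    address, some device upstream is translating even when the WAN address
    itself looks public (the one-to-one / "pinhole" NAT case from the thread).
    """
    kind = classify_wan_address(router_wan_ip)
    upstream_nat = ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(
        observed_public_ip
    )
    return {
        "wan_kind": kind,
        "upstream_nat": upstream_nat,
        # Either a non-public WAN address or a mismatch means a second NAT hop.
        "double_nat": kind in ("cgnat", "private") or upstream_nat,
        # UPnP on this router can only open ports the internet can reach when
        # the router itself holds the public address and nothing rewrites it.
        "upnp_forwarding_works": kind == "public" and not upstream_nat,
    }


if __name__ == "__main__":
    # Constructed sample readings; replace with your router's WAN address and
    # the address an external service reports for you.
    samples = [
        ("192.168.0.2", "1.2.3.4"),   # ISP modem handing out private space
        ("100.72.8.9", "1.2.3.4"),    # ISP doing CGNAT
        ("1.2.3.4", "1.2.3.4"),       # router holds the public address directly
        ("1.2.3.4", "5.6.7.8"),       # public WAN address, but still rewritten upstream
    ]
    for wan, seen in samples:
        print(wan, seen, double_nat_check(wan, seen))
```

A "private" or "cgnat" result is the case where UPnP on the FWG opens a port that the outside world never reaches, which matches the "bridge mode or VPN" advice in the thread; a "public" WAN address that still differs from the externally observed one is the one-to-one NAT situation the poster mentions for some ISP devices.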
Also, the Xbox One should be continuing to get updates to patch any vulnerabilities, and the FWG is being updated so the UPNP daemon running on it doesn't have any current vulnerabilities published. In fact, I'd argue that it will make you more insecure given that the ports will then *ALWAYS* be forwarded as opposed to being forwarded on an as-needed basis. But disabling UPNP is not going to fix the issues you describe or make you more secure in this case. This is why you should put IoT devices on their own network and block traffic from that network to your other networks, because manufacturers don't keep their devices patched and leave them vulnerable, so they can be used as an attack vector to move laterally across networks. UPNP *can* be a security risk, but only if you have outdated devices on your network opening ports and it has unpatched security vulnerabilities, or you have a router with vulnerable versions of UPNP. I would use SQM to prioritize traffic for the Xbox by either giving it more bandwidth or, if you're on early access, setting it to high priority. Voice chat is likely going over UDP and you're probably having some type of congestion. I suspect devices like this are where the majority of your attack vectors will be, and where a flat network will allow lateral movement from bad actors. I agree that it is good practice to put other devices like light bulbs, printers, cameras, etc., as well as outdated devices (we have old Kindles that aren't patched any longer), on an IoT VLAN.
I don't want to move my kids' PCs or Xboxes into another VLAN because I don't want to route traffic north through the FWG to move east/west to backup their computers to my NAS or stream from my Plex server. I have 3 kids who game using Steam, Ubisoft, Blizzard, etc.
The reason many people need UPNP enabled on Windows 10 machines is so they can game or bittorrent. I consider an Xbox One, until it's End of Life, to be no different than a Windows endpoint, and moving it to a separate VLAN to be unnecessary for most users. I understand what you're saying, but I disagree that an Xbox One that is still receiving updates is risk enough to move to a different VLAN since it's basically Windows 10 modified.