UPnP Configuration
TL;DR (Quick Start)
For the impatient: enable UPnP for automatic port forwarding on your LAN.
/ip upnp set enabled=yes allow-disable-external-interface=no
/ip upnp interfaces add interface=ether1 type=external
/ip upnp interfaces add interface=bridge type=internal
Verify with:
/ip upnp interfaces print
Overview
What this does: UPnP (Universal Plug and Play) allows applications on your network to automatically request port forwarding without manual configuration. When a device requests a port mapping, RouterOS creates dynamic NAT rules to forward traffic.
When to use this:
- Gaming consoles (Xbox, PlayStation) requiring open NAT
- Voice and video applications (Skype, Discord)
- Peer-to-peer applications (BitTorrent, file sharing)
- Smart home devices needing external access
- Any application requiring inbound connections from the internet
Prerequisites:
- WAN interface with public IP address (or forwarded by upstream router)
- LAN interface where UPnP clients connect
- Applications that support UPnP/IGD protocol
Configuration Steps
Step 1: Enable UPnP
Enable UPnP and set allow-disable-external-interface=no so that LAN clients cannot disable the external (WAN) interface.
/ip upnp set enabled=yes allow-disable-external-interface=no
Step 2: Add External Interface
Configure your WAN interface as the external UPnP interface.
/ip upnp interfaces add interface=ether1 type=external
Step 3: Add Internal Interface
Configure your LAN interface as the internal UPnP interface.
/ip upnp interfaces add interface=bridge type=internal
Step 4: Verify Configuration
Check that both interfaces are configured correctly.
/ip upnp interfaces print
Expected output:
Flags: X - disabled
 #   INTERFACE   TYPE       FORCED-EXTERNAL-IP
 0   ether1      external
 1   bridge      internal
Step 5: Test UPnP
From a client device, use an application that requests UPnP port mapping. Check created rules:
/ip firewall nat print where comment~"upnp"
Common Scenarios
Scenario: Gaming Console Open NAT
For Xbox or PlayStation requiring "Open NAT" status:
/ip upnp set enabled=yes allow-disable-external-interface=no
/ip upnp interfaces add interface=ether1 type=external
/ip upnp interfaces add interface=bridge type=internal
The console will automatically request needed ports for online gaming and voice chat.
Scenario: VLAN as Internal Interface
When LAN clients are on a VLAN, specify the VLAN interface:
/ip upnp interfaces add interface=vlan100 type=internal
Do not use the parent interface; use the VLAN interface directly.
Scenario: Multiple Internal Networks
Add multiple internal interfaces for different network segments:
/ip upnp interfaces add interface=bridge-lan type=internal
/ip upnp interfaces add interface=bridge-guest type=internal
Scenario: Force External IP
When your WAN interface has multiple IP addresses, specify which one UPnP should use:
/ip upnp interfaces set [find type=external] forced-external-ip=203.0.113.10
Scenario: View Active Port Mappings
Check which ports have been dynamically mapped:
/ip firewall nat print where comment~"upnp"
Example output:
5 D chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=3074 protocol=udp dst-port=3074 comment="upnp Xbox"
Scenario: Disable UPnP for Security
If you prefer manual port forwarding only:
/ip upnp set enabled=no
Verification
Check 1: Verify UPnP is Enabled
/ip upnp print
Expected: Shows enabled: yes.
Check 2: Verify Interfaces are Configured
/ip upnp interfaces print
Expected: Both external and internal interfaces listed.
Check 3: Check for Dynamic NAT Rules
/ip firewall nat print where dynamic
Expected: UPnP-created rules appear when clients request mappings.
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| UPnP requests fail | UPnP not enabled | Enable: /ip upnp set enabled=yes |
| No port mappings created | Wrong interface type | Verify external=WAN, internal=LAN interfaces |
| VLAN clients can't use UPnP | Parent interface used | Specify VLAN interface, not parent |
| Port 80/443/22 mapping fails | Ports in use by router | Error 729; these ports conflict with router services |
| "ConflictWithOtherMechanisms" error | Static NAT rule exists | Remove conflicting static rules or accept that manual rules take precedence |
| UPnP rules don't work | Rules placed after static rules | UPnP rules are dynamic; static rules above them take precedence |
| Gaming still shows "Moderate NAT" | Multiple NAT (double NAT) | Ensure only one router does NAT; check ISP modem |
| Mappings disappear | Lease expired or reboot | Normal behavior; applications re-request mappings |
Security Considerations
- Always set allow-disable-external-interface=no - Otherwise any LAN user can disable your WAN interface
- UPnP has no authentication - Any device on your LAN can request port mappings
- Consider the security trade-off - UPnP convenience vs. potential for malware to open ports
- Monitor active mappings - Regularly check /ip firewall nat print where dynamic
- Isolate IoT devices - Use separate VLAN without UPnP for untrusted devices
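The "monitor active mappings" check can be automated. The following is an added example, not part of the original page: it parses saved output of /ip firewall nat print where comment~"upnp" and flags mappings that break a local policy. The allowed-host list, the sensitive-port set and the second and third sample lines are assumptions, and it expects one rule per line as in the example output above.

```python
import ipaddress
import shlex

# Policy values below are assumptions for this example, not RouterOS defaults.
ALLOWED_TARGETS = {ipaddress.ip_address("192.168.1.50")}  # hosts expected to use UPnP
SENSITIVE_PORTS = {22, 23, 445, 3389, 5900}               # remote admin / file sharing

def parse_rule(line):
    """Return the key=value fields of one NAT rule line; shlex keeps quoted comments whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def port_set(spec):
    """Expand a port spec such as '3074' or '6881-6889,80' into a set of ints."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(output):
    """Return (rule fields, reasons) for every UPnP mapping that violates the policy."""
    findings = []
    for line in output.splitlines():
        rule = parse_rule(line)
        if rule.get("action") != "dst-nat" or "upnp" not in rule.get("comment", ""):
            continue  # header lines, blank lines and non-UPnP rules
        reasons = []
        target = ipaddress.ip_address(rule["to-addresses"])
        if target not in ALLOWED_TARGETS:
            reasons.append(f"unexpected internal host {target}")
        exposed = port_set(rule.get("to-ports", rule.get("dst-port", ""))) & SENSITIVE_PORTS
        if exposed:
            reasons.append(f"forwards to sensitive port(s) {sorted(exposed)}")
        if reasons:
            findings.append((rule, reasons))
    return findings

# Constructed sample: the first line is the page's example, the other two are made up.
SAMPLE = '''\
5 D chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=3074 protocol=udp dst-port=3074 comment="upnp Xbox"
6 D chain=dstnat action=dst-nat to-addresses=192.168.1.77 to-ports=3389 protocol=tcp dst-port=50000 comment="upnp svc"
7 D chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=22 protocol=tcp dst-port=2222 comment="upnp ssh"
'''

if __name__ == "__main__":
    for rule, reasons in audit(SAMPLE):
        print(rule["dst-port"], rule["protocol"], "->", rule["to-addresses"], "; ".join(reasons))
```

Because UPnP has no authentication, a finding here only tells you which LAN host asked for the mapping; the follow-up is to inspect that host or move it to a VLAN without UPnP.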
Related Topics
Port Forwarding
- NAT Masquerade - manual port forwarding and NAT rules
- Firewall Basics - securing your network
Network Services
- DHCP Server - network discovery for UPnP devices
- IP Neighbors - discover UPnP-capable devices
Security
- Firewall Address Lists - restrict UPnP clients
- IP Services - management access control
Reference
Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | no | Enable UPnP service |
| allow-disable-external-interface | yes/no | yes | Allow clients to disable WAN (security risk!) |
| show-dummy-rule | yes/no | yes | Show placeholder rule in NAT table |
Interface Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| interface | string | - | Interface name |
| type | external/internal | - | Interface role (WAN or LAN) |
| forced-external-ip | IP address | - | Force specific IP for mappings |
Command Reference
| Command | Description |
|---|---|
| /ip upnp set | Configure UPnP settings |
| /ip upnp print | Show UPnP configuration |
| /ip upnp interfaces add | Add UPnP interface |
| /ip upnp interfaces print | Show configured interfaces |
| /ip upnp interfaces remove | Remove UPnP interface |
| /ip firewall nat print where dynamic | View UPnP-created NAT rules |