UPnP Configuration
TL;DR (Quick Start)
For the impatient: enable UPnP for automatic port forwarding on your LAN.
/ip upnp set enabled=yes allow-disable-external-interface=no
/ip upnp interfaces add interface=ether1 type=external
/ip upnp interfaces add interface=bridge type=internal
Verify with:
/ip upnp interfaces print
Overview
What this does: UPnP (Universal Plug and Play) allows applications on your network to automatically request port forwarding without manual configuration. When a device requests a port mapping, RouterOS creates dynamic NAT rules to forward traffic.
When to use this:
- Gaming consoles (Xbox, PlayStation) requiring open NAT
- Voice and video applications (Skype, Discord)
- Peer-to-peer applications (BitTorrent, file sharing)
- Smart home devices needing external access
- Any application requiring inbound connections from the internet
Prerequisites:
- WAN interface with public IP address (or forwarded by upstream router)
- LAN interface where UPnP clients connect
- Applications that support UPnP/IGD protocol
Configuration Steps
Step 1: Enable UPnP
Enable UPnP and set allow-disable-external-interface=no so that LAN clients cannot disable the external (WAN) interface.
/ip upnp set enabled=yes allow-disable-external-interface=no
Step 2: Add External Interface
Configure your WAN interface as the external UPnP interface.
/ip upnp interfaces add interface=ether1 type=external
Step 3: Add Internal Interface
Configure your LAN interface as the internal UPnP interface.
/ip upnp interfaces add interface=bridge type=internal
Step 4: Verify Configuration
Check that both interfaces are configured correctly.
/ip upnp interfaces print
Expected output:
Flags: X - disabled
 #   INTERFACE   TYPE       FORCED-EXTERNAL-IP
 0   ether1      external
 1   bridge      internal
Step 5: Test UPnP
From a client device, use an application that requests UPnP port mapping. Check created rules:
/ip firewall nat print where comment~"upnp"
Common Scenarios
Scenario: Gaming Console Open NAT
For Xbox or PlayStation requiring “Open NAT” status:
/ip upnp set enabled=yes allow-disable-external-interface=no
/ip upnp interfaces add interface=ether1 type=external
/ip upnp interfaces add interface=bridge type=internal
The console will automatically request needed ports for online gaming and voice chat.
Scenario: VLAN as Internal Interface
When LAN clients are on a VLAN, specify the VLAN interface:
/ip upnp interfaces add interface=vlan100 type=internal
Do not use the parent interface; use the VLAN interface directly.
Scenario: Multiple Internal Networks
Add multiple internal interfaces for different network segments:
/ip upnp interfaces add interface=bridge-lan type=internal
/ip upnp interfaces add interface=bridge-guest type=internal
Scenario: Force External IP
When your WAN interface has multiple IP addresses, specify which one UPnP should use:
/ip upnp interfaces set [find type=external] forced-external-ip=203.0.113.10
Scenario: View Active Port Mappings
Check which ports have been dynamically mapped:
/ip firewall nat print where comment~"upnp"
Example output:
5 D chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=3074 protocol=udp dst-port=3074 comment="upnp Xbox"
Scenario: Disable UPnP for Security
If you prefer manual port forwarding only:
/ip upnp set enabled=no
Verification
Check 1: Verify UPnP is Enabled
/ip upnp print
Expected: Shows enabled: yes.
Check 2: Verify Interfaces are Configured
/ip upnp interfaces print
Expected: Both external and internal interfaces listed.
Check 3: Check for Dynamic NAT Rules
/ip firewall nat print where dynamic
Expected: UPnP-created rules appear when clients request mappings.
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| UPnP requests fail | UPnP not enabled | Enable: /ip upnp set enabled=yes |
| No port mappings created | Wrong interface type | Verify external=WAN, internal=LAN interfaces |
| VLAN clients can’t use UPnP | Parent interface used | Specify VLAN interface, not parent |
| Port 80/443/22 mapping fails | Ports in use by router | Error 729; these ports conflict with router services |
| “ConflictWithOtherMechanisms” error | Static NAT rule exists | Remove conflicting static rules or accept that manual rules take precedence |
| UPnP rules don’t work | Rules placed after static rules | UPnP rules are dynamic; static rules above them take precedence |
| Gaming still shows “Moderate NAT” | Multiple NAT (double NAT) | Ensure only one router does NAT; check ISP modem |
| Mappings disappear | Lease expired or reboot | Normal behavior; applications re-request mappings |
Security Considerations
- Always set allow-disable-external-interface=no - Otherwise any LAN user can disable your WAN interface
- UPnP has no authentication - Any device on your LAN can request port mappings
- Consider the security trade-off - UPnP convenience vs. potential for malware to open ports
- Monitor active mappings - Regularly check /ip firewall nat print where dynamic
- Isolate IoT devices - Use separate VLAN without UPnP for untrusted devices
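The regular check of active mappings can be scripted. The following is an added example, not part of the original page or of RouterOS: it parses output in the one-rule-per-line format shown under "View Active Port Mappings" and flags dynamic UPnP mappings that expose a sensitive port or point at a host outside the subnet allowed to use UPnP. The port list, the allowed subnet and sample rules 6-8 are assumptions constructed for the demonstration.

```python
import ipaddress
import re
import shlex

# Constructed sample in the format of `/ip firewall nat print where dynamic`;
# rule 5 is the page's example, rules 6-8 are made up for this demonstration.
SAMPLE = '''\
5 D chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=3074 protocol=udp dst-port=3074 comment="upnp Xbox"
6 D chain=dstnat action=dst-nat to-addresses=192.168.1.77 to-ports=22 protocol=tcp dst-port=2222 comment="upnp camera"
7 D chain=dstnat action=dst-nat to-addresses=192.168.20.9 to-ports=8080 protocol=tcp dst-port=8080 comment="upnp nas"
8   chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=443 protocol=tcp dst-port=443 comment="static web"
'''

# Assumed local policy: adjust both values to your own network.
SENSITIVE_PORTS = {22, 23, 445, 3389}                     # admin / file-sharing services
ALLOWED_CLIENTS = ipaddress.ip_network("192.168.1.0/24")  # LAN permitted to use UPnP

RULE_RE = re.compile(r"^\s*(\d+)\s+([A-Z ]*?)\s*(chain=.*)$")

def parse_rules(text):
    """Yield one dict per rule: number, flags, and the key=value properties."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        # shlex keeps quoted values such as comment="upnp Xbox" in one token
        props = dict(tok.split("=", 1) for tok in shlex.split(m.group(3)) if "=" in tok)
        yield {"id": int(m.group(1)), "flags": m.group(2).replace(" ", ""), **props}

def audit(text):
    """Return (rule id, reason) for every dynamic UPnP mapping that breaks policy."""
    findings = []
    for r in parse_rules(text):
        if "D" not in r["flags"] or not r.get("comment", "").startswith("upnp"):
            continue  # static rules are maintained by hand, not by UPnP clients
        target = ipaddress.ip_address(r["to-addresses"])
        if target not in ALLOWED_CLIENTS:
            findings.append((r["id"], f"target {target} outside {ALLOWED_CLIENTS}"))
        # UPnP maps one port per request, so both fields are single ports here
        hit = sorted({int(r["to-ports"]), int(r["dst-port"])} & SENSITIVE_PORTS)
        if hit:
            findings.append((r["id"], f"exposes sensitive port {hit[0]}"))
    return findings

if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE):
        print(f"rule {rule_id}: {reason}")
```
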
Related Topics
Port Forwarding
- NAT Masquerade - manual port forwarding and NAT rules
- Firewall Basics - securing your network
Network Services
- DHCP Server - network discovery for UPnP devices
- IP Neighbors - discover UPnP-capable devices
Security
- Firewall Address Lists - restrict UPnP clients
- IP Services - management access control
Reference
Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | no | Enable UPnP service |
| allow-disable-external-interface | yes/no | yes | Allow clients to disable WAN (security risk!) |
| show-dummy-rule | yes/no | yes | Show placeholder rule in NAT table |
Interface Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| interface | string | - | Interface name |
| type | external/internal | - | Interface role (WAN or LAN) |
| forced-external-ip | IP address | - | Force specific IP for mappings |
Command Reference
| Command | Description |
|---|---|
| /ip upnp set | Configure UPnP settings |
| /ip upnp print | Show UPnP configuration |
| /ip upnp interfaces add | Add UPnP interface |
| /ip upnp interfaces print | Show configured interfaces |
| /ip upnp interfaces remove | Remove UPnP interface |
| /ip firewall nat print where dynamic | View UPnP-created NAT rules |