...
The UPnP protocol is used by many modern applications, such as most DirectX games, and by various Windows Messenger features (remote assistance, application sharing, file transfer, voice, and video) from behind a firewall.
...
Warning: If you do not disable allow-disable-external-interface, any user on the local network will be able to disable the router's external interface without any authentication.
UPnP Interfaces
```
/ip upnp interfaces
```
Property | Description |
---|---|
interface (string; Default: ) | Interface name on which UPnP will be running |
type (external \| internal; Default: no) | UPnP interface type: external - the interface a global IP address is assigned to; internal - the router's local interface the clients are connected to |
forced-external-ip (Ip; Default: ) | Allows specifying which public IP to use if the external interface has more than one IP available. |
Note: In more complex setups with VLANs, where the VLAN interface is considered the LAN interface, the VLAN interface itself should be specified as the internal interface for UPnP to work properly.
...
```
[admin@MikroTik] ip upnp> /ip firewall src-nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1
[admin@MikroTik] ip upnp>
```
To enable the UPnP feature:
```
[admin@MikroTik] ip upnp> set enabled=yes
[admin@MikroTik] ip upnp> print
enabled: yes
allow-disable-external-interface: yes
show-dummy-rule: yes
[admin@MikroTik] ip upnp>
```
...
```
[admin@MikroTik] ip upnp interfaces> add interface=ether1 type=external
[admin@MikroTik] ip upnp interfaces> add interface=ether2 type=internal
[admin@MikroTik] ip upnp interfaces> print
Flags: X - disabled
# INTERFACE TYPE
0 X ether1 external
1 X ether2 internal
[admin@MikroTik] ip upnp interfaces> enable 0,1
```
Now, once a client on the internal interface side sends a UPnP request, dynamic NAT rules will be created on the router. Example rules could look similar to these:
```
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1
1 D ;;; upnp 192.168.88.10: ApplicationX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=tcp
dst-address=10.0.0.1 in-interface=ether1 dst-port=55000
2 D ;;; upnp 192.168.88.10: ApplicationX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=udp
dst-address=10.0.0.1 in-interface=ether1 dst-port=55000
```
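For auditing a router's UPnP state, the following added example (not MikroTik's own code) parses saved `print` output, flags the `allow-disable-external-interface` setting from the warning above, and lists the dynamic port forwards UPnP has opened. The function names are hypothetical, and the sample text is the output shown on this page.

```python
import re
# Sample input: the `ip upnp print` and `ip firewall nat print` output shown on this page.
UPNP_PRINT = """\
enabled: yes
allow-disable-external-interface: yes
show-dummy-rule: yes
"""
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1
1 D ;;; upnp 192.168.88.10: ApplicationX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=tcp
dst-address=10.0.0.1 in-interface=ether1 dst-port=55000
2 D ;;; upnp 192.168.88.10: ApplicationX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=udp
dst-address=10.0.0.1 in-interface=ether1 dst-port=55000
"""

def parse_settings(text):
    """Turn 'key: value' lines from the UPnP settings print into a dict."""
    return {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in text.splitlines())}

def parse_nat(text):
    """Group NAT print lines into rules: number, flags, comment, key=value properties."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+((?:[XID]\s+)*)(.*)", line)
        if m:  # a leading rule number opens a new rule
            rules.append({"id": int(m[1]), "flags": set(m[2].split()), "comment": "", "props": {}})
        elif not rules:
            continue  # header lines before the first rule
        body = (m[3] if m else line).strip()
        if body.startswith(";;;"):
            rules[-1]["comment"] = body[3:].strip()
        else:
            rules[-1]["props"].update(kv.split("=", 1) for kv in body.split() if "=" in kv)
    return rules

def audit(upnp_text, nat_text):
    """Return (warnings, mappings); a mapping is (protocol, dst-port, to-addresses, to-ports, comment)."""
    s, warnings = parse_settings(upnp_text), []
    if s.get("enabled") == "yes" and s.get("allow-disable-external-interface") == "yes":
        warnings.append("allow-disable-external-interface=yes: any LAN host can "
                        "disable the external interface without authentication")
    keys = ("protocol", "dst-port", "to-addresses", "to-ports")
    mappings = [tuple(r["props"].get(k) for k in keys) + (r["comment"],)
                for r in parse_nat(nat_text)
                if "D" in r["flags"] and r["comment"].startswith("upnp ")]
    return warnings, mappings
```

Running `audit()` on periodic exports and comparing the returned mappings against the applications expected on the LAN shows which hosts have opened inbound ports through UPnP.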
...