can't get upnp to work

Status: SOLVED by Amm0, thank you!

Original post:

I can’t get upnp to work with RouterOS 7.12. It seems to be enabled:

[admin@vno1-commbox] > /ip upnp print          
                           enabled: yes
  allow-disable-external-interface: no
                   show-dummy-rule: yes
[admin@vno1-commbox] > /ip upnp interfaces print
Columns: INTERFACE, TYPE
# INTERFACE  TYPE    
0 ether1     external
1 bridge     internal
[admin@vno1-commbox] >

… but upnpc doesn’t find it:

$ upnpc -l
upnpc : miniupnpc library test client, version .
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
No IGD UPnP Device found on the network !

The same command successfully works in a different environment where upnp is configured correctly. I also confirmed bridge1 is the LAN bridge, and ether1 is WAN.

How can I fix/troubleshoot this?

Edit: thanks @rextended for showing how to print the full config, here is the export:

# 2023-11-15 00:10:49 by RouterOS 7.12
# software id = LGEL-KMAD
#
# model = RB5009UG+S+
# serial number = HE708ME3E8F
/interface bridge
add admin-mac=48:A9:8A:79:B5:08 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:CD:EF:01:23:45
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.189.33-192.168.189.254
add name=dhcp_pool1 ranges=192.168.193.33-192.168.193.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/snmp community
set [ find default=yes ] addresses=192.168.189.0/24
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.189.4/24 comment=defconf interface=bridge network=\
    192.168.189.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=dhcp_pool1 interface=*B lease-time=10m name=dhcp1
/ip dhcp-server lease
add address=192.168.189.10 client-id=1:9c:bf:d:0:1f:1c mac-address=\
    9C:BF:0D:00:1F:1C server=defconf
add address=192.168.189.11 client-id=1:74:e6:b8:4c:fb:b7 mac-address=\
    74:E6:B8:4C:FB:B7 server=defconf
/ip dhcp-server network
add address=192.168.189.0/24 comment=defconf dns-server=192.168.189.4 \
    gateway=192.168.189.4 netmask=24
add address=192.168.193.0/24 dns-server=192.168.193.4 gateway=192.168.193.4
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.189.4 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface=ether1 port=80 protocol=tcp \
    to-addresses=192.168.189.1
add action=dst-nat chain=dstnat in-interface=ether1 port=443 protocol=tcp \
    to-addresses=192.168.189.1
add action=dst-nat chain=dstnat in-interface=ether1 port=22 protocol=tcp \
    to-addresses=192.168.189.1
add action=dst-nat chain=dstnat in-interface=ether1 port=53 protocol=udp \
    to-addresses=192.168.189.1
add action=dst-nat chain=dstnat dst-address=my.public.ip dst-port=443 \
    protocol=tcp to-addresses=192.168.189.1 to-ports=443
add action=masquerade chain=srcnat dst-address=192.168.189.1 out-interface=\
    bridge protocol=tcp src-address=192.168.189.0/24
add action=dst-nat chain=dstnat dst-address=my.public.ip dst-port=80 \
    protocol=tcp to-addresses=192.168.189.1 to-ports=80
add action=dst-nat chain=dstnat dst-address=my.public.ip dst-port=22 \
    protocol=tcp to-addresses=192.168.189.1 to-ports=22
add action=dst-nat chain=dstnat dst-address=my.public.ip dst-port=53 \
    protocol=udp to-addresses=192.168.189.1 to-ports=53
add action=dst-nat chain=dstnat dst-address=my.public.ip dst-port=53 \
    protocol=tcp to-addresses=192.168.189.1 to-ports=53
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes location=vno1-commbox
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=vno1-commbox
/system logging
add topics=upnp
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Why do you need upnp, it's like an old insecure protocol…

Why can’t you understand that to get help you have to show how the device is configured, without the forum users having to retype it every time?
What’s so difficult to understand that if you don’t show the configuration of the apparatus, we aren’t fortune tellers???
Do an /export of the devices and explain everything better.

look for the reason in the client OS

I would love to! But I haven't seen good guidance on which command to run (ideally no more than a few). Can you advise on which details to return, and how, or a link with such guidelines?

Edit: it was right there in the post, sorry and thank you! Updated the original description.

All/either of those would work: upnp, nat-pmp and pcp. Mikrotik seems to support upnp only, so I use what I have.

I need this for tailscale.

As mentioned in the post, it works well, with the same machine, on a network that has upnp configured correctly.

Edit: moved the export to the first post.

That should be all you have to do in /ip/upnp. But it still uses port 1900, so depending on the firewall filter, it can be blocked there – which is why folks are asking for config “:export”.

I use a Python tool to check (from ssdpy package - https://ssdpy.readthedocs.io/en/latest/cli.html)

ssdpy-discover ssdp:all

And I see uPnP from RouterOS using 7.13beta1.

It’s the firewall. You may need to add your bridge3-iot to the LAN interface list to deal with firewall.

From CLI:

/interface list member add  interface=bridge3-iot list=LAN

(also in Interface > List in winbox to assign interfaces to interface-list)
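The check behind this diagnosis, as an added example that is not part of the original thread: it reads a RouterOS export and lists UPnP internal interfaces that are missing from the interface list exempted by an input-chain drop rule such as the defconf "drop all not coming from LAN". The export excerpt is constructed, and it assumes bridge3-iot had been set as a UPnP internal interface.

```python
import re
import shlex

# Constructed export excerpt (not the poster's configuration).
SAMPLE_EXPORT = r"""
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
add interface=bridge3-iot type=internal
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # fold backslash line continuations
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line)[1:]
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def upnp_blocked_interfaces(text):
    """UPnP internal interfaces whose SSDP requests an input drop rule catches.
    Heuristic: does not model an earlier accept rule for UDP 1900."""
    cfg = parse_export(text)
    members = {}
    for m in cfg.get("/interface list member", []):
        members.setdefault(m["list"], set()).add(m["interface"])
    blocked = set()
    for rule in cfg.get("/ip firewall filter", []):
        lst = rule.get("in-interface-list", "")
        if not (rule.get("chain") == "input" and rule.get("action") == "drop"
                and lst.startswith("!")):
            continue
        allowed = members.get(lst[1:], set())
        for u in cfg.get("/ip upnp interfaces", []):
            if u.get("type") == "internal" and u["interface"] not in allowed:
                blocked.add(u["interface"])
    return sorted(blocked)
```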

bridge3-iot were trash/unused leftovers. Just removed all traces. Updated the export in the title.

Also, tried with ssdpy:

[nix-shell:~/code/nixpkgs]$ ssdpy-discover ssdp:all 

[nix-shell:~/code/nixpkgs]$ echo $?
0

In /ip/firewall/filter… try disabling the “fasttrack” rule & see if that changes anything. If it does, that would be a clue.

I was in a different position after removing bridge3-iot: ssdpy-discover returned empty output, so did upnpc -l. However, I started seeing active upnp sessions in the firewall/NAT section after removing bridge3-iot, before this change. Disabling the fasttrack filter did not make the upnp tests pass.

I guess we can call this case closed, at least for now, since actual programs can use it. Thank you!

Meta question: (how) can I mark a question as solved?

It’s an icon on the header of a post that solves it.