mods: could this please be stickied, as I believe this is a rather important issue that a number of hotspot providers may encounter or have already encountered without realising it, leading them to believe the MikroTik, rather than the configuration, was at fault.
Hello all,
After months of looking over the config for a certain device to determine what was causing it to stop responding to my IP accounting requests (HTTP) from outside, I noticed that the UPnP implementation on the MikroTik has no rules in the hotspot section to allow it to reserve critical ports.
What I’d like to request is that this be a standard set of reserved port rules included in the hotspot configuration.
Or alternatively, the ability to define what IP address the UPnP server(s) run(s) on.
I use UPnP to allow NATed users on the inside of my network to open ports and let whatever applications they wish to use the network for operate freely, without needing any port forwarding from me.
However, in the case where I have a hotspot, I believe that a certain range of ports (some or all of the following: 21, 22, 23, 25, 53, 80, 161, 162, 443, 1812, 1813, 8291 and 8728) should be held only for that hotspot; otherwise (as I have now seen and can demonstrate) a user could easily map any of these ports back to themselves and capture the traffic sent through to them.
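As an added example (my own code, not part of the post and not anything shipped with RouterOS), here is a small audit that reads a constructed list of UPnP port mappings and reports which NATed clients currently hold one of the ports listed above; the input line format is assumed for the example and is not RouterOS output.

```python
# Added example, not from the post: flag UPnP mappings that take a hotspot port.
from collections import defaultdict
from dataclasses import dataclass

# Ports the post says the hotspot gateway must keep for itself.
HOTSPOT_RESERVED_PORTS = frozenset(
    {21, 22, 23, 25, 53, 80, 161, 162, 443, 1812, 1813, 8291, 8728})


@dataclass(frozen=True)
class PortMapping:
    proto: str        # "tcp" or "udp"
    ext_port: int     # port opened on the router's WAN side
    int_ip: str       # NATed client that receives the redirected traffic
    int_port: int
    description: str


def parse_mapping(line: str) -> PortMapping:
    # Assumed input format: 'PROTO EXT_PORT INT_IP:INT_PORT DESCRIPTION'.
    # This is a constructed layout for the example, not RouterOS output.
    proto, ext, target, *desc = line.split(maxsplit=3)
    int_ip, int_port = target.rsplit(":", 1)
    return PortMapping(proto.lower(), int(ext), int_ip, int(int_port),
                       desc[0] if desc else "")


def find_reserved_conflicts(mappings, reserved=HOTSPOT_RESERVED_PORTS):
    """Group mappings whose external port is reserved, keyed by the client holding them."""
    by_client = defaultdict(list)
    for m in mappings:
        if m.ext_port in reserved:
            by_client[m.int_ip].append(m)
    return dict(by_client)


# Constructed sample mapping table for a hotspot segment.
SAMPLE_MAPPINGS = [
    "TCP 6881 10.5.50.10:6881 file-sharing client",
    "UDP 3478 10.5.50.10:3478 voip",
    "TCP 80 10.5.50.23:8080 personal web server",
    "UDP 53 10.5.50.23:53 resolver",
    "TCP 8291 10.5.50.23:8291 remote admin",
    "TCP 443 10.5.50.42:443 https",
]


def audit(lines=SAMPLE_MAPPINGS):
    """Print and return the clients that hold reserved hotspot ports."""
    conflicts = find_reserved_conflicts(parse_mapping(l) for l in lines)
    for client, maps in sorted(conflicts.items()):
        ports = ", ".join(f"{m.proto}/{m.ext_port}" for m in maps)
        print(f"{client} holds reserved port(s): {ports}")
    return conflicts
```

Running `audit()` on the sample prints the two clients that have mapped reserved ports; mappings on non-reserved ports (6881, 3478) are left alone.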
Another small bug note for MikroTik: in Winbox, if a single dynamic hotspot rule is selected you cannot disable it; however, if the entire list is selected you can disable (or remove) all dynamic rules.
