How I made PLEX work outside my network using UPnP!

Just a few clicks and it works.

I am running v6.36rc30 at the time this was typed.

  1. Log into RouterOS GUI
  2. Expand the “Firewall” sub-menu
  3. Click on UPnP
  4. Put check next to “Enable” and “Show Dummy Rule” and click APPLY
  5. Click on “Interfaces” button
  6. If no rules are listed click “Add New”
  7. Put check in box next to “Enabled”, under Interface drop down select “bridge”, and select the bubble “internal” next to “Type”
  8. Click “Apply”

That’s it. After pulling my hair out for hours, these simple settings allowed for my Plex server with default settings to see the outside world. If these steps don’t work for you, there are several other very complex fixes that have worked for others on here that you can search for.

Actually the world sees your plex. Very unsafe and dangerous…

Doesn’t the world see any port that’s open?

Sent from my VS986 using Tapatalk

So UPnP is unsafe? Maybe you could elaborate instead of just making a statement that doesn’t explain what you’re saying…


srcnat port 32400 in the firewall rules to your plex server

UPnP is definitely something that is scanned for and exploited, and any ports it opens do in fact expose your plex server to attack, but this latter point is true even if you just made static pinholes in the firewall.

Try disabling the WAN interface in your UPnP settings to see if the Plex server is still reachable. If so, then keep it that way - it means that the router is not listening to UPnP on the public interface, which will help the security.

If you want to see what kinds of things can be done with UPnP, then watch this hacker’s presentation at DEFCon:
https://www.youtube.com/watch?v=3JqsEcgQQt8

He performs a live demonstration of naughty things that can be done exploiting UPnP, including scanning the LAN, and setting up HTTP proxies to bounce connections off of them to hide his identity (by making it appear to be the other people’s routers).

You can limit who has access to your plex server by using filter rules in the firewall if you know what IP addresses they’ll be coming from.

Yes, UPnP is unsafe!
It will expose equipment on your LAN that is normally guarded by NAT and firewall rules.
UPnP is a protocol to allow equipment to “open ports” in a NAT router or firewall.
For example, multifunctional printers (scanner/fax/printer) or home NAS systems make themselves accessible to the
internet “because that is so convenient” (you can print from a mobile device or access your files from it) but many
users don’t realize that not only they themselves but the entire world has that access.
This has led to the move that most routers (including MikroTik) now have disabled that UPnP function by default,
hoping that users will first study the implications before enabling it. In vain, of course.

These addresses change constantly. I don’t know anyone who has a static IP anymore. So this would be impossible. Mobile phones… Other DHCP ISP connections.

So basically I’m no less secure than I have been for the past few years with my $25 WiFi router I picked up at Fry’s. It would seem that no matter how a port is opened (UPnP or manually) there’s an element of risk.

I tried every other procedure I found on this forum and others and I couldn’t get it to work. The port UPnP chose for the outside world wasn’t 32400. It was some other random port. I wouldn’t expect MikroTik to enable UPnP by default since these routers are typically not going to be in the home environment except for network geeks.

So I think I’m Ok with the element of risk.




Did you watch the video?
You need to be sure that your router will drop incoming UPnP requests from the Internet.
Perhaps your current firewall configuration handles this just fine - but it’s worth looking into just to make sure that you’re not wide open for 'sploits.

That is one thing. But you also need to know that enabling UPnP on the router may suddenly expose some devices that were hidden before, like that printer I mentioned.
You can find your printer has printed 200 black pages or pages with a big smiley one day, or that it has sent a scan of whatever was left on the glass plate to someone you don’t know.
(a TV current events show here aired a story some time ago about a group that searched IP space for a certain type of scanner/printer that by default tries to open ports using UPnP and they made scans from the devices they found, scored a number of scans from sensitive documents that were left on the scanner by their owners)
At least check the NAT table to see what ports have actually been opened and if there is some unknown device there.
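
One way to carry out the NAT-table check suggested above, as an added example that is not part of the original thread: it flags dynamically added dst-nat forwards that point at a device or port you did not expect. The rule-line layout, the addresses and the allowlist are constructed assumptions; adapt the parser to what your router actually prints.

```python
import re

# Constructed sample: one rule per line, "<id> <flags> key=value ...".
# The layout is an assumption; adapt parse_rules() to your router's output.
SAMPLE_NAT = """\
0 D chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=32400 protocol=tcp in-interface=ether1 dst-port=23817
1 D chain=dstnat action=dst-nat to-addresses=192.168.88.21 to-ports=5001 protocol=tcp in-interface=ether1 dst-port=5001
2 D chain=dstnat action=dst-nat to-addresses=192.168.88.37 to-ports=9100 protocol=tcp in-interface=ether1 dst-port=9100
3   chain=srcnat action=masquerade out-interface=ether1
"""

# Hypothetical allowlist: internal host -> internal ports it may expose.
EXPECTED = {
    "192.168.88.10": {32400},  # Plex server
    "192.168.88.21": {5001},   # Slingbox
}

RULE_RE = re.compile(r"\s*(\d+)\s+([A-Z]*)\s*(.*)")

def parse_rules(text):
    """Turn each rule line into a dict of its key=value fields."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
        fields["id"] = int(m.group(1))
        fields["dynamic"] = "D" in m.group(2)
        rules.append(fields)
    return rules

def unexpected_mappings(text, expected):
    """Return (host, internal_port, external_port) for forwards not on the allowlist."""
    findings = []
    for rule in parse_rules(text):
        # Only dynamically added port forwards are of interest here.
        if not rule["dynamic"] or rule.get("action") != "dst-nat":
            continue
        host = rule.get("to-addresses", "")
        port = int(rule.get("to-ports", "0"))
        if port not in expected.get(host, set()):
            findings.append((host, port, int(rule.get("dst-port", "0"))))
    return findings

if __name__ == "__main__":
    for host, inner, outer in unexpected_mappings(SAMPLE_NAT, EXPECTED):
        print(f"unexpected forward: WAN port {outer} -> {host}:{inner}")
```

In the constructed sample the Plex and Slingbox forwards pass, while the forward to port 9100 on an unlisted host is reported for follow-up.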

Ok… I would like to know if there is a simple way to make my PLEX server work to the outside world when my IP is changing and their IP is changing on a regular basis?

I also have two Slingboxes and they use UPnP.


Updating to rc37 made this stop working… Was this intentional?

Use dstnat

What’s that?


Look at this post
http://forum.mikrotik.com/t/port-forwarding-done-right/80423/1

Right… Is there a way I can roll it back to the previous release candidate?