How to block UPnP for some LAN clients

Hi, I would like to block UPnP for two LAN IP addresses but I don’t understand how to do it …

I tried to block port 5000 TCP/UDP with chain input and forward, but it still works. Do I have to block other ports or protocols?

Thanks

Unless something changed, it should be 1900/udp and 2828/tcp, see http://forum.mikrotik.com/t/upnp-does-not-work-for-me/117139/6

Thanks Sob, unfortunately UPnP continues to work …

I did a quick test with current 7.3.1 and it’s the same as it was before, the ports didn’t change. When I block them, I see that they drop packets and the UPnP client no longer works.

/ip firewall filter
add action=drop chain=input dst-port=1900 protocol=udp src-address=192.168.x.x
add action=drop chain=input dst-port=2828 protocol=tcp src-address=192.168.x.x

Although I’d probably rather use a whitelist:

/ip firewall filter
add action=drop chain=input dst-port=1900 protocol=udp src-address-list=!allow_upnp
add action=drop chain=input dst-port=2828 protocol=tcp src-address-list=!allow_upnp

And the allow_upnp list would be filled by the DHCP server, using static leases:

/ip dhcp-server lease
add address=192.168.x.x mac-address=xx:xx:xx:xx:xx:xx address-lists=allow_upnp

Many thanks Sob, I was using src-port instead of dst-port :sweat_smile:

You are right, it is the best solution!

PS. In my case I see packets only on port 1900 UDP

There are two steps: the first uses port 1900, and only if it succeeds does it continue with 2828. You can test it if you allow 1900 and block only 2828; then you’ll see that rule blocking packets.
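To verify the two-step behaviour described above from the router's own firewall log, here is an added example (not from the thread or from MikroTik) that counts dropped UPnP packets per LAN host and interprets them. It assumes the drop rules also log with a `log-prefix` of `upnp-drop`; the log lines are constructed to resemble RouterOS firewall output, not captured from a real router.

```python
import re
from collections import Counter, defaultdict

# UPnP on RouterOS uses two ports, as the thread states: SSDP discovery on
# 1900/udp first, then the control service on 2828/tcp only if discovery worked.
UPNP_STAGES = {("udp", 1900): "discovery", ("tcp", 2828): "control"}

# Only the "proto X, src:port->dst:port" part of a firewall log line is used.
LOG_RE = re.compile(
    r"proto (?P<proto>TCP|UDP), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def count_upnp_drops(lines):
    """Return {src_ip: Counter({'discovery': n, 'control': m})} from log lines."""
    per_host = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall packet line (e.g. DHCP messages)
        stage = UPNP_STAGES.get((m["proto"].lower(), int(m["dport"])))
        if stage:
            per_host[m["src"]][stage] += 1
    return dict(per_host)

def check_blocking(per_host):
    """Explain the counts per host: 2828/tcp is only attempted after 1900/udp
    succeeds, so drops on 'control' prove discovery was allowed for that host."""
    findings = {}
    for host, c in per_host.items():
        if c["control"] and not c["discovery"]:
            findings[host] = "1900/udp allowed, 2828/tcp blocked (only the second rule is effective)"
        elif c["discovery"]:
            findings[host] = "blocked at discovery; client never reaches 2828/tcp"
    return findings

# Constructed sample lines (assumed log-prefix "upnp-drop"; not real router output).
SAMPLE_LOG = """\
upnp-drop input: in:bridge1 out:(unknown 0), src-mac aa:bb:cc:dd:ee:01, proto UDP, 192.168.88.10:52000->192.168.88.1:1900, len 133
upnp-drop input: in:bridge1 out:(unknown 0), src-mac aa:bb:cc:dd:ee:01, proto UDP, 192.168.88.10:52000->192.168.88.1:1900, len 133
upnp-drop input: in:bridge1 out:(unknown 0), src-mac aa:bb:cc:dd:ee:02, proto TCP, 192.168.88.11:40000->192.168.88.1:2828, len 60
dhcp,info defconf assigned 192.168.88.12 for aa:bb:cc:dd:ee:03
""".splitlines()

if __name__ == "__main__":
    for host, verdict in check_blocking(count_upnp_drops(SAMPLE_LOG)).items():
        print(f"{host}: {verdict}")
```

A host that shows only discovery drops is fully blocked; a host with control drops but no discovery drops tells you the 1900/udp rule is not matching it (for example, it is still in the whitelist).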