For the purpose of testing I have a network that has:
a PC with a torrent client, getting its IP from the DHCP of mk_x86,
a PC with mk_x86 with DHCP server, NAT and getting its IP from the DHCP of rb2011. UPnP is enabled, the DHCP server interface is set as internal, and the DHCP client interface is set as external.
one rb2011 getting its Internet IP by PPPoE, with NAT and DHCP server. UPnP is enabled, the DHCP server interface is set as internal and the PPPoE interface is set as external.
In short, one PC with a torrent client is connected to mk_x86, mk_x86 is connected to rb2011, and rb2011 is connected to the Internet.
The PC with the torrent client automatically maps ports on the firewall of the PC with mk_x86, but mk_x86 does not map ports on rb2011, which leads me to believe that the UPnP of MikroTik only accepts UPnP requests but does not make UPnP requests. Am I correct?
Add 1: with the PC with the torrent client connected directly to rb2011, UPnP maps ports normally.
You can always ask MikroTik support or send them a feature request.
Only from inside, so no big deal. You need the network secured primarily from outside access and it still is. To take advantage of UPnP, the “bad” device needs to be in LAN. And once it’s there, it doesn’t really depend on UPnP to do some harm or allow outside access to it.
All this request is about is the ability to use UPnP with double NAT, which makes sense (if you think that double NAT itself might make sense). I’d rather push for a brighter future with NAT-less IPv6, but sadly, the world is not there yet.
Me too, but if there’s e.g. a home network with several devices and users and no real admin, UPnP is not bad. It might feel like it makes things even less secure than they already are, but I don’t think it will make a real difference in the end.
I think it can be useful to have a command in RouterOS scripting like “fetch”, but for opening a port in an external NAT via UPnP. Has anyone seen such stuff?
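Added example, not part of any post in this thread and not RouterOS code: the UPnP IGD `AddPortMapping` SOAP request that the inner router (mk_x86) would have to send upstream to rb2011 in the double-NAT setup, built and parsed offline. The addresses, port and function names are constructed for illustration, and the last function shows the check a router can apply so that a LAN device can only map ports to itself.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Argument order defined for AddPortMapping by the UPnP IGD WANIPConnection service.
ARGS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
        "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
        "NewLeaseDuration")

def build_add_port_mapping(ext_port, proto, int_port, int_client, desc, lease_s):
    """Return (headers, body) of the SOAP request; nothing is sent."""
    if proto not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    if not all(1 <= p <= 65535 for p in (ext_port, int_port)):
        raise ValueError("port out of range")
    ipaddress.ip_address(int_client)  # raises ValueError on a malformed address
    values = dict(zip(ARGS, ("", str(ext_port), proto, str(int_port),
                             int_client, "1", desc, str(lease_s))))
    ET.register_namespace("s", SOAP_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    action = ET.SubElement(body, f"{{{SERVICE}}}AddPortMapping")
    for name in ARGS:
        ET.SubElement(action, name).text = values[name]
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPACTION": f'"{SERVICE}#AddPortMapping"'}
    return headers, b'<?xml version="1.0"?>' + ET.tostring(env)

def parse_add_port_mapping(payload):
    """Extract the mapping arguments, as a router or an auditor reading a capture would."""
    action = ET.fromstring(payload).find(f"{{{SOAP_NS}}}Body/{{{SERVICE}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {arg.tag: arg.text or "" for arg in action}

def requester_maps_itself(fields, source_ip):
    """Hardening check: the requester may only forward the port to its own address."""
    return ipaddress.ip_address(fields["NewInternalClient"]) == ipaddress.ip_address(source_ip)

if __name__ == "__main__":
    # Constructed values: 192.168.88.2 stands for mk_x86's address on the rb2011 LAN.
    hdrs, req = build_add_port_mapping(51413, "TCP", 51413, "192.168.88.2", "torrent", 3600)
    fields = parse_add_port_mapping(req)
    print(hdrs["SOAPACTION"], fields)
    print("self-mapping:", requester_maps_itself(fields, "192.168.88.2"))
```

A non-zero `NewLeaseDuration` lets the upstream mapping expire on its own if the inner router or the client goes away.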