Need Help. UPNP

I am currently pulling my hair out trying to get UPNP working. I’m trying to get it working so that I can have two Xbox consoles in the same house play nice and access the internet. It seems so simple reading the MikroTik manual and Google articles but something must be escaping me. I enabled all three options under UPNP. I selected my internet interface as my external and my local interface as my internal. But my router still can’t be seen by any other devices. I can’t see the router under Windows network discovery. I used UPNP test and the router doesn’t show up. Plus when I turn on a UPNP device no rules are created. Here are some rule prints for info…

[Cormacs@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""

1 ;;; default configuration
chain=input action=accept connection-state=established,related
log=no log-prefix=""

2 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701 log=no
log-prefix=""

3 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723 log=no
log-prefix=""

4 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443 log=no
log-prefix=""

5 ;;; default configuration
chain=input action=drop in-interface=Modem 1 log=no log-prefix=""

6 ;;; default configuration
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

7 ;;; default configuration
chain=forward action=accept connection-state=established,related
log=no log-prefix=""

8 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no
log-prefix=""

9 ;;; default configuration
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=Modem 1 log=no
log-prefix=""

[Cormacs@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=accept dst-address-list=!Modems
in-interface=Tek Savvy log=no log-prefix=""

[Cormacs@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=10.0.3.0/24 log=no log-prefix=""

1 chain=srcnat action=masquerade src-address=10.0.0.0/24 out-interface=Tek Savvy log=no log-prefix=""

2 chain=srcnat action=masquerade dst-address=10.0.1.1 out-interface=Modem 1 log=no log-prefix=""

3 chain=srcnat action=masquerade dst-address=10.0.2.1 out-interface=Modem 2 log=no log-prefix=""

4 chain=dstnat action=dst-nat to-addresses=10.0.0.101 to-ports=80 protocol=tcp in-interface=Tek Savvy dst-port=80 log=no log-prefix=""

5 X ;;; Xbox One
chain=dstnat action=dst-nat to-addresses=10.0.0.124 to-ports=3074 protocol=udp in-interface=Tek Savvy dst-port=3074 log=no log-prefix=""

6 X ;;; Xbox 360
chain=dstnat action=dst-nat to-addresses=10.0.0.118 to-ports=3074 protocol=udp in-interface=Tek Savvy dst-port=3074 log=no log-prefix=""



[Cormacs@MikroTik] /ip upnp> print
enabled: yes
allow-disable-external-interface: yes
show-dummy-rule: yes



[Cormacs@MikroTik] /ip upnp interfaces> print
Flags: X - disabled, D - dynamic
 #  INTERFACE  TYPE      FORCED-EXTERNAL-IP
 0  Local      internal
 1  Tek Savvy  external

[Cormacs@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME       TYPE       ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
 0  R  Local      ether      1500        1598   2028       4C:5E:0C:04:AF:43
 1  R  Modem 1    ether      1500        1598   2028       4C:5E:0C:04:AF:42
 2  R  Modem 2    ether      1500        1598   2028       4C:5E:0C:04:AF:46
 3     Unused1    ether      1500        1598   2028       4C:5E:0C:04:AF:44
 4     Unused2    ether      1500        1598   2028       4C:5E:0C:04:AF:45
 5  R  Tek Savvy  pppoe-out  32715
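
What a "UPnP test" tool does on the wire, as an added example that is not part of the original thread: it multicasts an SSDP M-SEARCH for an Internet Gateway Device and waits for unicast replies, and a router whose UPnP service is not answering on the LAN stays silent. The function names and the sample reply (including its LOCATION and SERVER values) are constructed for illustration.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample reply; the LOCATION and SERVER values are made up.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
    b"LOCATION: http://10.0.0.1:49152/desc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)

def build_msearch(target=IGD, mx=2):
    """SSDP M-SEARCH datagram asking devices of type `target` to answer."""
    lines = ["M-SEARCH * HTTP/1.1",
             "HOST: %s:%d" % SSDP_GROUP,
             'MAN: "ssdp:discover"',
             "MX: %d" % mx,
             "ST: %s" % target, "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(datagram):
    """Return (status, headers) for an SSDP reply, or None if it is not one."""
    head = datagram.decode("utf-8", "replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return int(parts[1]), headers

def discover(lan_ip, timeout=3.0):
    """Multicast one M-SEARCH out of the NIC owning lan_ip; list (ip, LOCATION, SERVER)."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # Pin the egress NIC: a laptop with Wi-Fi and Ethernet may pick the wrong one.
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(lan_ip))
        s.bind((lan_ip, 0))
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(4096)
                reply = parse_response(data)
                if reply and reply[0] == 200:
                    found.append((ip, reply[1].get("LOCATION"), reply[1].get("SERVER")))
        except socket.timeout:
            pass
    return found
```

Calling `discover()` with the laptop's own 10.0.0.x address returns an empty list when nothing on the segment answers as a gateway device.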

Unticking “allow-disable-external-interface: yes” won’t hurt.

I don’t have Xbox One direct experience but never had problems getting UPNP to work with Xbox 360 and PS3, etc on the same network.

I noticed you disabled the manual 3074 redirections, guess they’re leftovers from testing… maybe in this post http://forums.xbox.com/xbox_support/xbox_one_support/f/4267/t/1627170.aspx you can get some ideas for further troubleshooting; as it seems something related to the X1.

Yeah the manual redirects are disabled, that’s what I’m using in place of upnp. I enable and disable as needed. I just wish I could get upnp to work so I would have to do that. I can’t get anything to see the MikroTik’s upnp right now, not even my Windows machine.


Sent from my iPhone using Tapatalk

Which Device, RouterOS version and Firmware versions?

A complete export will make things easier. Does the MikroTik router get the external IP? How is your setup?

The MikroTik gets its external IP through a PPPoE client. The device is a Routerboard 750 r2. Firmware version is 3.24.

If you help me fix this I will be forever grateful. I can’t for the life of me figure this out and I don’t usually post to forums, I can usually figure it out on my own through countless hours of Google. This time I am at a loss..

Here is the complete export…

MikroTik RouterOS 6.29.1 (c) 1999-2015 > http://www.mikrotik.com/

[Cormacs@MikroTik] > export

# dec/06/2015 13:26:19 by RouterOS 6.29.1
# software id = FCND-X79A
/interface ethernet
set [ find default-name=ether2 ] name=Local
set [ find default-name=ether1 ] name="Modem 1"
set [ find default-name=ether5 ] name="Modem 2"
set [ find default-name=ether3 ] name=Unused1
set [ find default-name=ether4 ] name=Unused2
/interface pppoe-client
add add-default-route=yes disabled=no interface="Modem 1,Modem 2" name=\
    "Tek Savvy" password=**** user=****
/ip neighbor discovery
set "Modem 1" discover=no
/ip pool
add name=default-dhcp ranges=10.0.0.2-10.0.0.250
add name=vpn ranges=10.0.3.2-10.0.3.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=Local name=default
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] local-address=192.168.89.1 name=\
    default-encryption remote-address=vpn
/interface l2tp-server server
set enabled=yes ipsec-secret=**** use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.0.1/24 comment="default configuration" interface=Local \
    network=10.0.0.0
add address=10.0.2.2/24 interface="Modem 2" network=10.0.2.0
add address=10.0.1.2/24 interface="Modem 1" network=10.0.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.0.0.10 mac-address=00:62:6E:4B:ED:FD
add address=10.0.0.11 mac-address=00:62:6E:50:78:FA
add address=10.0.0.12 mac-address=00:62:6E:4C:42:3E
add address=10.0.0.13 mac-address=C4:D6:55:39:A8:E7
add address=10.0.0.14 mac-address=00:62:6E:4D:E0:80
add address=10.0.0.15 mac-address=78:A5:DD:03:C0:C4
add address=10.0.0.16 mac-address=00:62:6E:4B:EC:E3
add address=10.0.0.100 mac-address=88:DC:96:26:C1:09
add address=10.0.0.101 mac-address=94:DE:80:C3:D2:91
add address=10.0.0.102 mac-address=00:21:B9:02:18:16
add address=10.0.0.103 mac-address=00:05:CD:3F:5C:9F
add address=10.0.0.104 always-broadcast=yes mac-address=00:27:0D:1F:80:9B
add address=10.0.0.105 mac-address=00:60:6E:A5:B1:C8
add address=10.0.0.106 mac-address=00:60:6E:A5:B4:AF
add address=10.0.0.107 mac-address=18:B4:30:0C:F7:A5
add address=10.0.0.108 mac-address=18:B4:30:23:5B:87
add address=10.0.0.109 mac-address=18:B4:30:2B:CF:7B
add address=10.0.0.110 mac-address=F8:A9:63:08:CD:78
add address=10.0.0.111 mac-address=9C:B7:0D:73:71:26
add address=10.0.0.112 mac-address=44:2A:60:5B:8D:E3
add address=10.0.0.113 always-broadcast=yes mac-address=E0:B5:2D:39:31:37
add address=10.0.0.114 mac-address=00:08:89:D0:4B:55
add address=10.0.0.115 mac-address=00:13:B6:E9:EA:5C
add address=10.0.0.116 mac-address=B4:B5:2F:F3:0B:EA
add address=10.0.0.117 mac-address=00:16:6C:1B:A6:0D
add address=10.0.0.118 mac-address=00:17:FA:68:A7:25
add address=10.0.0.119 mac-address=00:E1:6D:B9:55:22
add address=10.0.0.120 always-broadcast=yes mac-address=74:E2:F5:A6:8B:3F
add address=10.0.0.121 mac-address=88:DC:96:30:04:14
add address=10.0.0.122 mac-address=D0:DF:9A:7E:41:FB
add address=10.0.0.123 client-id=1:0:4:20:f2:e0:66 mac-address=\
    00:04:20:F2:E0:66 server=default
add address=10.0.0.9 client-id=1:0:62:6e:4b:ee:56 mac-address=\
    00:62:6E:4B:EE:56 server=default
add address=10.0.0.124 client-id=1:b4:ae:2b:67:7c:cf mac-address=\
    B4:AE:2B:67:7C:CF server=default
/ip dhcp-server network
add address=10.0.0.0/24 comment="default configuration" gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=206.248.154.170,206.248.154.22
/ip dns static
add address=10.0.2.2 name=router
/ip firewall address-list
add address=10.0.1.1 list=Modems
add address=10.0.2.1 list=Modems
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    "Modem 1"
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface="Modem 1"
/ip firewall mangle
add chain=prerouting dst-address-list=!Modems in-interface="Tek Savvy"
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    10.0.3.0/24
add action=masquerade chain=srcnat out-interface="Tek Savvy" src-address=\
    10.0.0.0/24
add action=masquerade chain=srcnat dst-address=10.0.1.1 out-interface=\
    "Modem 1"
add action=masquerade chain=srcnat dst-address=10.0.2.1 out-interface=\
    "Modem 2"
add action=dst-nat chain=dstnat dst-port=80 in-interface="Tek Savvy" \
    protocol=tcp to-addresses=10.0.0.101 to-ports=80
add action=dst-nat chain=dstnat comment="Xbox One" disabled=yes dst-port=3074 \
    in-interface="Tek Savvy" protocol=udp to-addresses=10.0.0.124 to-ports=\
    3074
add action=dst-nat chain=dstnat comment="Xbox 360" dst-port=3074 \
    in-interface="Tek Savvy" protocol=udp to-addresses=10.0.0.118 to-ports=\
    3074
/ip service
set telnet disabled=yes
set www port=224
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=Local type=internal
add interface="Tek Savvy" type=external
/ppp secret
add name=Cormacs password=****
add name=Test password=*****
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/system scheduler
add interval=1m name=dynDNS on-event="/system script run DynDNS1\r\
    \n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=aug/28/2015 start-time=01:08:29
add disabled=yes interval=1d name="Renew IP" on-event=\
    "/system script run Renew-IP\r\
    \n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=sep/10/2015 start-time=23:30:00
/system script
add name=Renew-IP policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/interf\
    ace pppoe-client set [find name=\"Tek Savvy\"] disabled=yes\r\
    \ndelay 5;\r\
    \n/interface pppoe-client set [find name=\"Tek Savvy\"] disabled=no\r\
    \n"
add name=DynDNS1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local \
    ddnsuser \"*****\"\r\
    \n:local ddnspass \"****\"\r\
    \n:local theinterface1 \"Tek Savvy\"\r\
    \n:local ddnshost1 \"cormacs.net\"\r\
    \n:local ipddns1 [:resolve \$ddnshost1];\r\
    \n:local ipfresh1 [ /ip address get [/ip address find interface=\$theinter\
    face1 ] address ]\r\
    \n:if ([ :typeof \$ipfresh1 ] = nil ) do={\r\
    \n :log info (\"DynDNS1: No ip address on \$theinterface1 .\")\r\
    \n} else={\r\
    \n :for i from=( [:len \$ipfresh1] - 1) to=0 do={ \r\
    \n :if ( [:pick \$ipfresh1 \$i] = \"/\") do={ \r\
    \n :set ipfresh1 [:pick \$ipfresh1 0 \$i];\r\
    \n } \r\
    \n}\r\
    \n \r\
    \n:if (\$ipddns1 != \$ipfresh1) do={\r\
    \n :log info (\"DynDNS1: IP-DynDNS = \$ipddns1\")\r\
    \n :log info (\"DynDNS1: IP-Fresh = \$ipfresh1\")\r\
    \n :log info \"DynDNS1: Update IP needed, Sending UPDATE...!\"\r\
    \n :local str \"/nic/update?hostname=\$ddnshost1&myip=\$ipfresh1&wildca\
    rd=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
    \n /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\
    \$ddnsuser \\\r\
    \n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost1)\r\
    \n :delay 1\r\
    \n :local str [/file find name=\"DynDNS.\$ddnshost1\"];\r\
    \n /file remove \$str\r\
    \n :global ipddns1 \$ipfresh1\r\
    \n :log info \"DynDNS1: IP updated to \$ipfresh1!\"\r\
    \n } else={\r\
    \n :log info \"DynDNS1: dont need changes\";\r\
    \n }\r\
    \n} \r\
    \n\r\
    \n\r\
    \n"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=Local
add interface=Unused1
add interface=Unused2
add interface="Modem 2"
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=Local
add interface=Unused1
add interface=Unused2
add interface="Modem 2"
/tool netwatch
add disabled=yes down-script=\
    "/ip firewall mangle disable 6\r\
    \n/ip firewall mangle enable 7" host=10.0.1.1 up-script=\
    "/ip firewall mangle disable 7\r\
    \n/ip firewall mangle enable 6"
/tool romon port
add disabled=no
[Cormacs@MikroTik] > netwatch

That was a lot of text. I hope I didn’t miss any usernames and passwords lol.
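
A check that can be run against an export like the one above, as an added example that is not part of the original thread: for each interface marked external under /ip upnp interfaces, it reports whether the input and forward chains hold a drop rule for new traffic arriving on that interface. The excerpt is taken from the posted export with continuation lines joined and straight quotes; `parse_export`, `drops_new_traffic` and `audit` are hypothetical helper names, and `!` negation on in-interface is not handled.

```python
import shlex

# Excerpt of the export posted above, continuation lines joined (sample input).
EXPORT = """\
/ip firewall filter
add chain=input comment="default configuration" connection-state=established,related
add chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface="Modem 1"
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface="Modem 1"
/ip upnp interfaces
add interface=Local type=internal
add interface="Tek Savvy" type=external
"""

def parse_export(text):
    """Map each menu path to the list of {property: value} dicts of its add lines."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            words = shlex.split(line)[1:]          # honours "quoted names"
            current.append(dict(w.split("=", 1) for w in words if "=" in w))
    return menus

def drops_new_traffic(rule):
    """True for an enabled drop rule that is not limited to invalid connections."""
    if rule.get("action") != "drop" or rule.get("disabled") == "yes":
        return False
    return "new" in rule.get("connection-state", "new").split(",")

def audit(text):
    """List (external interface, chain, interfaces the drop rules name instead)."""
    menus = parse_export(text)
    rules = menus.get("/ip firewall filter", [])
    findings = []
    for entry in menus.get("/ip upnp interfaces", []):
        if entry.get("type") != "external":
            continue
        wan = entry["interface"]
        for chain in ("input", "forward"):
            drops = [r for r in rules if r.get("chain") == chain and drops_new_traffic(r)]
            # A rule with no in-interface applies to every interface, this one included.
            if not any(r.get("in-interface", wan) == wan for r in drops):
                findings.append((wan, chain, sorted({r["in-interface"] for r in drops})))
    return findings

if __name__ == "__main__":
    print(audit(EXPORT))
```

On this excerpt both chains are reported for Tek Savvy: the only drop rules for new traffic name Modem 1, while the PPPoE session and the UPnP external side use Tek Savvy.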

You’re using an RC and dated RouterOS version, download the latest bugfix-only release from http://download2.mikrotik.com/routeros/6.32.3/routeros-mipsbe-6.32.3.npk and drag it over to your Winbox windows, then reboot.

Check on System > Routerboard if there’s new firmware available for your device. If so, upgrade, and reboot.

After these upgrades, a reset to no defaults subsequently re-loading your export would be the first thing I’d do with any device whose firmware/RouterOS versions have significantly changed. To do so:

Run again the export with a file output this time:

/export file=MyRouterConf

Go to Winbox Files and drag the .rsc to a safe place on your computer.

Now to do a reset to no defaults and configuration reload:

/system reset-configuration no-defaults=yes skip-backup=yes keep-users=yes run-after-reset=MyRouterConf.rsc

I’m guessing I missed something.

No, you were faster answering while I was typing… :smiley:

I’d change this:

/ip dhcp-server network
add address=10.0.0.0/24 comment="default configuration" gateway=10.0.0.1

to this so that your local devices use the dns cache you already enabled:

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 comment="default configuration" gateway=10.0.0.1

As we don’t know the exact procedure the Xbox One uses to trigger UPNP and determine NAT level it could help…

Yes I set those rules so I can access the modems and see my DSL line stats. I do have a masquerade rule for 10.0.0.0 src and PPPoE out interface. Is that not good enough?



That’s fine, sorry. No problem with your masq.

The upnp is not only not working for the Xbox, it doesn’t work for any device. I only really need it for the Xboxes. For testing purposes I’ve been trying to get my laptop to connect with upnp and it doesn’t work either. I’ve used Windows network discovery and upnp test, neither can access the MikroTik.



I made the changes you suggested.



And still no UPNP?

I’m wondering if it has to do with your MLPPP setup, you could try powering off one of the modems, (rebooting the router and the XBoxes afterwards to start from a “scratch” environment)

I can’t see the mlppp affecting it. Maybe. I have tried rebooting everything multiple times this weekend. For some reason nothing within my network can access the upnp server on the MikroTik.



It won’t hurt trying… the reboot will ensure no connections are in the conn table that may “fool” the XBoxes into thinking the environment is the same preventing them from probing again.

In fact instead of powering off one router I’d disable MLPPP by removing Modem2 interface from the pppoe-client, as this could be RouterOS related.

If it works with regular pppoe (no MLPPP), send an email to support explaining the issue, attaching a supout file, or preferably two, one with MLPPP and another without it.

I guess it couldn’t hurt



(check previous post, I edited it)

How are the XBoxes connected to the router? Could a device further into your network be the one blocking UPNP?

A quick test (if possible) would be temporarily wiring one of them directly to the router to rule out this possibility.

I thought of that as well. There is a 48 port corporate switch between the router and everything. I went down with my laptop and unplugged the network from the router and directly plugged my laptop in. The laptop still couldn’t see the router in network discovery.

