Port Forwarding: proper way to do "DMZ" + UPnP?

When I want specific port X to be forwarded… I don’t think I’d want it to be randomly overridden by device, just because it happens to have access to my LAN.
This is, in a way, compatible with UPnP as the same port could be forwarded to only one device at a time, so the only change needed is taking into account that forwarding is taking place.

Does Mikrotik’s UPnP support that by the way? I.e. if I am forwarding a single port, could it still let UPnP client to try to forward it? (I realize it would likely fail as UPnP service seems to kick in after all FW processing is done, but would UPnP client be notified about it, or would it assume that it is listening, but just receive no data?)
DMZ + UPnP is a bit unusual “forward everything to that host, unless there are dynamic clients for that port”.


I imagine both cases would be addressed if we could explicitly call out UPnP service in firewall rules.