Hello everyone, I am using a hAP ax3 device, v7.8 stable. There is a PCDN terminal that needs to use UPnP to create firewall forwarding entries automatically. I connect it directly to a physical port and configure a /30 mask.
My network egress is an operator NAT segment starting with 100. I read in some places that UPnP must be triggered from the public network, but when I use OpenWrt, UPnP is triggered correctly, and the network exit does not need to be a public address.
When I added an input rule for UDP port 1900, I saw my PCDN terminal send a multicast message to the hAP ax3, but unfortunately there is no response from the ax3.
Below is my upnp configuration for your review.
[@MikroTik] /ip/upnp> print
enabled: yes
allow-disable-external-interface: no
show-dummy-rule: yes
[@MikroTik] /ip/upnp> interfaces/
[@MikroTik] /ip/upnp/interfaces> print
Columns: INTERFACE, TYPE
INTERFACE TYPE
0 Internet external
1 ether3 internal
Do I need to open other special ports in the firewall, or is there some other reason why UPnP does not work? Is there any diagnostic command to see logs about UPnP?
I have disassembled the original bridge, and now ether3 is not joined to any bridge. I have re-planned the interface lists and the firewall part according to my own needs.
If it has something to do with firewall policies, can you tell me which ports UPnP needs open on the firewall?
I have another question: how do I isolate the input traffic of UPnP?
It seems that the destination address of this traffic is my network egress, and the inbound interface is my internet interface.
I want to only allow input traffic that matches dnat entries generated by UPnP. I am currently using the following configuration, but it does not seem to take effect
Dunno, but you may need to use “bridge” (or vlan) instead of “ether3”. If ether3 is already a member of the bridge, it’s a slave interface so it won’t hit that firewall rule.
Yes, you can restrict the traffic to only allow specific devices access to UPnP.
The way that I do it is: first create an address list of permitted devices by their IP address.
Then only allow UPnP interaction for those devices … I use 2 firewall rules to accomplish this. I am not in my lab right now but later will let you see the rules once I get back to my office.
Maybe my usage scenario is different from UPnP’s regular usage scenario.
PCDN is a distributed CDN, which disperses CDN among home users.
I have only one IP address, and I need to meet my family’s Internet needs while running PCDN, so I use Port Restricted Cone NAT.
This type of NAT will prevent the outside from accessing the internal devices, and UPnP is meant to open up the channel from the outside to the inside.
So what I want to ask is how to only allow dst-nat input traffic via UPnP. My WAN port theoretically rejects all input traffic.
In fact, the firewall policy above meets my needs. Last night, because the traffic was too small, I mistakenly thought that the policy did not take effect.
Thank you very much; the purpose of this reply is to let other people with the same needs know the solution when they see the post.
Normally the default “accept on input from LAN list” rule would cover uPnP negotiation. But if you had a more custom firewall, say VLANs, you’d need to allow those ports on “input” to the router. But these ports should NOT be exposed to the internet, only local LANs/VLANs. The uPnP “server” on the Mikrotik will add DYNAMIC rules as needed by uPnP clients on the local network(s) (e.g. gaming console/things).
When enabling uPnP, make sure to pick the right interface for “internal” (e.g. if you have VLANs, you need to add them if you want them to use uPnP). And your WAN / internet should be marked as “external”.
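The layout the reply above describes, as an added RouterOS example that is not from any post in this thread: UPnP negotiation is accepted on the input chain only from an address list of permitted LAN hosts, and inbound WAN traffic is forwarded only when it matches a dst-nat entry (such as one UPnP created dynamically). It assumes interface lists named LAN (with ether3 as a member) and WAN already exist, that the address list name upnp-clients and the address 192.168.88.10 are illustrative, and that the RouterOS UPnP service listens on udp/1900 (SSDP) and tcp/2828 (its HTTP control channel).

```routeros
# Added example, not the thread's own configuration.
# Assumes interface lists LAN (containing ether3) and WAN, and that the
# RouterOS UPnP service listens on udp/1900 (SSDP) and tcp/2828 (control).

# 1. LAN hosts that are permitted to open ports via UPnP (example address)
/ip firewall address-list
add list=upnp-clients address=192.168.88.10 comment="PCDN terminal (example)"

# 2. Input chain: UPnP negotiation only from permitted LAN hosts, never from WAN
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=udp dst-port=1900 in-interface-list=LAN \
    src-address-list=upnp-clients comment="UPnP SSDP from permitted LAN hosts"
add chain=input action=accept protocol=tcp dst-port=2828 in-interface-list=LAN \
    src-address-list=upnp-clients comment="UPnP control from permitted LAN hosts"
add chain=input action=drop in-interface-list=WAN comment="drop all other input from WAN"

# 3. Forward chain: new WAN connections pass only if a dst-nat entry matched them,
#    which is exactly what the dynamic rules added by UPnP provide
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="allow traffic that hit a UPnP/dst-nat rule"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop WAN traffic that was not dst-nated"

# 4. Checking the result: entries created by UPnP show up as dynamic NAT rules
/ip firewall nat print where dynamic
```

If the PCDN terminal still gets no reply to its SSDP multicast, confirm with `/ip firewall filter print stats` that the udp/1900 input rule's counters increase, which separates a firewall problem from a UPnP interface-type problem.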
Thanks, you saved me from opening those ports to the internet. I do have an accept all from LAN rule so I think the answer is that they broke uPnP in the latest stable ROS because it was working before.