UPnP does not work for me

Router: CCR1009
Firmware: 6.42rc37

I have a number of devices that are UPnP capable residing on a number of VLANs.

  1. Synology NAS in VLAN10
  2. Apple Time Capsule in VLAN20
  3. XBOX in VLAN40
When these devices attempt to access the UPnP service they all report "No UPnP service was found". — WHY?
The following are my firewall rules:
/ip firewall filter add action=accept chain=input comment="INPUT Established, Related" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="INPUT Drop Invalid" connection-state=invalid log-prefix="invalid connection"
/ip firewall filter add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2d chain=input comment="INPUT Telnet Port Scans" dst-port=23 in-interface=ether1 protocol=tcp
/ip firewall filter add action=drop chain=input comment="INPUT DROP Rogue VPN Hosts" in-interface=ether1 log=yes log-prefix=rogue_vpn_hosts src-address-list=rogue_vpn_hosts
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1 log=yes log-prefix=who_is_this protocol=udp
/ip firewall filter add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
/ip firewall filter add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
/ip firewall filter add action=accept chain=input comment="INPUT Allow to Router from address list" src-address-list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="INPUT ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="INPUT DROP ALL"
/ip firewall filter add action=accept chain=forward comment="FORWARD Accept in IPsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="FORWARD Accept out IPsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="FORWARD Accept FastTrack Established, Related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="FORWARD Accept Established, Related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop invalid" connection-state=invalid log-prefix=invalid
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
/ip firewall filter add action=accept chain=forward comment="FORWARD VLANs to WAN" in-interface-list=VLANs out-interface=ether1
/ip firewall filter add action=accept chain=forward comment="FORWARD Allow Access for AP's" src-address-list=access_points
/ip firewall filter add action=accept chain=forward comment="FORWARD ALLOW Linux station access to printers" dst-address-list=Printers src-address=192.168.40.50
/ip firewall filter add action=accept chain=forward comment="FORWARD Allow UPnP devices" connection-nat-state=dstnat in-interface=ether1 log-prefix=UPnP src-address-list=UPnPdevices
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop all"
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1

Can anyone give me some idea as to why UPnP is not working for me?

Are addresses of those devices in “allowed_to_router” list? If not, their attempts to contact UPnP service get dropped.

Provide an export of your VLAN config. I am thinking, if the VLANs are in a bridge config, maybe use the bridge instead of the VLAN interfaces directly.

The allowed_to_router list is for a rule that allows the workstations I use from different locations to access Winbox to manage the router.
I have a rule that I believed would allow the 3 devices to access UPnP, as follows:
/ip firewall filter add action=accept chain=forward comment="FORWARD Allow UPnP devices" connection-nat-state=dstnat in-interface=ether1 log-prefix=UPnP src-address-list=UPnPdevices
But that rule does not seem to have any effect. – Perhaps I should use another rule for Winbox access for my workstations — do you have a suggestion?

@Sob Thank You.
[EDIT] So I added the NAS to the allowed_to_router list and sure enough UPnP started to work for that device … I will now have to formulate a different rule [plan] for my workstations to access Winbox and SSH, plus I will need to understand the implications, which are not clear to me at this time. Apparently the specific UPnP rule for dstnat as shown above is not required.

Thanks for the feedback.

I do not use any bridges in my config. I like my VLANs; I have no intention of using bridges, except for EOIP sometime in the future. :smiley:

Thanks for the feedback …

There are two parts to make UPnP work. One is the actual forwarded ports; that’s what you deal with in the forward chain. But first you must allow devices to tell the router which ports it should forward, and that’s what you didn’t allow before.

Adding those devices to the “allowed_to_router” list is just a quick fix. If you don’t want to open anything more than absolutely necessary, make another list for UPnP clients and only allow them to access the UPnP control port(s). I don’t know the exact details off the top of my head; there was at least some http-like service, perhaps more. Ask Google.

Edit: I had to look myself and according to RouterOS manual, it should be 1900/udp and 2828/tcp. So allow that for your devices in input chain and it should work.

@Sob Thank You – great feedback.
The NAS worked but the XBOX and Apple Time Capsule did not work – I will no longer use that list for those UPnP devices — I will move to a new list that exploits your excellent suggestion on UPnP control ports – I just have to find out which control ports MikroTik implemented for its UPnP service. [EDIT] Thanks for finding the ports :slight_smile:

[EDIT] Just tested the control ports — it worked fine for all 3 devices.

Thank You @Sob — [EDIT] more tests and the XBOX now shows open — no need for any other rule — I really like the fact that it's restricted to the devices I identify in my list!

For those following this thread, I am posting my revised firewall rules that incorporate @Sob's excellent suggestion of using the UPnP control ports to enable UPnP devices to ACCESS the UPnP service.

/ip firewall filter add action=accept chain=input comment="INPUT Established, Related" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="INPUT Drop Invalid" connection-state=invalid log-prefix="invalid connection"
/ip firewall filter add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2d chain=input comment="INPUT Telnet Port Scans" dst-port=23 in-interface=ether1 protocol=tcp
/ip firewall filter add action=drop chain=input comment="INPUT DROP Rogue VPN Hosts" in-interface=ether1 log=yes log-prefix=rogue_vpn_hosts src-address-list=rogue_vpn_hosts
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1 log=yes log-prefix=who_is_this protocol=udp
/ip firewall filter add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
/ip firewall filter add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 1900 udp" dst-port=1900 log-prefix=UPnP protocol=udp src-address-list=UPnPdevices
/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 2828 tcp" dst-port=2828 log-prefix=UPnP protocol=tcp src-address-list=UPnPdevices
/ip firewall filter add action=accept chain=input comment="INPUT Allow to Router from address list" src-address-list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="INPUT ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="INPUT DROP ALL"
/ip firewall filter add action=accept chain=forward comment="FORWARD Accept in IPsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="FORWARD Accept out IPsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="FORWARD Accept FastTrack Established, Related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="FORWARD Accept Established, Related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop invalid" connection-state=invalid log-prefix=invalid
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
/ip firewall filter add action=accept chain=forward comment="FORWARD VLANs to WAN" in-interface-list=VLANs out-interface=ether1
/ip firewall filter add action=accept chain=forward comment="FORWARD Allow Access for AP's" src-address-list=access_points
/ip firewall filter add action=accept chain=forward comment="FORWARD ALLOW Linux station access to printers" dst-address-list=Printers src-address=192.168.40.50
/ip firewall filter add action=drop chain=forward comment="FORWARD Drop all"

Special note: I used only 2 INPUT rules, and all the devices identified in the LIST that use UPnP work to my satisfaction.
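As an added example (not part of the thread or of RouterOS), a small Python replay of the input chain that shows why the original rules dropped the UPnP control traffic and the revised ones accept it: it parses `/ip firewall filter add` lines, walks the chain top to bottom the way RouterOS does, and checks the two control ports @Sob identified (1900/udp, 2828/tcp). The rule sets are trimmed copies of the ones posted above; the packets, the `UPnPdevices` membership and the Winbox 8291/tcp check are constructed for the example.

```python
import shlex

# Input chains from the thread, trimmed to the rules that decide UPnP control traffic
# (comments, log options and the IPsec/telnet rules removed). Constructed for this example.
ORIGINAL_INPUT = """
/ip firewall filter add action=accept chain=input connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input connection-state=invalid
/ip firewall filter add action=accept chain=input src-address-list=allowed_to_router
/ip firewall filter add action=drop chain=input
"""
# Revised chain: the two UPnP control-port rules sit above the generic allow and the final drop.
REVISED_INPUT = """
/ip firewall filter add action=accept chain=input connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input connection-state=invalid
/ip firewall filter add action=accept chain=input dst-port=1900 protocol=udp src-address-list=UPnPdevices
/ip firewall filter add action=accept chain=input dst-port=2828 protocol=tcp src-address-list=UPnPdevices
/ip firewall filter add action=accept chain=input src-address-list=allowed_to_router
/ip firewall filter add action=drop chain=input
"""
NON_MATCHERS = {"action", "comment", "log", "log-prefix", "address-list", "address-list-timeout"}
TERMINATING = {"accept", "drop", "reject"}  # add-src-to-address-list etc. pass through

def parse_rules(text):
    """Turn '/ip firewall filter add k=v ...' lines into dicts; shlex keeps quoted values intact."""
    return [dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    """A rule matches when every matcher it names is satisfied; comma lists mean 'any of'."""
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        have = pkt.get(key)  # pkt uses the RouterOS matcher names as keys
        ok = have is not None and (want in have if key == "src-address-list" else have in want.split(","))
        if not ok:
            return False
    return True

def evaluate(rules, pkt):
    """Walk the packet's chain top to bottom like RouterOS; falling off the end means accept."""
    for rule in rules:
        if matches(rule, pkt) and rule["action"] in TERMINATING:
            return rule["action"]
    return "accept"

def upnp_control_reachable(rules, src_lists):
    """True only if both control ports named in the thread (1900/udp, 2828/tcp) reach the router."""
    return all(evaluate(rules, {"chain": "input", "protocol": proto, "dst-port": port,
                                "connection-state": "new", "src-address-list": src_lists}) == "accept"
               for proto, port in (("udp", "1900"), ("tcp", "2828")))
```

Run `upnp_control_reachable(parse_rules(ORIGINAL_INPUT), {"UPnPdevices"})` to see the original chain fall through to the final drop, and the same call on `REVISED_INPUT` to see the control ports accepted while a Winbox 8291/tcp attempt from the same list is still dropped.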