I’ve had my MT router running for over a month and it’s UPnP enabled. Sometimes client devices make a UPnP request then they reboot or crash or disconnect or whatever before requesting the entry to be removed. My DST-NAT now has over 250 entries from just 3 PCs, the majority of which are useless since the application that requested them is no longer running. I can see this becoming an issue the longer I leave the device on, the more stale UPnP entries are going to build up.
Is there any way to set a timeout or other way to automatically remove these other than rebooting the device?
A kill and restart script is what I had thought of at first, it seems to work really well on other open source platforms. There has to be some decent way to do this in RouterOS.
BTW, a prime example of this is the Xbox360 vs. PS3. PS3 opens a UPnP port in the NAT table, but when you shut the machine off it releases the DHCP address and closes the port. The Xbox360 does not. It opens 3074/UDP upon logging into LIVE and never closes it when turning the box off. To remove the port forward you have to remove it manually.
If you have tested that disabling and re-enabling UPnP actually flushes rules this is trivial:
/ip upnp set enabled=no; /ip upnp set enabled=yes;
Schedule that, and you’re done.
If that doesn’t actually flush rules you could try this: I’d assume that UPnP creates dynamic NAT rules. If that is correct, you can delete all dynamic NAT rules:
/ip firewall nat { remove [find where dynamic] };
This could interact weirdly with other things that create dynamic NAT rules though - it would be a very bad idea to run that on a router that also is a Hotspot.
Yes, you are correct inasmuch as UPnP creates dynamic NAT rules. I do think you’re onto something with the second script line you wrote. What is being thought of, however, is some sort of pass/fail scripting.
For instance, UPnP opens a dynamic NAT rule for udp/3074. The machine that created the rule is shut down, but the NAT rule remains in place. The script would run (scheduler) and check for “the last time any packets came through this rule,” or “last time any activity occurred on this rule” and, by way of user defined settings, either remove the dynamic rule or leave it open.
The tomato firmware does something to this effect with upnp and natpmp. Settings such as “cleaning interval (time)” and “number of entries left open before cleaning is even attempted” and so on.
Ah. Well, you can access the connection table via “/ip firewall connection”, access the dynamic rules and extract the ports used by them, and then look for connections in the connection table by that port. I doubt that you can determine when a rule was last used without some rather complex logic in the built in scripting language, though. Good luck!
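Putting the two suggestions together (a cleaning threshold like tomato's, plus "only remove rules with no matching connection"), here is an added example script that is not from the thread or from MikroTik; it is meant to be saved under /system script and run from /system scheduler. It assumes RouterOS v6 syntax, that UPnP rules show up as dynamic dst-nat rules with a single dst-port, and that a connection entry's dst-address is the pre-NAT "ip:port" string (my reading of the connection table, not something confirmed above).

```routeros
# Added example (not from the thread): prune dynamic dst-nat rules (the UPnP ones)
# that have no live entry in the connection table. Assumes RouterOS v6 syntax,
# single-port UPnP rules, and that a connection's dst-address is "ip:port" pre-NAT.
:local dryRun true
:local minEntries 50
:local rules [/ip firewall nat find where dynamic=yes and action=dst-nat]
# Like tomato's "entries before cleaning": do nothing until the table is big enough
:if ([:len $rules] < $minEntries) do={
    :log info ("upnp-prune: only " . [:len $rules] . " dynamic rules, skipping")
} else={
    :local removed 0
    :foreach r in=$rules do={
        :local proto [/ip firewall nat get $r protocol]
        :local port  [/ip firewall nat get $r dst-port]
        :local dest  [/ip firewall nat get $r to-addresses]
        # Any tracked connection whose original destination port matches this rule
        # counts as activity; "\$" is a literal regex end anchor in a RouterOS string
        :local live [:len [/ip firewall connection find where protocol=$proto and dst-address~(":" . $port . "\$")]]
        :if ($live = 0) do={
            :if ($dryRun) do={
                :log info ("upnp-prune: would remove " . $proto . "/" . $port . " -> " . $dest)
            } else={
                /ip firewall nat remove $r
                :set removed ($removed + 1)
            }
        } else={
            :log debug ("upnp-prune: keeping " . $proto . "/" . $port . " (" . $live . " live connections)")
        }
    }
    :log info ("upnp-prune: removed " . $removed . " stale UPnP rules")
}
```

UDP connection-tracking entries expire after a short idle period, so a rule that is wanted but quiet (an idle game console) can still be pruned; the dryRun flag and the minEntries threshold are there to tune that against your own log output before you schedule it for real.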
It probably cleans them just fine, but it’s a bit of a brute force approach: it’ll also clear forwarding rules that are still active. So if the device/app that requested the UPnP hole be punched is still active you’re dragging it out from under its feet. How it handles that would depend on the device/app.