Had a query and wondered if anyone else had encountered this and might have a suggestion / solution.
I’ve use UPnP on some customer facing routers to allow devices like xboxes, playstations etc to perform port mapping and get online. As part of this I’ve always added some dst-nat action=accept rules that prevent any router ports we use from being accidentally mapped by UPnP to internal users (21,22,23,80,443,8291,1812,1813 etc).
This however presents a problem for the UPnP enabled devices. If a device/service maps port 80 and is told by UPnP that this mapping has succeeded, then it expects that the port forward should be setup and working even though my static rules (which sit above the dynamic rules created by UPnP) aren’t allowing them to.
Additionally; in the event there is a static port forward on the router for something like UDP/3074 (for an xbox) and another xbox is connected; it won’t know about this and still try and map and use the port; while if both xboxes are simply using UPnP the first one will get 3074, the second will see that it is in use and pick another port (normally a random high port).
Which brings me to my question: Is there a way to make certain UPnP port mappings unavailable via MikroTik? I’ve tried creating static rules, drop rules; all of them work but there doesn’t seem to be any coherence between UPnP and the port forwards already in place; so it will try and double up on them.
Lastly, the why: Why not just have each device use UPnP and don’t use the port forwards? For starters as mentioned above; I need to be able to protect the router ports from being forward to an internal user. Secondly the basis behind this requirement is that some users are behind a second router on a private network; essentially creating a double-nat situation that I’d like to be able to address programatically. If I could check for UPnP mappings on routers onsite and block ports that are already in use; this would allow for multiple console devices to be connected and map ports through from the core device all the way back to the users console; allowing them open NAT connectivity with no additional configuration on their end.
I have decided to disable upnp and I do the port mappings manually when really necessary. Only by this approach I have the control over it. I see very dangerous to let any application on whatever device in the network to open a hole inside on its own. But maybe you don’t care.
That is true but in this case the reason for using UPnP is simply due to lack of public IPv4 resources; we want users to be able to map public ports into their local routers for consoles and even to be able to temporarily host their own services if they want.
MikroTik can’t do CGNAT yet though so until such time we’re stuck trying to make this work
That’s fine for services on those ports but the problem I’m running into is like this; say I have 4 users with Xbox’s on a site; each behind their own router which is in turn behind the core router. Normally if they had public IP addresses on the router a simple UPnP port map for UDP/3074 gets them open NAT and access to join any game server through Xbox live.
Now compare this to the setup available, where even if they use UPnP they only get port 3074 mapped locally; and me mapping port 3074 locally to one of them means all the others lose out.
Don’t forget that, if available on your customer’s network/ISP, IPv6 eliminates the need for NAT/UPnP. If addresses are available, configuring IPv6 will completely get around the NAT port-sharing issue (solved it for me on my just-purchased CCR Routerboard–no more strict NAT).
hello good night, also made a topic about UPnP and read your interesting thought. really would otimo the possibility of creating a reserve of doors not to be used by UPnP and the possibility of intelligent use of another port if one is already in use by another rule.
