Upnp is not enabled.
My config is:
# jan/05/2021 08:42:19 by RouterOS 6.47.3
# software id = NPE3-YMYE
#
# model = RB760iGS
# serial number = xxxxxxxx
/interface bridge
add admin-mac=C4:AD:34:xx:xx:xx arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ovpn-client
add certificate="United States-New York-TCP.ovpn_1" cipher=aes256 connect-to=\
usny2-ovpn-tcp.dns2use.com disabled=yes mac-address=02:31:3E:87:2A:E7 \
name=ovpn-out1 user=
xxx@yyy.com
/interface pptp-client
add allow=mschap1,mschap2 connect-to=caq1.dns2use.com dial-on-demand=yes \
disabled=no name="Torrent pptp-out1" user=
xxx@yyy.com
/interface vlan
add interface=sfp1 name=vlan4 vlan-id=4
add interface=sfp1 name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall layer7-protocol
add name=Bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp1 ranges=10.1.1.101-10.1.1.199
add name=dhcp_VLAN4pool ranges=10.1.4.101-10.1.4.199
add name=dhcp_VLAN100pool ranges=10.1.100.101-10.1.100.199
add name=L2TP-pool ranges=10.1.1.240-10.1.1.254
/ip dhcp-server
add address-pool=dhcp1 disabled=no interface=bridge name=defconf
add address-pool=dhcp_VLAN100pool disabled=no interface=vlan100 name=dhcp100
add address-pool=dhcp_VLAN4pool disabled=no interface=vlan4 name=dhcp4
/port
set 0 name=serial0
/ppp profile
add local-address=10.1.1.1 name=Profile-L2TP remote-address=L2TP-pool \
use-encryption=required
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge disabled=yes interface=ether1
add interface=vlan100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=Profile-L2TP enabled=yes \
one-session-per-host=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.1.1.1/24 comment=defconf interface=bridge network=10.1.1.0
add address=10.1.4.1/24 interface=vlan4 network=10.1.4.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
/ip dhcp-client
add comment=defconf interface=ether2 use-peer-dns=no
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.1.1.20 client-id=1:e8:fc:af:e5:f4:88 mac-address=\
E8:FC:AF:E5:F4:88 server=defconf
add address=10.1.1.3 client-id=1:b0:95:75:15:ac:60 mac-address=\
B0:95:75:15:AC:60 server=defconf
add address=10.1.1.19 client-id=1:28:c6:8e:36:1d:be mac-address=\
28:C6:8E:36:1D:BE server=defconf
add address=10.1.1.110 client-id=1:60:f1:89:1b:2d:29 mac-address=\
60:F1:89:1B:2D:29 server=defconf
add address=10.1.100.98 client-id=1:c:8b:fd:cc:51:f0 mac-address=\
0C:8B:FD:CC:51:F0 server=dhcp100
add address=10.1.1.13 mac-address=08:00:37:A9:DB:79 server=defconf
add address=10.1.1.4 client-id="Netgear POE switch" comment=\
"Netgear POE switch" mac-address=38:94:ED:A9:60:16 server=defconf
add address=10.1.100.21 client-id=1:8:ed:ed:89:13:c7 mac-address=\
08:ED:ED:89:13:C7 server=dhcp100
add address=10.1.100.22 client-id=1:8:ed:ed:6d:66:46 mac-address=\
08:ED:ED:6D:66:46 server=dhcp100
add address=10.1.100.25 client-id=1:8:ed:ed:89:13:c9 mac-address=\
08:ED:ED:89:13:C9 server=dhcp100
add address=10.1.100.24 client-id=1:a0:bd:1d:d5:73:d9 mac-address=\
A0:BD:1D:D5:73:D9 server=dhcp100
add address=10.1.100.250 client-id=1:88:dc:96:49:8e:ef mac-address=\
88:DC:96:49:8E:EF server=dhcp100
add address=10.1.100.23 client-id=1:8:ed:ed:19:3c:55 mac-address=\
08:ED:ED:19:3C:55 server=dhcp100
add address=10.1.100.26 client-id=1:8:ed:ed:d6:f7:9e mac-address=\
08:ED:ED:D6:F7:9E server=dhcp100
add address=10.1.100.31 client-id=1:c:8c:24:a1:c8:3c mac-address=\
0C:8C:24:A1:C8:3C server=dhcp100
add address=10.1.1.10 client-id=1:0:23:24:5e:4a:fb comment="NVR System" \
mac-address=00:23:24:5E:4A:FB server=defconf
add address=10.1.1.30 client-id=1:cc:98:8b:46:83:57 comment=\
"TV1 ethernet - lounge" mac-address=CC:98:8B:46:83:57 server=defconf
add address=10.1.1.33 client-id=1:ac:d5:64:74:8a:43 comment=\
"TV2 wifi - Theatre room" mac-address=AC:D5:64:74:8A:43 server=defconf
add address=10.1.4.168 comment="Eccowit weather" mac-address=\
DC:4F:22:59:19:F7 server=dhcp4
add address=10.1.4.2 mac-address=00:04:F3:13:86:34 server=dhcp4
add address=10.1.1.99 client-id=1:c:8b:fd:cc:51:f0 comment="Asus wifi static" \
mac-address=0C:8B:FD:CC:51:F0 server=defconf
add address=10.1.1.21 client-id=1:0:11:32:c9:e7:a0 comment=AttungaNAS \
mac-address=00:11:32:C9:E7:A0 server=defconf
add address=10.1.100.33 client-id=1:74:ee:2a:37:95:74 comment=\
"Autens V380 Pro" mac-address=74:EE:2A:37:95:74 server=dhcp100
add address=10.1.1.83 client-id=1:22:15:af:dd:98:4 mac-address=\
22:15:AF:DD:98:04 server=defconf
add address=10.1.1.82 client-id=1:fe:b3:f1:2:86:25 mac-address=\
FE:B3:F1:02:86:25 server=defconf
add address=10.1.1.81 client-id=1:78:4f:43:88:62:72 mac-address=\
78:4F:43:88:62:72 server=defconf
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.1 netmask=24
add address=10.1.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.4.1
add address=10.1.100.0/24 gateway=10.1.100.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/ip dns static
add address=10.1.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.1.1.99 disabled=yes list="traffic to go to vpn"
add address=usny1.dns2use.com list=VPNservers
add address=ukm1.dns2use.com list=VPNservers
add address=caq1.dns2use.com list=VPNservers
add address=de1.dns2use.com list=VPNservers
add address=64.90.202.69 list=idrive-servers
add address=64.90.202.70 list=idrive-servers
add address=148.66.234.47 list=idrive-servers
add address=148.66.234.51 list=idrive-servers
add address=173.255.7.235 list=idrive-servers
add address=evsns19.idrive.com list=idrive-servers
add address=vleu-be1.dns2use.com list=VPNservers
/ip firewall filter
add action=drop chain=forward connection-state=!established dst-port=123 \
in-interface-list=WAN log=yes log-prefix="WAN to NTP" protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN log=yes \
log-prefix="WAN to **DNS**" protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes \
log-prefix="WAN input to **DNS**" protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
disabled=yes in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
disabled=yes in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix="not from LAN"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"prevent vlan100 (ipcameras) from accessing internet" disabled=yes \
in-interface=vlan100 out-interface-list=WAN src-address=!10.1.100.10
add action=accept chain=forward disabled=yes dst-address=10.1.100.0/24 \
src-address=10.1.1.0/24
add action=accept chain=forward disabled=yes dst-address=10.1.1.10 \
src-address=10.1.100.0/24
add action=drop chain=forward in-interface=vlan100 log=yes log-prefix=\
"vlan 100 dropped"
add action=drop chain=forward in-interface=all-vlan out-interface-list=!WAN
add action=accept chain=forward dst-address=10.1.1.21 dst-port=123 log=yes \
log-prefix="Time query" protocol=udp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
/ip firewall mangle
add action=mark-routing chain=prerouting comment="direct Asus laptop to VPN" \
disabled=yes dst-address-list=!idrive-servers new-routing-mark=for-vpn \
passthrough=yes src-address=10.1.1.99
add action=mark-routing chain=prerouting comment="direct NVR to VPN" \
disabled=yes dst-address-list=!idrive-servers new-routing-mark=for-vpn \
passthrough=yes src-address=10.1.1.10
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# no interface
add action=masquerade chain=srcnat out-interface=*E
add action=dst-nat chain=dstnat dst-port=10443 in-interface=ether1 protocol=\
tcp to-addresses=10.1.100.10 to-ports=10443
add action=dst-nat chain=dstnat dst-port=20008 in-interface=ether1 protocol=\
tcp to-addresses=10.1.1.20 to-ports=80
/ip route
add distance=1 gateway="Torrent pptp-out1" routing-mark=for-vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.1.1.0/24
set ssh disabled=yes
set www-ssl address=10.1.1.0/24 disabled=no
set api disabled=yes
set winbox address=10.1.1.0/24,10.1.100.99/32,10.1.4.99/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=xxx profile=Profile-L2TP service=l2tp
add name=yyy profile=Profile-L2TP service=l2tp
/system clock
set time-zone-name=Australia/Sydney
/system logging
add action=remote topics=critical,info,error,warning,ppp
/system ntp client
set enabled=yes server-dns-names=au.pool.ntp.org,oceania.pool.ntp.org
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no