Hi Guys,
Had a query and wondered if anyone else had encountered this and might have a suggestion / solution.
I've used UPnP on some customer-facing routers to allow devices like Xboxes, PlayStations, etc. to perform port mapping and get online. As part of this I've always added some dst-nat action=accept rules that prevent any router ports we use from being accidentally mapped by UPnP to internal users (21, 22, 23, 80, 443, 8291, 1812, 1813, etc.).
This, however, presents a problem for the UPnP-enabled devices. If a device/service maps port 80 and is told by UPnP that this mapping has succeeded, then it expects the port forward to be set up and working, even though my static rules (which sit above the dynamic rules created by UPnP) aren't allowing it.
Additionally, in the event there is a static port forward on the router for something like UDP/3074 (for an Xbox) and another Xbox is connected, it won't know about this and will still try to map and use the port; whereas if both Xboxes are simply using UPnP, the first one will get 3074 and the second will see that it is in use and pick another port (normally a random high port).
Which brings me to my question: is there a way to make certain UPnP port mappings unavailable on MikroTik? I've tried creating static rules and drop rules; all of them *work*, but there doesn't seem to be any coherence between UPnP and the port forwards already in place, so it will try to double up on them.
Lastly, the why: why not just have each device use UPnP and not use the port forwards? For starters, as mentioned above, I need to be able to protect the router ports from being forwarded to an internal user. Secondly, the basis behind this requirement is that some users are behind a second router on a private network, essentially creating a double-NAT situation that I'd like to be able to address programmatically. If I could check for UPnP mappings on routers on site and block ports that are already in use, this would allow multiple console devices to be connected and map ports through from the core device all the way back to the user's console, allowing them open NAT connectivity with no additional configuration on their end.
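For anyone reading along, here is an added illustration (not part of the original post, and not a fix for the question asked) of roughly what the setup described above looks like in the RouterOS CLI. The interface names ether1/bridge, the console address 192.168.88.50, and the split of the listed ports into TCP and UDP are assumptions for the example only.

```routeros
# Added example, not from the original post. ether1 = WAN, bridge = LAN,
# 192.168.88.50 = a console on the LAN; all three are placeholders.

# 1. UPnP itself: the WAN side is "external", the LAN side "internal".
/ip upnp set enabled=yes
/ip upnp interfaces add interface=ether1 type=external
/ip upnp interfaces add interface=bridge type=internal

# 2. Static protection rules of the kind the post describes. action=accept in
#    the dstnat chain ends NAT processing for that packet, so a dynamic
#    UPnP-created dst-nat rule further down for the same port never fires.
#    place-before=0 pins each rule to the top of the chain.
#    (TCP/UDP split below is assumed; the post only lists the port numbers.)
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=21,22,23,80,443,8291 action=accept place-before=0 comment="keep router TCP services off UPnP mappings"
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=1812,1813 action=accept place-before=0 comment="keep RADIUS ports off UPnP mappings"

# 3. A static forward like the UDP/3074 one mentioned in the post. UPnP does
#    not consult this rule, so a second console can still request UDP/3074 and
#    be told the mapping succeeded.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=3074 action=dst-nat to-addresses=192.168.88.50 to-ports=3074 comment="static Xbox forward"
```

One caveat worth keeping in mind with this layout: the accept rules only stop the translation. Whether the router's own service on 22, 80, 8291, etc. is reachable from the WAN side is decided separately by the filter input chain, which still needs its own drop or source-restriction rules; the dstnat accept rules do not provide that protection on their own.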