I've had my MT router running for over a month and it's UPnP enabled. Sometimes client devices make a UPnP request then they reboot or crash or disconnect or whatever before requesting the entry to be removed. My DST-NAT now has over 250 entries from just 3 PCs, the majority of which are useless since the application that requested them is no longer running. I can see this becoming an issue the longer I leave the device on, the more stale UPnP entries are going to build up.

Is there any way to set a timeout or other way to automatically remove these other than rebooting the device?

I'd like the answer to this myself...

I know you can highlight and remove the dynamic entries, but there has to be an easier way... script?



Surely someone must know...

I know these can be removed manually... anyone write a script for this?

bump

I was thinking along the lines of a script running with scheduler... anyone?

+1 for a timeout option or script!

Time for another bump...


Of course a script would be lovely.

How about a "script" for turning UPnP off and on every night to clear it ?

How about a "script" for turning UPnP off and on every night to clear it ?

A kill and restart script is what I had thought of at first, it seems to work really well on other open source platforms. There has to be some decent way to do this in RouterOS.

Yes, http://forum.mikrotik.com/viewtopic.php?f=1&t=56529

I think the example - tomato tries to do it beautifully.

People's reactions from RouterBOARDs is "beautiful" and I'd like to get some of those good feelings for my tech soul as well.

MikroTik staff, any plans for UPnP ?

BTW, a prime example of this is the Xbox360 vs. PS3. PS3 opens a upnp port in the NAT table, but when you shut the machine off it released the dhcp address and closes the port. The Xbox360 does not. It opens 3074UDP upon logging into LIVE and never closes it when turning the box off. To remove the port forward you have to remove it manually.

Disclaimer: I don't use UPnP.

If you have tested that disabling and re-enabling UPnP actually flushes rules this is trivial: Schedule that, and you're done.

If that doesn't actually flush rules you could try this: I'd assume that UPnP creates dynamic NAT rules. If that is correct, you can delete all dynamic NAT rules: This could interact weirdly with other things that create dynamic NAT rules though - it would be a very bad idea to run that on a router that also is a Hotspot.

Thank you, fewi!

Yes, you are correct inasmuch as UPnP creates dynamic NAT rules. I do think you're onto something with the second script line you wrote. What is being thought of, however, is some sort of pass/fail scripting.

For instance, UPnP opens a dynamic NAT rule of udp3074. Machine that created the rule is shut down, but the nat rule remains in place. Script would run (scheduler) and check for "the last time any packets came through this rule," or "last time any activity occurred on this rule" and, by way of user defined settings, either remove the dynamic rule or leave it open.

The tomato firmware does something to this effect with upnp and natpmp. Settings such as "cleaning interval (time)" and "number of entries left open before cleaning is even attempted" and so on.

Disclaimer: I don't use UPnP.

If you have tested that disabling and re-enabling UPnP actually flushes rules this is trivial:

Code: Select all

/ip upnp set enabled=no; /ip upnp set enabled=yes;

Schedule that, and you're done.

If that doesn't actually flush rules you could try this: I'd assume that UPnP creates dynamic NAT rules. If that is correct, you can delete all dynamic NAT rules:

Code: Select all

/ip firewall nat { remove [find where dynamic] };

This could interact weirdly with other things that create dynamic NAT rules though - it would be a very bad idea to run that on a router that also is a Hotspot.

Ah. Well, you can access the the connection table via "/ip firewall connection", access the dynamic rules and extract the ports used by them, and then look for connections in the connection table by that port. I doubt that you can determine when a rule was last used without some rather complex logic in the built in scripting language, though. Good luck!

This is what I use lately:

Thank you as well, NP!

I assume if you've been using this for a while, you can verify that it does clean out the dynamic NAT forwards...

This is what I use lately:

Code: Select all

/system scheduler add interval=1d name=resetUPnP on-event="/ip upnp set enabled=no;\r\
    \n/delay 3000ms;\r\
    \n/ip upnp set enabled=yes;" start-time=04:30:00

It probably cleans them just fine, but it's a bit of a brute force approach: it'll also clear forwarding rules that are still active. So if the device/app that requested the UPnP hole be punched is still active you're dragging it out from under its feet. How it handles that would depend on the device/app.

I think Skype needed to be restarted to re-estabilsh UPnP