Good day, Mikrotik devs and users.
I use RouterOS at the core of my network as it seems to be the most intuitive and effective router platform I've found, allowing me better control for my limited knowledge, especially in my case where I have a dual-wan PPPoE setup (route splitting, not bonding) and must do connection and packet marking in order to serve traffic in and out of the local network properly. So first a word of thanks for creating such a great product.
One great improvement that I've noticed since 6.x of RouterOS is that in many places we can now select "all-ppp" in cases where we want to apply some rule to all ppp interfaces without duplicating the rules for each interface. This is extremely helpful for me, especially when creating firewall NAT rules, and seems completely safe if you know what you are doing.
A significant drawback that I've recently come across, however, is the lack of such support when it comes to RouterOS's UPnP implementation (in fact this seems to be a general UPnP limitation which nobody has ever bothered to resolve). The problem is that UPnP only seems to work for one WAN/external interface, even though it is 'deceptively' POSSIBLE to add multiple external interfaces to the UPnP instance via ip->upnp in winbox/terminal. One can even specify 0.0.0.0 as the external IP, and the rule will be created as such... however, it does not bind properly to all the PPP interfaces and simply does not work as expected. In fact it seems completely useless that multiple external interfaces can be added to the UPnP instance if adding them seems to have literally no effect. If multi-wan support is not going to happen, then perhaps we should be presented with an error alert instead of it being possible to assign them. There may be a glimmer of hope regarding this, with pfSense, but this is obviously not going to solve the problem for Mtik users. Perhaps Mikrotik can now become a clear exception and be on the forefront of this as well?
With p2p on the rise, and modern-day applications such as Skype showing up more and more on mobile devices like phones and tablets, it is becoming very painstaking and impractical to manually maintain port forwards for these sorts of applications, as devices' MAC addresses change frequently and on semi-public networks, new devices may come in all the time and then maintaining manual rules becomes an impossibility! UPnP was created as an ideal solution for this, but has never evolved and is now extremely handicapped by the fact that it still only supports a single WAN.
Since all UPnP really seems to do is inform the network of its presence, listen for applications' requests for an open port, and then set up a temporary rule for that, one would expect that it should be relatively easy to modify the type of rule that it creates to some greater degree than right now. At the moment it creates a dst-nat rule, by dst-address IP, and does not bind to an interface, and there appears to be no way of changing that behaviour.
Furthermore, there is no control over where these dynamic dst-nat rules will appear in the firewall table... In my case, they fall underneath a DMZ rule, and thus go ignored unless I disable the DMZ rule. Is there any way to make the UPnP rules take preference over the DMZ rule? I would like a DMZ rule only as a last resort after other port-forwards are considered, and I can't seem to find a way to do this in RouterOS.
In searching, I've come across a few similar posts on these forums where users ask for help with multi-WAN UPnP, and nobody has found a solution. With all the PPP changes being pushed for v6.8/6.9 right now, wouldn't this be a perfect time to give UPnP a bit of a face-lift into the 21st century too, which will make it far more appealing and useful for dynamic port forwarding applications which seem to be on the rise now more than ever?