Just wondering if anyone can tell me if there is any support for NAT-PMP available on RouterOS current or Beta?

For those who aren't in the know..

NAT Port Mapping Protocol (NAT-PMP) is an Internet Engineering Task Force Internet Draft, introduced by Apple Computer as an alternative to the more common Internet Gateway Device (IGD) protocol implemented in many network address translation (NAT) routers. It was introduced in June 2005. NAT-PMP allows a computer in a private network (behind a NAT router) to automatically configure the router to allow parties outside the private network to contact itself. NAT-PMP runs over UDP. It essentially automates the process of port forwarding.

Shortened form: Its a UPnP equivalent for Apple devices.

As far as I am aware MT doesn't support uPNP. Even if it did I would disable it, like many "ease of use" protocols it is highly insecure.

Imagine a PC on your network gets infected with a virus which then uses uPNP to open up your Firewall to other traffic, very quickly your Firewall will be like a Swiss cheese (full of holes!! ).

Whilst manually entering Port Forwarding details can be a chore, I would far rather do this and be able to know/control what services are being piped through the Firewall.

I believe MT supports "port knocking", this allows a connection on a port to be established which causes a second linked port to be opened. This works OK for manual connections or where you develop your own software, but usually isn't useful for most other software.

Just FYI the Mt does support UPnP and this isn't for any sort of home firewall, this is handling about 300+ users that have every different need under the sun.. by the time I put in port allowances for each and everyone of them, I'd either have bleeding fingers or the firewall would be swiss cheese anyway. Least this way the UPnP makes it their problem if they get a virus.

That and we put a TCP connection limit per user so viruses and such don't have so much of an impact.

Just noticed I sounded a little rude there. Sorry for any offence caused.

Hi there

Has anyone got UPnP to work properly over more than one hob?

The device I would like to test has to pass 5 hobs.

I have enabled UPnP on all the hobs, specified the external interfaces and also the internal interfaces which are needed.

I used a P2P package called ShareAZA, which has some sort of UPnP wizard. ShareAZA told me it couldn't configure my UPnP device, so I should enable port forwarding manually. I can get it to work this way, but the reason for the excersize is to get UPnP to work.

I only have masquerading on my router connected to the internet. I use PPPoE on the bandwidth MT's for internet connection.

Is there anything obvious I should know?

Any help would be appreciated!

EDIT

I forgot to mention that no dynamic was created by UPnP.

hobs? I'm assuming you either mean "hubs" or "hops"?

Just make sure you set the Private interface as the internal Upnp interface and the Public as the external.
So long as you allow high ports 1025-65535 then upnp should be able to punch a hole through.

Check under the nat rules and look for dynamic nat rules (which will be the Upnp rules)

Could someone at mikrotik just confirm for me how long these rules stay for, for example on an adsl router they often timeout after a couple of hours and let the program recreate them, whereas on the mikrotik box they appear to just stay until I delete them or restart, not that there's too many of them currently but it could cause an issue in the future.

Thanks