OVERVIEW
RB4011 running ROS 7.8.
Gaming Console that requires open ports for internet related gaming features.
Gaming Console (with static IP) on its own network VLAN90, connected directly to RB4011 ether3 (untagged port, PVID90).
GOAL
Provide necessary open ports for Gaming Console, with as little impact on overall network security as possible.
DISCUSSION
I've used manually added static NAT rules in the past, which satisfied the Gaming Console. However, I noticed when I did an external port scan of the RB4011, it would show the NAT'ed ports as "no response" instead of the desired status "Stealth".
Have considered UPnP in the past, but read many bad things about it, including certain router vendors' poor implementation of the protocol, and also the fact that one device within the network could start punching firewall holes for other devices in the same network.
So my question:
Is MikroTik's implementation of UPnP solid?
Would security be acceptable if UPnP was enabled only for the VLAN interface of the Gaming Console? (e.g. UPnP couldn't affect any other LANs if the Gaming Console was compromised)
I'm thinking:
/ip upnp
set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=VLAN90 type=internal
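The scoped UPnP setup sketched above, extended with the firewall rules that keep the router's UPnP service reachable only from the console VLAN and with the command that lists every mapping UPnP has opened. This is an added example, not part of the original post. It assumes the interface names from the post (ether1 as WAN, VLAN90 as the console VLAN) and a default-style RouterOS firewall whose final input rule drops everything not explicitly accepted; the ports are the ones the RouterOS UPnP service listens on (TCP 2828 for control, UDP 1900 for SSDP discovery).

```routeros
# Added example, not the original poster's configuration.
# Assumes: ether1 = WAN, VLAN90 = console VLAN, and a default-style input
# chain that ends in a drop-everything rule.

# 1. Enable UPnP, but never let a client disable the WAN interface.
/ip upnp
set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes

# 2. Scope UPnP to exactly one internal interface: only clients on VLAN90
#    can request port mappings; the other LANs have no UPnP control point.
/ip upnp interfaces
add interface=ether1 type=external
add interface=VLAN90 type=internal

# 3. Make the scoping explicit on the router's own input chain: the UPnP
#    control service (TCP 2828) and SSDP discovery (UDP 1900) are accepted
#    only from VLAN90 and dropped from every other interface, WAN included.
#    'add' appends at the end of the chain, so move these four rules above
#    the final drop rule afterwards (/ip firewall filter move).
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=2828 in-interface=VLAN90 \
    comment="UPnP control from console VLAN only"
add chain=input action=accept protocol=udp dst-port=1900 in-interface=VLAN90 \
    comment="SSDP discovery from console VLAN only"
add chain=input action=drop protocol=tcp dst-port=2828 in-interface=!VLAN90 \
    comment="UPnP control from anywhere else"
add chain=input action=drop protocol=udp dst-port=1900 in-interface=!VLAN90 \
    comment="SSDP from anywhere else"

# 4. Audit: mappings requested over UPnP appear as dynamic NAT rules, so this
#    lists exactly which external ports are open right now and to which host.
/ip firewall nat print where dynamic=yes
```

The two drop rules are redundant with a default-deny input chain, but they document the intended scope and keep it intact if the chain is edited later. The audit command is the one to run once the console has been online for a while: anything it obtained through UPnP shows up there, and nothing else on the network can add to that list because no other interface is registered as internal.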