Hello everyone, I am using a hap ax3 device, v7.8 stable. There is a pcdn terminal that needs to use upnp to create firewall automatic forwarding entries. I directly interconnect it with the physical port and configure a /30 mask.
My network egress is an operator nat network segment starting with 100. I read in some places that upnp must be triggered by the public network, but when I use openwrt, upnp can be triggered correctly, and the network exit does not need to be a public network.
When I set an input entry of udp port 1900, I saw that my pcdn terminal sent a multicast message to hap ax3, but unfortunately there is no feedback in ax3.
Below is my upnp configuration for your review.

[@MikroTik] /ip/upnp> print
enabled: yes
allow-disable-external-interface: no
show-dummy-rule: yes
[@MikroTik] /ip/upnp> interfaces/
[@MikroTik] /ip/upnp/interfaces> print
Columns: INTERFACE, TYPE
# INTERFACE TYPE
0 Internet external
1 ether3 internal


Do I need to open other special ports in the firewall or is there any reason why upnp does not work? Is there any diagnostic command to see the logs about upnp?

Thank you everyone!

Hi, welcome to the forum

The internal interface must be "bridge", since all your LAN intefaces (including wireless and also ether3) are bridged together, at least by default

Hi, welcome to the forum

The internal interface must be "bridge", since all your LAN intefaces (including wireless and also ether3) are bridged together, at least by default

Hi，thank you for your reply.

I have disassembled the original bridge, and now eth3 is not joined to any bridge. And according to my own needs to re-plan the interface lists and firewall part.

If it has something to do with firewall policies, can you tell me which ports upnp needs to open on the firewall.

Best wish!

If it has something to do with firewall policies, can you tell me which ports upnp needs to open on the firewall.

udp port 1900
tcp port 2828

If it has something to do with firewall policies, can you tell me which ports upnp needs to open on the firewall.

udp port 1900
tcp port 2828

Thank you very much, I really didn't think it was actually related to the firewall.

In fact, I made a strict firewall policy to prohibit this pcdn from accessing other devices in my network, similar to the dmz area.

Of course, the input access to this area is also closed. I didn't expect it to be really related to the firewall.

I have another question, how to isolate the input traffic of upnp.

It seems that the destination address of this traffic is my network egress, and the inbound interface is my internet interface.

I want to only allow traffic input in dnat entries generated by upnp. I am currently using the following configuration, but this does not seem to take effect

4 ;;; pcdn-forward
chain=forward action=accept connection-nat-state=dstnat in-interface=Internet
out-interface=ether3 log=yes log-prefix="pcdn-in"

Dunno, but you may need to use "bridge" (or vlan) instead of "ether3". If ether3 is already a member of the bridge, it's a slave interface so it won't hit that firewall rule.

I have another question, how to isolate the input traffic of upnp.

yes you can restrict the trafic to only allow specific devices access to UPnP.
The way that I do it it 1st create an address list of permitted devices by their IP address
Then only allow UPnP interaction for those devices … I use 2 firewall rules to accomplish this. I am not in my lab right now but later will let you see the rules once i get back to my office.

Following is rules I use

/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 1900 udp" dst-port=1900 log-prefix=UPnP protocol=udp src-address-list=UPnPdevices
/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 2828 tcp" dst-port=2828 log-prefix=UPnP protocol=tcp src-address-list=UPnPdevices

Dunno, but you may need to use "bridge" (or vlan) instead of "ether3". If ether3 is already a member of the bridge, it's a slave interface so it won't hit that firewall rule.

I have detached eth3 from bridge, it is not in brdige.
But thanks for your reply!

I have another question, how to isolate the input traffic of upnp.

yes you can restrict the trafic to only allow specific devices access to UPnP.
The way that I do it it 1st create an address list of permitted devices by their IP address
Then only allow UPnP interaction for those devices … I use 2 firewall rules to accomplish this. I am not in my lab right now but later will let you see the rules once i get back to my office.

Following is rules I use

/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 1900 udp" dst-port=1900 log-prefix=UPnP protocol=udp src-address-list=UPnPdevices
/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 2828 tcp" dst-port=2828 log-prefix=UPnP protocol=tcp src-address-list=UPnPdevices

May be my usage scenario is different from upnp's regular usage scenario.

PCDN is a distributed CDN, which disperses CDN among home users.

I have only one ip address, and I need to meet my family's Internet needs while running pcdn, so I use Port Restricted Cone NAT.

This type of nat will prevent the outside from accessing the internal devices, and upnp is to open up the channel from the outside to the inside.

So what I want to ask is how to only allow dst-nat input traffic through upnp technology. My wan port theoretically rejects all input traffic.

In fact, the firewall policy above can meet my needs. Last night, because the traffic was too small, I mistakenly thought that the policy did not take effect.

Thank you very much, the purpose of my reply to this paragraph is to let other people with the same needs know the solution after seeing the post.

Best Regards!

If it has something to do with firewall policies, can you tell me which ports upnp needs to open on the firewall.

udp port 1900
tcp port 2828

Do I open these ports on the input chain? And the ports are "destination port"?

udp port 1900
tcp port 2828

Do I open these ports on the input chain? And the ports are "destination port"?

Normally the default "accept on input from LAN list" rule would cover uPnP negotiation. But if you had a more custom firewall, say VLANs, you'd need to allow those port on "input" to router. But these ports should NOT be exposed to the internet, only local LANs/VLANs. The uPnP "server" on the Mikrotik will add DYNAMIC rules as need by uPnP clients on the local network(s) (e.g. gaming console/things).

When enabling uPnP, make sure pick the right interface for "internal" (e.g. if you have VLANs, you need to add them if you want them to use uPnP). And you WAN / internet should be marked as "external".

Do I open these ports on the input chain? And the ports are "destination port"?

Normally the default "accept on input from LAN list" rule would cover uPnP negotiation. But if you had a more custom firewall, say VLANs, you'd need to allow those port on "input" to router. But these ports should NOT be exposed to the internet, only local LANs/VLANs. The uPnP "server" on the Mikrotik will add DYNAMIC rules as need by uPnP clients on the local network(s) (e.g. gaming console/things).

When enabling uPnP, make sure pick the right interface for "internal" (e.g. if you have VLANs, you need to add them if you want them to use uPnP). And you WAN / internet should be marked as "external".

Thanks, you saved me from opening those ports to the internet. I do have an accept all from LAN rule so I think the answer is that they broke uPnP in the latest stable ROS because it was working before.