UPnP & NAT-PMP

Universal Plug and Play (UPnP) and NAT Port Mapping Protocol (NAT-PMP) are network services which allow software and devices to configure each other when attaching to a network. This includes automatically creating dynamic NAT port forwards and associated firewall rules.

The UPnP and NAT-PMP service, located at Services > UPnP & NAT-PMP, enables client PCs and other devices such as game consoles to automatically allow required inbound traffic and can account for outbound NAT on traffic using the same ports. There are many popular programs and platforms which support UPnP such as Torrent clients, Steam/Steam Deck, Nintendo consoles, PlayStation consoles, XBox consoles, video conferencing apps, and more. NAT-PMP is supported primarily by Apple products.

See also

For advice on specific consoles and games, see Configuring pfSense Software for Online Gaming.

UPnP employs the Simple Service Discovery Protocol (SSDP) for network discovery, which uses UDP port 1900. The UPnP daemon used by pfSense® software, miniupnpd, also uses TCP port 2189. When using a strict LAN ruleset, manually add firewall rules to allow access to these services, especially if the default LAN-to-any rule has been removed, or in bridged configurations. NAT-PMP is also handled by miniupnpd and uses UDP port 5351.

UPnP & NAT-PMP and IPv6

As of this writing, the UPnP and NAT-PMP service on current versions of pfSense software supports IPv6, but client support is still rare.

Note

IPv6 UPnP client traffic will almost always require manual rules to pass. Clients are likely to use a link-local source going to a multicast destination, which is not covered by the default interface rules.

Security Concerns

UPnP and NAT-PMP are a classic example of the “Security vs. Convenience” trade-off. By their very nature, these services are insecure. Any program on the network can allow in and forward any traffic – a potential security nightmare. On the other side, it can be a chore to enter and maintain NAT port forwards and their associated rules, especially when it comes to game consoles. There is a lot of guesswork and research involved to find the proper ports and settings, but UPnP just works and requires little administrative effort. Manual port forwards to accommodate these scenarios tend to be overly permissive, potentially exposing services that should not be open from the Internet. The port forwards are also always on, where UPnP may be temporary.

Access controls in the UPnP service configuration can lock down which devices are allowed to make alterations. Over and above the built-in access controls, further control may be exerted with firewall rules. When properly controlled, UPnP can also be a little more secure by allowing programs to pick and listen on random ports, instead of always having the same port open and forwarded.

Configuration Options

Enable UPnP & NAT-PMP:

Master control for the entire service. When unchecked, all of the services on this page are disabled.

Allow UPnP Port Mapping:

When checked, the service allows UPnP.

Allow NAT-PMP Port Mapping:

When checked, the service allows NAT-PMP.

External Interface:

The interface for outgoing traffic. This must be set to the WAN containing the default gateway. Only one External Interface may be selected.

Interfaces:

The local interfaces where clients allowed to use UPnP/NAT-PMP reside. Multiple interfaces may be selected.

When a bridge is in use, only select the bridge interface with an IP address.

Download Speed:

Maximum download speed reported to clients, in Kilobits per second.

Upload Speed:

Maximum upload speed reported to clients, in Kilobits per second.

Override WAN Address:

Selects an alternate interface IP address to use on WAN rules added by the daemon, such as a CARP or IP Alias Virtual IP address.

Traffic Shaping:

The name of an ALTQ (not Limiter) traffic shaping queue in which the firewall will place traffic allowed through UPnP.

Note

Exercise caution when selecting this queue. UPnP is used by traffic such as game consoles, which need high priority, and also by file transfer clients which may need low priority.

Log Packets:

When checked, port forwards generated by UPnP/NAT-PMP will be set to log, so that each connection made will have an entry in the firewall logs, found at Status > System Logs, on the Firewall tab.

Uptime:

By default, the UPnP daemon reports the service uptime when queried rather than the system uptime. Checking this option will cause it to report the actual system uptime instead.

Default Deny:

When checked, UPnP only allows access to clients matching configured access control lists. This is a more secure method of controlling the service, but as discussed above, is also less convenient.

Custom Presentation URL:

A custom URL this daemon presents to UPnP clients who click this device when listing devices on the local network. For example, when browsing the network in Windows Explorer. When left blank, the daemon uses the URL of the firewall GUI.

Custom Model Number:

A custom model number presented to clients who click this device when listing devices on the local network. For example, when browsing the network in Windows Explorer. When left blank, the daemon uses the firmware version.

Stun Settings

For UPnP to function properly, the External Interface must have a public IP address. Otherwise, this firewall is behind NAT and port forwarding may not be possible. In some cases the External Interface can be behind unrestricted NAT (e.g. 1:1) where all incoming traffic is forwarded and routed to the External Interface without any filtering. In these cases UPnP service needs to know the real public IP address. UPnP can learn this address by asking an external server using the STUN protocol.

Enable STUN:

Enable retrieving the external IP address and detecting the NAT type by using a remote STUN server.

STUN Server:

The hostname or IP address of a remote STUN server.

There are a few public STUN servers available, including:

  • stun.sipgate.net

  • stun.xten.com

  • stun.l.google.com on port 19302

STUN Port:

The UDP port on which the STUN server is listening for client connections.

UPnP Access Control Lists

ACL Entries:

These fields specify user-defined access rules to control UPnP client behavior.

Rules are formulated using the following format:

<[allow|deny]> <[external port|range]> <[internal IP|IP/CIDR]> <[internal port|range]>

Click fa-plus Add to create additional rules.

Note

If the Default Deny option is enabled, rules must be set to allow access.

UPnP User Permission Examples

Deny access to external port 80 forwarding from everything on the LAN, 192.168.1.0, with a /24 subnet, to local port 80:

deny 80 192.168.1.0/24 80

Allow 192.168.1.10 to forward any unprivileged port:

allow 1024-65535 192.168.1.10 1024-65535

Configuration Procedure

To configure UPnP and NAT-PMP:

  • Navigate to Services > UPnP & NAT-PMP

  • Configure the options as needed

  • Click Save

The UPnP and/or NAT-PMP service will be started automatically.

UPnP & NAT-PMP Status

To view a list of currently forwarded ports and clients, navigate to Status > UPnP & NAT-PMP. The output will be similar to UPnP & NAT-PMP Status Screen Showing Client PCs With Forwarded Ports.

../_images/upnp-status.png

UPnP & NAT-PMP Status Screen Showing Client PCs With Forwarded Ports

View the status of the UPnP daemon at Status > Services. The Service Status page shows if the daemon is running or stopped, and allows the service to be stopped, started or restarted. Under normal circumstances, manually managing the daemon is not necessary.

Troubleshooting

Most issues with UPnP tend to involve bridging. In this case it is important to have firewall rules allow UPnP on UDP port 1900. Since UPnP uses multicast traffic, the destination will be the broadcast address for the subnet, or in some cases a destination of any will be necessary.

Note

For IPv6, it’s important to note that the traffic will almost always require manual rules to pass the traffic. Clients are likely to use a link-local source going to a multicast destination. That source is not covered by the default interface rules.

Consult the firewall logs at Status > System Logs, on the Firewall tab to see if traffic is being blocked. Pay particular attention to the destination address, as it may be different than expected.

Further trouble with game consoles may also be alleviated by switching to manual outbound NAT and enabling Static Port. See Static Port for more details.

See also

For advice on specific consoles and games, see Configuring pfSense Software for Online Gaming.