====== pfSense - UPnP (Universal Plug and Play) ======
UPnP and NAT-PMP both allow devices and programs that support them to automatically add dynamic port forwards and firewall entries.
**ALERT:** Risks!!!
Any service that allows a client device to dynamically open ports on a firewall can pose a risk to the network.
A mischievous application could pose as a UPnP client and open up the system to hackers.
pfSense does provide the ability to unlock only for certain IP / CIDR ranges, but this is still open to abuse.
It is safer to open ports on a case-by-case basis instead.
----
===== Configure UPnP =====
Navigate to **Services -> UPnP & NAT-PMP**.
Configure the following options:
* **Enable:** Enable UPnP & NAT-PMP ticked.
* **UPnP Port Mapping:** Allow UPnP Port Mapping ticked.
* **NAT-PMP Port Mapping:** Allow NAT-PMP Port Mapping ticked.
* **External Interface:** Select your external interface, usually WAN.
* **Interfaces:** Select the interfaces where UPnP/NAT-PMP clients exist.
----
===== Advanced UPnP & NAT-PMP Configuration =====
* **Enable:** Enable UPnP & NAT-PMP ticked.
* **UPnP Port Mapping:** Allow UPnP Port Mapping ticked.
* **NAT-PMP Port Mapping:** Allow NAT-PMP Port Mapping ticked.
* **External Interface:** Select your external interface, usually WAN.
* **Interfaces:** Select the interfaces where UPnP/NAT-PMP clients exist.
* **Default Deny:** Deny access to UPnP & NAT-PMP by default ticked.
The **Default Deny** option automatically denies any UPnP & NAT-PMP request from clients unless an ACL (Access Control List) is set.
----
===== ACL (Access Control List) =====
Syntax:
[allow or deny] [external single port or range of ports] [single IP address or a single range] [internal single port or range]
Example:
allow 1024-65535 192.168.1.2 1024-65535
allow 12345 192.168.1.0/24 50000-65535
----
===== ACL (Access Control List) for PS3 and PS4 =====
allow 80-65535 192.168.1.45/32 80-65535
Here the PS has a static IP of 192.168.1.45.
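To check what a set of ACL lines actually permits before saving it, the following added example (not part of pfSense or of the original page) parses the syntax shown above, evaluates a mapping request against it, and flags allow rules that cover a whole subnet or external ports below 1024. It assumes the first matching line decides and that **Default Deny** applies when nothing matches; the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    allow: bool
    ext_ports: range
    net: ipaddress.IPv4Network
    int_ports: range

def _ports(token: str) -> range:
    lo, _, hi = token.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {token}")
    return range(lo, hi + 1)

def parse_rule(line: str) -> Rule:
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"bad ACL line: {line!r}")
    # A bare address such as 192.168.1.2 parses as a /32 network.
    return Rule(parts[0] == "allow", _ports(parts[1]),
                ipaddress.ip_network(parts[2], strict=False), _ports(parts[3]))

def permitted(rules, client_ip, ext_port, int_port, default_deny=True):
    # Assumption: the first matching line decides; Default Deny covers no match.
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip in r.net and ext_port in r.ext_ports and int_port in r.int_ports:
            return r.allow
    return not default_deny

def audit(rules):
    """Flag allow rules broader than one host on unprivileged external ports."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.allow and r.net.prefixlen < r.net.max_prefixlen:
            findings.append((n, "applies to a whole subnet, not a single host"))
        if r.allow and r.ext_ports.start < 1024:
            findings.append((n, "permits external ports below 1024"))
    return findings

# ACL lines taken from this page's examples.
ACL = [parse_rule(l) for l in (
    "allow 1024-65535 192.168.1.2 1024-65535",
    "allow 12345 192.168.1.0/24 50000-65535",
    "allow 80-65535 192.168.1.45/32 80-65535",
)]
```

Calling ''audit(ACL)'' reports the /24 rule and the PS rule that starts at port 80, which are the two lines worth narrowing first.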
----
**NOTE:** Remember to click **Save**.