PFSense - UPNP (Universal Plug and Play)
UPnP and NAT-PMP both allow devices and programs that support them to automatically add dynamic port forwards and firewall entries.
ALERT: Risks!!!
Any service that allows a client device to dynamically open ports on a firewall can pose a risk to the network.
A mischievous application could pose as a UPnP client and open up the system to hackers.
pfSense does provide the ability to allow this only for certain IP / CIDR ranges, but this is still open to abuse.
It is safer to open ports on a case-by-case basis instead.
Configure UPNP
Navigate to Services → UPnP & NAT-PMP.
Configure the following options:
- Enable: Enable UPnP & NAT-PMP ticked.
- UPnP Port Mapping: Allow UPnP Port Mapping ticked.
- NAT-PMP Port Mapping: Allow NAT-PMP Port Mapping ticked.
- External Interface: Select your external interface, usually WAN.
- Interfaces: Select the interfaces where UPnP/NAT-PMP clients exist.
Advanced UPnP & NAT-PMP Configuration
- Enable: Enable UPnP & NAT-PMP ticked.
- UPnP Port Mapping: Allow UPnP Port Mapping ticked.
- NAT-PMP Port Mapping: Allow NAT-PMP Port Mapping ticked.
- External Interface: Select your external interface, usually WAN.
- Interfaces: Select the interfaces where UPnP/NAT-PMP clients exist.
- Default Deny: Deny access to UPnP & NAT-PMP by default ticked.
Default Deny automatically denies any UPnP & NAT-PMP requests from clients unless an ACL (Access Control List) entry is set.
ACL (Access Control List)
Syntax:
[allow or deny] [external single port or range of ports] [single IP address or a single range] [internal single port or range]
Example:
allow 1024-65535 192.168.1.2 1024-65535
allow 12345 192.168.1.0/24 50000-65535
ACL (Access Control List) for PS3 and PS4
allow 80-65535 192.168.1.45/32 80-65535
where the PS has a static IP of 192.168.1.45
NOTE: Remember to click Save.
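To check what a rule set in this syntax actually permits before saving it, the following added example (not part of the original page and not pfSense's own code) parses ACL entries and decides a port-mapping request. It assumes entries are checked top to bottom with the first match winning and that unmatched requests fall back to the Default Deny setting; the function and variable names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    allow: bool
    ext: range                      # external port(s)
    net: ipaddress.IPv4Network      # client address or range
    internal: range                 # internal port(s)

def _ports(field: str) -> range:
    """'12345' or '1024-65535' -> inclusive port range."""
    lo, _, hi = field.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {field!r}")
    return range(lo, hi + 1)

def parse_acl(text: str) -> list[Rule]:
    """Parse one '[allow|deny] ext-ports address int-ports' entry per line."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        action, ext, addr, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action!r}")
        # A bare address such as 192.168.1.2 is treated as a /32.
        net = ipaddress.ip_network(addr, strict=False)
        rules.append(Rule(action == "allow", _ports(ext), net, _ports(internal)))
    return rules

def decide(rules, ext_port, client_ip, int_port, default_deny=True) -> bool:
    """Assumption: first matching entry wins; otherwise Default Deny decides."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ext_port in r.ext and ip in r.net and int_port in r.internal:
            return r.allow
    return not default_deny

# The three ACL entries shown on this page.
PAGE_ACL = """\
allow 1024-65535 192.168.1.2 1024-65535
allow 12345 192.168.1.0/24 50000-65535
allow 80-65535 192.168.1.45/32 80-65535
"""
RULES = parse_acl(PAGE_ACL)

if __name__ == "__main__":
    # Constructed requests: (external port, client IP, internal port).
    for req in [(3074, "192.168.1.2", 3074), (80, "192.168.1.45", 80),
                (8080, "192.168.1.77", 8080)]:
        print(req, "allowed" if decide(RULES, *req) else "denied")
```

The PS3/PS4 entry lets that one host map external port 80 and everything above it, so the static IP assignment is what keeps the rule narrow.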