pfSense UPnP and NAT-PMP

In a previous article, I described how to configure port forwarding in pfSense. But what if port forwarding could be done automatically? That is the object of the Universal Plug and Play Protocol and Nat Port Mapping Protocol, and both are supported by pfSense. In this article, I will explain how to configure pfSense UPnP and NAT-PMP protocols.

UPnP and NAT-PMP Explained

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. It is intended primarily for residential networks without enterprise class devices (the reasons for this will become apparent soon) and is primarily used in Microsoft systems. The concept of UPnP is an extension of plug-and-play, a technology for dynamically attaching devices directly to a computer.

Among other things, UPnP provides a solution for NAT traversal via its implementation of the Internet Gateway Device Protocol. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client. UPnP uses UDP port 1900 and TCP port 2869.

NAT Port Mapping Protocol (NAT-PMP) is another means of accomplishing what UPnP does. It was introduced by Apple in 2005 as an alternative to IGD. NAT-PMP allows a computer in a private network to automatically configure the router to allow parties outside the private network to contact it. It automates the process of port forwarding. Included in the protocol is a method for retrieving the public IP address of a NAT gateway. NAT-PMP runs over UDP port 5351.

Configuring pfSense UPnP and NAT-PMP

pfSense UPnP

Enabling UPnP and NAT-PMP in pfSense 2.0.

As it happens, both UPnP and NAT-PMP are supported by pfSense 2.0. Enabling pfSense UPnP and NAT-PMP  is relatively easy as well. To enable these services, first navigate to Services -> UPnP & NAT-PMP. Check the “Enable UPnP & NAT-PMP” check box. Below that, check either “Allow UPnP Port Mapping“, “Allow NAT-PMP Port Mapping“, or both. At “Interfaces (generally LAN)“, select an interface (or hold down the CTRL key while clicking to select multiple interfaces). Then press the “Change” button to change the settings. You have now configured pfSense UPnP and/or NAT-PMP.


There are several additional options that are worth noting. Below “Interfaces”, you can specify a “Maximum Download Speed” (in Kbits/s). You can also specify a “Maximum Upload Speed” (also in Kbits/s). “Override WAN address” can be used to override the miniupnp listening address. “Traffic Shaping Queue” allows you to specify an already-defined traffic shaping queue (for more information, see parts one, two, and three of my series on traffic shaping). Checking “Enable Log Packets” will keep a log of UPnP and NAT-PMP traffic. Checking “Use system uptime instead of UPnP and NAT-PMP service uptime” will use the system’s uptime in the logs. Checking “By default deny access to UPnP & NAT-PNP” will block UPnP and NAT-PNP traffic except for traffic specifically allowed in the below “User specified permissions“. There, you can define up to four permissions in the following format: [allow or deny][external port or range][internal IP address or IP address/CIDR][internal port or range].

pfSense UPnP and NAT-PNP:  Potential Security Risks

Now that I have described pfSense UPnP and NAT-PNP and how to configure them, I suppose it is only fair to note that enabling these services and allowing devices to make and modify their own firewall rules has some serious security implications. In January 2013, the security company Rapid7 reported on a six-month research program in which a team scanned for signals from UPnP-enabled devices announcing their availability for internet connect. Some 6900 products from 1500 companies at 81 million IP addresses responded to their requests. 80% of the devices are home routers; others include printers, webcams, and surveillance cameras. With this in mind, it is little wonder that UPnP  is not targeted many at home routers and not enterprise-level networking equipment, as IT departments would likely be wary of deploying equipment with such glaring security vulnerabilities. I do not know of any similar studies covering NAT-PMP devices, but I would assume this has more to do with the greater popularity of UPnP than it has anything to do with NAT-PMP devices being more secure. It might be prudent to dedicate a separate interface to UPnP and/or NAT-PMP devices. It might be even more prudent to use the “By default deny access to UPnP & NAT-PNP” feature and only allow specific pfSense UPnP and NAT-PMP traffic.


External Links:

UPnP at Wikipedia

NAT-PMP at Wikipedia

What is pfSense UPnP? at doc.pfsense.org

UPnP flaws turn millions of firewalls into doorstops at nakedsecurity

Port Forwarding with NAT in pfSense

Firewall Configuration: NAT port forwarding

Firewall -> NAT configuration page in the pfSense web GUI.

In computer networking, Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across a traffic routing device. In most cases, it involves translating from the WAN IP address to the 192.168.x.x addresses of your local network. In this article, I will describe how to set up NAT port forwarding.

NAT and firewall rules are distinct and separate. NAT rules forward traffic, while firewall rules block or allow traffic. In the next article, I will cover firewall rules, but for now keep in mind that just because a NAT rule is forwarding traffic does not mean the firewall rules will allow it.

NAT Port Forwarding

NAT port forwarding rules can differ in complexity, but in this example, let’s assume we set up an Apache server at 192.1.168.125 on the local network, and we want to direct all HTTP traffic (port 80) to that address. First, browse to Firewall -> NAT. The options are “Port Forward“, “1:1” and “Outbound“. Select the “Port Forward” tab. Click the “plus” button in order to create a new NAT port forward rule. “Disable the rule” and “No RDR” can be left unchanged. For “Interface” you can choose WAN and LAN; we are concerned about incoming requests from the Internet, so you can keep it as WAN.


For “Protocol”, there are five choices: TCP, UDP, TCP/UDP, GRE, and ESP. TCP stands for Transmission Control Protocol, and is the transport level protocol of the Internet protocol suite. This is usually what we want to use. Next is UDP, or User Datagram Protocol, another transport level protocol which is also part of the Internet protocol suite. It is suitable for purposes where error checking and correction are either not necessary or are performed in the application. GRE stands for Generic Routing Encapsulation, a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links. It can be used, among other things, in conjunction with PPTP to create VPNs. ESP stands for Encapsulating Security Payload, a member of the IPsec protocol suite which provides authenticity, integrity and confidentiality protection of packets. In this port forwarding scenario, you can leave the protocol unchanged (TCP).

Firewall Configuration: NAT

Adding a NAT port forwarding rule.

For “Source“, you can specify the allowed client source. Typically you can leave it as “any”, but there are several choices: “Single host or alias“, “Network“, “PPTP clients“, “PPPoE clients“, “L2TP clients“, “WAN subnet“, “WAN address“, “LAN subnet“, and “LAN address“. In this case, you can leave the default (any) unchanged.

For “Source port range“, we want to redirect HTTP traffic (port 80), so choose HTTP for the from and to drop-down boxes. “Destination” offers the same choices as “Source” and can be left unchanged. “Destination port range” should be changed to HTTP for the from and to drop-down boxes. For “Redirect target IP“, specify the web server the traffic to be forwarded to (in our case, 192.168.1.125). For “Redirect target Port“, choose HTTP. Next is “No XMLRPC Sync“; enable this option to prevent this rule from being applied to any redundant firewalls using CARP. This option can be left unchecked now. “NAT Reflection” can be enabled or disabled, usually it is disabled. “Filter Rule association” will automatically create a firewall rule and associate it to this NAT rule. Check this box to avoid having to create a separate firewall rule. Add a description if you wish, and press “Save” to save the changes. The port forwarding rule set up should now be in effect.

NAT Port Redirection

In this case, we passed traffic from port 80 on the source to port 80 on the destination, which is the classic port forwarding scenario. But there’s no reason you can’t redirect traffic to a different port. There are two reasons you might want to do this:

[1] Security: A good way to thwart hackers is to put services on non-standard ports. For example, everyone knows the standard port for FTP is 21, but an outsider is unlikely to find your FTP server if you place it on port 69, or better yet, an even higher port number (e.g. 51782). The same can be said of SSH. Users will have to know the port in order to access it.

[2] Single Public IP Address, more than one computer with the same services: Smaller networks with only a single public IP address may be stuck if the want to expose a lot of public services. For example, imagine that we want to have two separate FTP servers, but on two separate computers. With port redirection, we create two different NAT rules: the first rule will redirect port 51782 to port 21 on FTPServer1, and the second will redirect port 51783 to port 21 on FTPServer2. We can then remote into two separate FTP servers on two different computers using the same IP address.


External Links:

Port Forwarding Troubleshooting at doc.pfsense.org

© 2013 David Zientara. All rights reserved. Privacy Policy