18.2  Universal Plug-and-Play (UPnP)

WinRoute supports the UPnP protocol (Universal Plug-and-Play). This protocol enables client applications (e.g. Microsoft MSN Messenger) to detect the firewall and request that the appropriate ports be mapped from the Internet to the particular host in the local network. Such a mapping is always temporary: it lasts either until the application releases the ports (using UPnP messages) or until a timeout expires.

The requested port must not collide with any existing mapped port or with any traffic rule that allows access to the firewall from the Internet. Otherwise, the UPnP port mapping request is denied.

Configuring UPnP support

To configure UPnP, go to the Security Settings folder in Configuration → Advanced Options.


Figure 18.3. UPnP settings (the Security Settings tab under Configuration → Advanced Options)


Enable UPnP

This option enables UPnP support in WinRoute.

Warning

If WinRoute is running on Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008, check that the following system services are not running before you enable the UPnP function:

  • SSDP Discovery Service

  • Universal Plug and Play Device Host

If either of these services is running, stop it and disable its automatic startup. These Windows services implement the UPnP protocol themselves and therefore cannot run alongside UPnP support in WinRoute.

Note: The WinRoute installation program detects these services and offers to stop and disable them.

Log packets

If this option is enabled, all packets passing through ports mapped with UPnP are recorded in the Filter log (see chapter 22.9  Filter Log).

Log connections

If this option is enabled, all connections passing through ports mapped with UPnP are recorded in the Connection log (see chapter 22.5  Connection Log).

Warning

Although UPnP is a useful feature, it can also endanger network security, because every host permitted to use it can open ports on the firewall; this matters especially in networks with many users, where the firewall would effectively be controlled by too many people. A WinRoute administrator should consider carefully whether security or the functionality of applications that require UPnP takes priority.

Using the traffic policy (see chapter 7.3  Definition of Custom Traffic Rules), you can restrict the use of UPnP and allow it only for certain IP addresses or certain users.

Example:


Figure 18.4. Traffic rules allowing UPnP for specific hosts


The first rule allows UPnP only from the UPnP Clients IP address group. The second rule denies UPnP from all other hosts (IP addresses).
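The decisions this chapter describes (a mapping is a temporary lease released by the application or by timeout; a request is denied when the port collides with an existing mapping or with a traffic rule that already opens the port from the Internet; and, as in the two traffic rules above, only hosts in the UPnP Clients group may request mappings) can be modelled in a few lines. The Python below is an added example written for this page, not WinRoute code: the class name UpnpGateway, the 192.168.1.0/24 client group and the port values are constructed, and it simplifies by always forwarding a mapping to the host that requested it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Mapping:
    """One temporary UPnP port mapping (a lease)."""
    ext_port: int      # port opened on the firewall's Internet side
    proto: str         # "TCP" or "UDP"
    host: str          # LAN host the traffic is forwarded to
    int_port: int      # port on that LAN host
    expires_at: float  # lease end, in seconds on the caller's clock


class UpnpGateway:
    """Models the firewall's UPnP mapping decisions (constructed example)."""

    def __init__(self, upnp_clients, internet_rules):
        # upnp_clients: IP ranges of the 'UPnP Clients' group allowed to use UPnP
        # internet_rules: (port, proto) pairs that traffic rules already open
        #                 from the Internet; UPnP requests must not collide with them
        self.clients = [ip_network(n) for n in upnp_clients]
        self.static = {(p, proto.upper()) for p, proto in internet_rules}
        self.mappings = {}  # (ext_port, proto) -> Mapping

    def _client_allowed(self, ip):
        return any(ip_address(ip) in net for net in self.clients)

    def expire(self, now):
        """Drop every mapping whose lease has run out (the timeout case)."""
        expired = [k for k, m in self.mappings.items() if m.expires_at <= now]
        for key in expired:
            del self.mappings[key]
        return len(expired)

    def add_mapping(self, client_ip, ext_port, proto, int_port, lease, now):
        """Handle a mapping request; returns (granted, reason).

        Simplification: the mapping always forwards to the requesting host.
        """
        proto = proto.upper()
        self.expire(now)
        if not self._client_allowed(client_ip):
            return False, "denied by traffic policy"
        key = (ext_port, proto)
        if key in self.static:
            return False, "port already opened by a traffic rule"
        if key in self.mappings:
            return False, "port already mapped"
        self.mappings[key] = Mapping(ext_port, proto, client_ip, int_port, now + lease)
        return True, "mapped"

    def delete_mapping(self, client_ip, ext_port, proto):
        """Release a mapping early on the application's own UPnP request."""
        key = (ext_port, proto.upper())
        m = self.mappings.get(key)
        if m is None or m.host != client_ip:
            return False  # no such lease, or another host's lease
        del self.mappings[key]
        return True

    def active(self, now):
        """Sorted (ext_port, proto, host) of mappings still in force at 'now'."""
        self.expire(now)
        return sorted((m.ext_port, m.proto, m.host) for m in self.mappings.values())


if __name__ == "__main__":
    gw = UpnpGateway(["192.168.1.0/24"], [(80, "TCP")])
    print(gw.add_mapping("192.168.1.10", 5000, "TCP", 5000, 3600, now=0))
    print(gw.add_mapping("192.168.1.11", 80, "TCP", 80, 3600, now=5))
    print(gw.active(now=10))
```

The clock is passed in explicitly so that lease expiry can be exercised without waiting; a real gateway would use its own time source and would also write the granted and denied requests to a log, which is where the Log packets and Log connections options above come in.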