Need help securing your MikroTik routers? Our printable MikroTik Router Hardening Guide includes a checklist, links to STIGs, and more in-depth discussion of best practices than will fit in a blog post.
For those of you playing the home game (and by that I mean playing on an Xbox or PlayStation at home, with a MikroTik doing the routing), you've probably seen the console complain about your NAT configuration. It's not a huge deal in most cases, but for some games and services it can hurt download speed, voice, and chat. If you have the Xbox test its network connection, it will most likely report "Moderate NAT" when the console sits behind a MikroTik running the default configuration. The fix is simple: enable and configure UPnP. This service lets the Xbox ask the router to create dynamic dst-nat rules specifically for the ports Xbox Live communication needs.
Allowing UPnP to forward ports dynamically is the flip side of using static NAT entries for port forwarding. A lot of networking folks take issue with UPnP (Universal Plug and Play) for a couple of reasons. First, UPnP takes some control out of the hands of network administrators: devices on the network talk to the router themselves and create their own "pinhole" port forwards, and the IGD protocol has no authentication, so any host on the internal interface, including a compromised PC or IoT gadget, can make the same request the Xbox does. Second, most UPnP implementations on low-end networking equipment are laughably insecure. There's a laundry list of security issues created by home network equipment manufacturers, and unfortunately that reputation has bled over to UPnP itself. Fortunately MikroTik's implementation isn't terrible: it only opens access specifically requested by the device on the LAN asking for it, it only listens on the interfaces you designate as internal, and every pinhole it creates shows up as a visible rule in the NAT table where you can audit it.
First, we'll enable the UPnP service, which is disabled by default:
/ip upnp set enabled=yes
Next, we'll tell the router which interface is the internal, LAN-facing one and which is the external, Internet-facing one. In this case ether1-gateway is the WAN connection and bridge-local is the LAN connection:
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=bridge-local type=internal
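The procedure above, pulled together into one configuration block with the two settings a security-minded admin should set alongside it and the commands to verify the result. This is an added example, not configuration from the original post; the interface names ether1-gateway and bridge-local are taken from the post and should be adjusted to match your router, and the `upnp` logging topic in the last command is an assumption.

```routeros
# Added example: UPnP on a MikroTik router with hardening settings.
# Interface names (ether1-gateway = WAN, bridge-local = LAN) follow the post;
# check /interface print and adjust for your router.

# Weak: enabling the service and nothing else. The IGD protocol lets any LAN
# client ask the router to disable its external interface, with no
# authentication, and RouterOS has a setting that controls whether it honours
# that request.
# /ip upnp set enabled=yes

# Corrected: enable UPnP and refuse the "disable external interface" request.
# show-dummy-rule keeps a blank placeholder rule in the NAT table that some
# client implementations expect to see.
/ip upnp set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes

# Tell the router which side is which. Only list the bridge the console lives
# on as internal; a guest or IoT bridge left off this list cannot open pinholes.
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=bridge-local type=internal

# Verify the service settings and interface roles.
/ip upnp print
/ip upnp interfaces print

# After the console runs its network test, its pinholes appear in the NAT table
# flagged "D" (dynamic). This list is the full inventory of what UPnP has opened.
/ip firewall nat print

# Assumed logging topic: record UPnP activity so pinhole requests are auditable.
/system logging add topics=upnp action=memory
```

Two checks worth doing after this: confirm the firewall input chain still allows SSDP (UDP port 1900) from the LAN to the router, since the default configuration permits LAN-to-router traffic but a tightened ruleset may not; and make a habit of glancing at the "D" rules in the NAT table, because a dynamic forward you don't recognize is a LAN host asking for inbound access you didn't plan on.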
That's it! UPnP is turned on, and we've told the router which interfaces are which so that firewall NAT pinholes can be created. Now fire up the Xbox so it can talk to the router and request its dynamic NAT rules.
In the router's NAT rule list, the two rules flagged with a "D" are the dynamic rules UPnP created for the internal LAN devices that requested them, including the Xbox. Those "D" rules are also the complete inventory of what UPnP has opened, so they are the place to look if you ever wonder what's been forwarded. Testing the network from the Xbox again should show green across the board, and everything should work well. That's it!