UPnP
Universal Plug and Play
A set of protocols that lets networked devices automatically discover each other and request port forwarding rules from the router — enabling gaming consoles, media servers, and peer-to-peer apps to work without manual configuration, at the cost of reduced security control.
UPnP has two main functions. First, device discovery (SSDP, the Simple Service Discovery Protocol): devices announce themselves and answer search queries on the LAN via multicast to 239.255.255.250:1900, so other devices can find them without configuration (this is how your phone finds a Chromecast or smart TV). Second, NAT port mapping (UPnP IGD, the Internet Gateway Device protocol): an application discovers the router the same way, fetches its device description, and then sends a SOAP request to the router's WANIPConnection (or WANPPPConnection) service asking it to create a port forwarding rule, enabling inbound connections from the internet. A gaming console sends an IGD AddPortMapping request that amounts to "please forward UDP port 3074 to my IP." The router complies with no password required, which is both the feature and the security problem.
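The exchange just described, as an added example that is not part of the original page: the multicast M-SEARCH probe a client sends, a parser for the router's SSDP reply, and the HTTP/SOAP AddPortMapping request for UDP 3074. The sample reply, the router address 192.168.1.1, the control path /ctl/IPConn and the console address 192.168.1.50 are constructed for illustration (the real control URL is read from the description document at LOCATION). Note what is absent from the request: any credential.

```python
"""SSDP discovery and a UPnP IGD AddPortMapping request, as wire bytes.

Added example (not from the original page). Addresses, URLs and the sample
SSDP reply below are constructed for illustration, not captured.
"""
import re
from xml.sax.saxutils import escape

SSDP_ADDR = ("239.255.255.250", 1900)   # SSDP multicast group and port (UPnP spec)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build the multicast M-SEARCH probe a client sends to find IGD devices."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',   # the quotes are mandatory per the spec
        f"MX: {mx}",              # seconds a responder may delay its reply
        f"ST: {st}",              # search target: which device/service type
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_ssdp_response(data: bytes) -> dict:
    """Parse a unicast SSDP reply into {lowercase header name: value}.

    Raises ValueError if the status line is not an HTTP 200.
    """
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not re.match(r"HTTP/1\.[01] 200", status):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")   # first colon only: URLs contain more
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_add_port_mapping(host: str, control_path: str, ext_port: int, proto: str,
                           int_port: int, int_client: str, desc: str,
                           lease_secs: int = 0) -> bytes:
    """Build the HTTP POST plus SOAP body for WANIPConnection#AddPortMapping.

    lease_secs=0 asks for a permanent mapping; proto must be 'TCP' or 'UDP'.
    NewInternalClient is whatever the caller says: nothing ties it to the sender.
    """
    if proto not in ("TCP", "UDP"):
        raise ValueError("proto must be TCP or UDP")
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP_SVC}">'
        "<NewRemoteHost></NewRemoteHost>"          # empty: accept any internet source
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{int_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{escape(desc)}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease_secs}</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    ).encode()
    headers = (
        f"POST {control_path} HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n"
        f'SOAPACTION: "{WANIP_SVC}#AddPortMapping"\r\n\r\n'
    ).encode()
    return headers + body


# Constructed sample reply, in the shape a router sends to an M-SEARCH (not captured).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/5.4 UPnP/1.1 MiniUPnPd/2.2.1\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:12345678-0000-0000-0000-000000000001::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"EXT:\r\n\r\n"
)

if __name__ == "__main__":
    print(build_msearch().decode())
    hdrs = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    print("device description at:", hdrs["location"])
    # The control path is an assumption; a real client reads it from LOCATION's XML.
    print(build_add_port_mapping("192.168.1.1:5000", "/ctl/IPConn", 3074, "UDP",
                                 3074, "192.168.1.50", "Xbox").decode())
```

To send these for real, the M-SEARCH goes out over a UDP socket to the multicast group and the POST over a plain TCP connection to the host in LOCATION; the bytes are identical to what the functions above return, which is the point: an attacker on the LAN needs nothing more than this to ask for a mapping.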
UPnP vs manual port forwarding
| Property | UPnP | Manual port forwarding |
|---|---|---|
| Configuration | Automatic (zero-config) | Manual (router admin panel) |
| Authentication | None — any LAN device can request | Admin password required |
| Persistence | Dynamic, may expire or be overwritten | Permanent until manually deleted |
| Visibility | Mappings hidden from admin unless checked | Visible in router port forwarding table |
| Security risk | Malware can open ports silently | Only admin-approved ports open |
| Best for | Gaming consoles, Plex, media apps | Servers, security-conscious setups |
UPnP security considerations
UPnP has no built-in authentication: any device on the LAN can instruct the router to open any port mapping, and the request may name a different internal host than the one that sent it. Compromised IoT devices, malware, or rogue LAN devices can use this to open inbound ports silently, creating pathways for external attacks. Some routers also incorrectly exposed the UPnP service on the WAN interface, so internet hosts could manipulate port mappings. Two widely reported cases illustrate the risk. EternalSilence (reported by Akamai in 2018) used WAN-exposed IGD endpoints to inject port mappings into routers, turning them into relays ("UPnProxy") and forwarding traffic to internal hosts' SMB ports. CallStranger (2020, CVE-2020-12695) abused the Callback header of the UPnP SUBSCRIBE request so that vulnerable devices could be made to send traffic to arbitrary URLs, usable for reflected DDoS, data exfiltration, and scanning of internal networks. Mitigations: disable UPnP if not needed; isolate IoT devices on a separate VLAN that cannot reach the router's SSDP/IGD service; ensure UPnP is not accessible from the WAN; periodically list the router's current mappings and delete any you did not expect; if the router supports it, restrict mapping requests to the requester's own address (MiniUPnPd's secure_mode), which narrows but does not remove the risk; and use manual port forwarding for any services that genuinely need inbound access.
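One concrete form of the "list the current mappings and look for surprises" mitigation, as an added example that is not from the original page: a client walks the router's table with GetGenericPortMappingEntry at index 0, 1, 2, ... until the router answers with a SOAP fault carrying UPnP error 713 (SpecifiedArrayIndexInvalid), then flags entries that point outside the LAN (the injected-relay pattern from EternalSilence), entries no admin approved, and entries exposing sensitive service ports. The reply bodies, the LAN prefix 192.168.1.0/24 and the allow-list are constructed for this example, not captured from a real router.

```python
"""Audit a router's UPnP port-mapping table for entries no admin approved.

Added example, not from the original page. Reply bodies, LAN prefix and
allow-list are constructed for illustration, not captured from a router.
"""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"       # namespace of UPnPError details
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
END_OF_TABLE = "713"                               # SpecifiedArrayIndexInvalid
LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed LAN; adjust per site
SENSITIVE_PORTS = {22, 23, 139, 445, 3389, 5900}   # flag these whoever asked
# Assumed admin policy: (internal client, protocol, external port) triples.
ALLOWED = {("192.168.1.50", "UDP", 3074), ("192.168.1.20", "TCP", 32400)}


def parse_mapping_reply(body: str):
    """One GetGenericPortMappingEntryResponse -> dict; the 713 fault -> None.
    Any other fault raises, so a misbehaving router is not read as 'empty'."""
    root = ET.fromstring(body)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CTRL_NS}}}errorCode")
        if code == END_OF_TABLE:
            return None
        raise RuntimeError(f"UPnP error {code}")
    resp = root.find(f".//{{{SOAP_NS}}}Body/*")
    if resp is None or not resp.tag.endswith("GetGenericPortMappingEntryResponse"):
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    vals = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "remote_host": vals.get("NewRemoteHost", ""),
        "ext_port": int(vals["NewExternalPort"]),
        "proto": vals["NewProtocol"],
        "int_port": int(vals["NewInternalPort"]),
        "int_client": vals["NewInternalClient"],
        "description": vals.get("NewPortMappingDescription", ""),
        "lease": int(vals.get("NewLeaseDuration") or 0),
    }


def walk_table(replies):
    """Collect mappings from successive index replies, stopping at the 713 fault."""
    mappings = []
    for body in replies:
        entry = parse_mapping_reply(body)
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def audit(mappings, allowed=ALLOWED, lan=LAN):
    """Return (reason, mapping) findings an admin should review."""
    findings = []
    for m in mappings:
        if ipaddress.ip_address(m["int_client"]) not in lan:
            # Forwarding to a host outside the LAN makes the router a relay:
            # the injected-mapping pattern Akamai named UPnProxy (EternalSilence).
            findings.append(("internal client is outside the LAN", m))
        elif (m["int_client"], m["proto"], m["ext_port"]) not in allowed:
            findings.append(("mapping not on admin allow-list", m))
        if m["int_port"] in SENSITIVE_PORTS:
            findings.append(("exposes a sensitive service port", m))
    return findings


def _reply(ext, proto, int_port, client, desc, lease=0):
    """Constructed response body in the shape the IGD spec defines."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">'
            f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


FAULT_713 = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
             "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>"
             f'<UPnPError xmlns="{CTRL_NS}"><errorCode>713</errorCode>'
             "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
             "</UPnPError></detail></s:Fault></s:Body></s:Envelope>")

SAMPLE_REPLIES = [                                       # constructed, index 0..4
    _reply(3074, "UDP", 3074, "192.168.1.50", "Xbox"),
    _reply(32400, "TCP", 32400, "192.168.1.20", "Plex"),
    _reply(47001, "TCP", 445, "192.168.1.77", "update"),  # unknown LAN box, SMB
    _reply(44000, "TCP", 139, "203.0.113.9", "relay"),    # points off the LAN
    FAULT_713,
]

if __name__ == "__main__":
    for reason, m in audit(walk_table(SAMPLE_REPLIES)):
        print(f"{reason}: {m['proto']} {m['ext_port']} -> "
              f"{m['int_client']}:{m['int_port']} ({m['description']!r})")
```

Against a live router the loop would POST each index to the WANIPConnection control URL with SOAPACTION "...#GetGenericPortMappingEntry" and feed the response body to parse_mapping_reply; stopping on 713 rather than on "no more data" matters because some firmwares return other faults when the table is being modified, and those should surface as errors rather than as a clean audit.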
Frequently Asked Questions
Should I enable or disable UPnP on my router?
Enable it for convenience (gaming, media servers, P2P). Disable it for better security: any LAN device, including malware, can open ports without authentication. If you leave it enabled, confirm UPnP is not reachable on the WAN interface, keep IoT devices on a VLAN that cannot reach the router's UPnP service, and review the router's mapping table from time to time.
What is the difference between UPnP and port forwarding?
Manual port forwarding is a static admin-configured rule. UPnP is dynamic — applications request mappings from the router automatically. Manual gives control and visibility; UPnP gives zero-configuration convenience. Both achieve the same result (open inbound ports) through different means.
Why does UPnP affect NAT type in gaming?
UPnP lets a console open its own port mappings automatically, which yields NAT Type 2 (Moderate) on PlayStation, or "Open" in Xbox terminology; PlayStation's Type 1 (Open) means the console sits directly on the internet with no NAT at all. Without UPnP and without manual port forwarding, consoles report NAT Type 3 (Strict), causing connection failures and an inability to host multiplayer sessions or connect to other strict-NAT players.