OPNSense UPnP

For many, configuring UPnP on OPNSense is likely not as straightforward as just installing the UPnP service.

While this may open unnecessary ports, this is what my final state was for functional UPnP.

1. Disable IGMP Snooping on your client network(s)

2. Install the UPnP plugin (os-upnp) from System->Firmware

3. Change UPnP to default-deny due to security issues

   - Add an allow rule for the required hosts e.g. `allow 1024-65535 192.168.1.10 1024-65535`

4. Firewall->Rules->Your Client Network add

   - Rule 1
     - Interface: Your client network interface
     - Direction: in
     - Protocol: UDP
     - Source: Clients requiring UPnP
     - Destination Port: 1900
     - Destination: 239.255.255.250/32

   - Rule 2
     - Interface: Your client network interface
     - Direction: in
     - Protocol: UDP
     - Source: Clients requiring UPnP
     - Destination Port: 5351

   - Rule 3
     - Interface: Your client network interface
     - Direction: in
     - Protocol: TCP
     - Source: Clients requiring UPnP
     - Destination Port: 2189

If this is a Windows device (which is recommended, I suggest limiting to gaming consoles) then your AntiVirus Firewall may be causing issues.

You also need to set the client devices to use static port mappings - use Hybrid NAT for the least impact on your network's security.
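To sanity-check the default-deny list from step 3 before saving it, the sketch below parses entries in the `allow <external ports> <host> <internal ports>` form shown above and reports whether a given mapping request would be permitted. It is an added example, not part of the original post or of the OPNsense plugin; the function names are hypothetical, first-match evaluation is an assumption about how the service applies the list, and the second rule set is a constructed sample.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str      # "allow" or "deny"
    ext: range       # external port range
    net: object      # client address or network
    internal: range  # internal port range

def _ports(text):
    """Parse "1024-65535" or a single port into an inclusive range."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return range(lo, hi + 1)

def parse_rule(line):
    action, ext, host, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action!r}")
    net = ipaddress.ip_network(host, strict=False)  # bare IP becomes a /32
    return Rule(action, _ports(ext), net, _ports(internal))

def is_allowed(rules, client, ext_port, int_port, default_deny=True):
    """First matching rule decides (assumed order); otherwise the default applies."""
    addr = ipaddress.ip_address(client)
    for r in rules:
        if addr in r.net and ext_port in r.ext and int_port in r.internal:
            return r.action == "allow"
    return not default_deny

def audit(rules):
    """Flag allow rules wider than one host on ports 1024 and above."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.net.num_addresses > 1:
            findings.append(f"{r.net}: covers {r.net.num_addresses} addresses")
        if r.ext.start < 1024 or r.internal.start < 1024:
            findings.append(f"{r.net}: permits ports below 1024")
    return findings

PAGE_RULES = [parse_rule("allow 1024-65535 192.168.1.10 1024-65535")]  # rule from step 3
WIDE_RULES = [parse_rule("allow 0-65535 192.168.1.0/24 0-65535")]      # constructed sample
```

With the rule from step 3, only 192.168.1.10 can request mappings and only on ports 1024 and above; `audit()` returns nothing for it and two findings for the constructed wide rule.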
