Here is a quick tip for MikroTik router owners on how to configure Mikrotik RouterOS to allow UPnP to map local devices to privileged ports including TCP/80 (HTTP) and TCP/443 (HTTPS) on an external interface.
Some game consoles including the PlayStation 4 and Xbox One sometimes need to redirect/forward port 80 and 443 from the public internet to the console for some online multiplayer functions. Being able to temporarily redirect port 80 can also be useful for other tools like when you need to demonstrate control over port 80 to be issued an encryption certificate by Let’s Encrypt.
RouterOS doesn’t distinguish between privileges (ports below 1024) and unprivileged ports (ports including and above 1024), yet you’ll find that UPnP won’t be able to map port 80 which can result in degraded online gaming experiences. You’ll get the following error message if you fire up
upnpc to manually test port redirection:
Depending on your configuration, you may have the same problem with other ports including 22 (SSH), 23 (telnet), 80 (http), and 443 (https) as well as 8701, 8729, and 8291. By seeing all the affected ports together in a list, you may have recognize them as the ports for the various administrative interfaces available on RouterOS.
These administrative and unmappable ports don’t show up in the firewall or NAT overviews in any of RouterOS’ administrative interfaces. You can manually setup a port redirection from port 80 on WAN to any device on your LAN side. Yet, the UPnP server in RouterOS will fail to redirect any of the ports that are used by a service on the router.
There are a few different options you can try to work around these limitations and allow these ports to be redirected with UPnP:
- Move the affected service from its default port to another port.
- Disable the service that blocks the port you want to use.
- Manually configure port redirection to a specific device in NAT.
You can change service port assignments or disable services in RouterOS from IP: Services, or configure port redirection from IP: Firewall: NAT. You’ll find the exact details on how you can apply these changes in the RouterOS manual.
RouterOS is a small business/enthusiast network solution, yet you can’t restrict it from redirecting privileged ports (ports below 1024). It also fails to redirect some ports without giving you any clear indication of why it can’t perform the redirection the client asked for. There’s no log message or any other indication about the problem.
The ability to redirect port 80 with UPnP is one of those things that set routers apart but its also nearly impossible to dig up any information on this ability before you purchase the router and can test for yourself.