Surf Soho internal access rule for nat-pmp


Great forum, I spent some time reading but didn’t exactly find my answer.

Surf soho, I have one machine that runs a few services that would be nice to use NAT-PMP, but I don’t care to allow any device on the network to use it. I enabled Nat-PMP (only, not UPnP)

So I setup an internal rule.

This blocks NAT-PMP for all hosts, but does not allow 1.8 to use it. I also tried with mac address and a few other variations.

Am I just using this feature incorrectly? Can I allow 1.8 to use NAT-PMP and no other hosts?



Using the router IP in the deny rule doesn’t work either, it allows every IP to use NAT-PNP


Any ideas here? I just want one IP to be able to use NAT-PMP.


Isn’t NAT-PMP a LAN side only thing? If so, then I don’t think that an internal firewall rule is appropriate. I think they are intended for controlling vlan to vlan access and vlan to untagged lan access. Take this with a grain of salt, a bit over my head here.


yes it is a lan only connection. udp on that port to the routers lan ip. i am hoping the internal network firewall rules apply to any traffic hitting the router from the lan.


I am somewhat out of my depth, but I think by definition a firewall lives at the boundary of two networks. Traffic from one LAN device to another LAN device traverses no boundary, so firewalls don’t come into play. The exception being if the LAN side devices were in different VLANs. You can have internal firewall rules that govern VLAN to VLAN traffic.


Right. Obviously I don’t expect the firewall to do anything with traffic that doesn’t hit the routers lan ports. I guess I just want to know more about what exactly “Internal Network Firewall” can do, or how to properly use it.

Since NAT-PMP is a service running on the router, the traffic has to hit the router lan port (5351 UDP)… I know that my deny rule “no nat-pmp” does kill the nat-pmp function… nothing can use it… so i know the filter is working. My probablem is trying to get an exception that that rule to work. I want 1.8 to be able to use it.


Hello @mbw,
To extend on @Michael234 guidance, there is two firewalls available

  • between the WAN & LAN sides of the network
  • between the VLANs

There is no ability to firewall on the same LAN/VLAN segment of the balance routers (and from my checks that includes the SD switch series), if you want to operate a firewall between the physical LAN ports, you will need to assign each of them to a separate VLAN and then setup suitable rules between the VLANs.

Have a look at this previous reply, it highlights six different threads on setting up VLANs, most of it is to do with InControl2 though there is some good information there.

You can also do this search within the forum “how to setup VLAN”.
Happy to Help,
Marcus :slight_smile:


That makes sense. The deny rule did work, so I thought it might be possible within a vlan. I ended up just disabling NAT-PMP and manually setup a port for now.