UPnP devices yell about their presence to anybody who’s willing to listen. Say you plug in a new printer. That printer yells “hey, I’m a new printer, happy to meet you all”. DHCP will assign that printer a local IP address. If you happen to know that address, you can access it – great. But there are plenty of devices in your local network and they don’t really care about discovering their neighbors. What UPnP does differently is that it makes sure everybody else knows about that address by propagating that device’s existence to everyone else.
It’s two protocols for two different things:
– Most common, it’s a protocol to discover devices on your network and have those devices advertise their presence. This is how your network backup device or media player advertises itself to appear in your computer’s list of nearby machines.
– Additionally, it’s a way to instruct a firewall/router to open ports to your machine so that the world can access parts of your network.
The second is used for, say, a gaming console or teleconferencing app to literally “open a hole” on your network so that other players can talk to game servers that you are hosting etc.
Unfortunately, the latter is surprisingly common and yet still COMPLETELY INSECURE. Literally any device on your network can request your firewall to open any port and forward it to any other device on your local network. There is no authentication, confirmation, or way to tell that it’s been done (such facilities exist, but almost nothing actually has them turned on or even has the option to do so). Hence, it’s a security risk and most often disabled on corporate networks.
It’s also completely irrelevant in modern times as pretty much every game, application, etc. works just fine behind your “firewall” (more accurately something called NAT) nowadays and so such port-forwarding is entirely unnecessary for the vast majority of people.
The former is not really a security risk. UPnP discovery just stays on your local network and is helpful.
The latter is a serious security risk and entirely unnecessary.
However both are called “UPnP”.
The difference is where they are turned on. Do you want your media player to have UPnP enabled so you can find it on the network? Sure. Do you want UPnP enabled on your firewall/router so that literally anything inside your network (e.g. your cheap Chinese CCTV camera, kids toys, etc.) can just open up holes from the Internet to your local network without you ever knowing? No.
Hence, always disable this on your wifi / router.
Will it affect you joining/hosting games? Not nowadays. I have a 20-year-old Steam account with 1500+ games on it, and it makes no difference at all. It’s a common fallacy that you have to have UPnP enabled (and, like I say, almost no corporate networks allow it).
P.S. I’m an IT manager of 25+ years.
It *USED* to be required back in the dark ages when people were too dumb to port-forward themselves and also were trying to host services from their own home connection (e.g. host a game server, not just join a game server). That’s no longer true, and most ISPs stop you from doing that now because they’ve put you behind NAT anyway.
Unless you’re literally offering a network service to the world hosted by your own machine, you don’t need to port-forward on your home connection, ever. If you are doing that, you better hope you understand what risks that brings in terms of keeping that hosted service up-to-date and exposed to the global Internet. And if that’s true… then you still don’t need UPnP because you should be smart enough to port-forward that yourself anyway.
Take my advice – go into your wifi/router and see if there’s an option to disable UPnP. Turn it off. See if you notice any difference. If there is no option… find a better wifi/router.
You can have it turned on in your game, on your media player, etc. But turn it off on your router.
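The two halves of “UPnP” the answer separates are SSDP discovery (the device “yelling”) and the Internet Gateway Device service on the router that hands out port mappings. The following Python, added here as an illustration and not part of the answer above, walks through both offline: it parses a constructed SSDP reply, pulls the WANIPConnection control URL out of a constructed device description, and builds and parses the read-only GetGenericPortMappingEntry request an audit uses to list what is already forwarded. The message formats follow the UPnP IGD specification; the router address, the XML documents and the “IP Camera” mapping are constructed sample data, and no packets are sent.

```python
"""Offline walk-through of SSDP discovery and an IGD port-mapping audit.
All inputs are constructed samples; a real check would send M_SEARCH over
UDP to 239.255.255.250:1900 and POST the SOAP body to the control URL."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urljoin

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

# The multicast search a client would send (shown for reference, not sent).
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\nMX: 2\r\n' + f"ST: {IGD_ST}\r\n\r\n"
)

# Constructed unicast reply as a router would send it (address is an assumption).
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: Linux/3.10 UPnP/1.0 ExampleRouter/1.0\r\n"
    f"ST: {IGD_ST}\r\nUSN: uuid:00000000-0000-0000-0000-000000000001::{IGD_ST}\r\n\r\n"
)

# Constructed device description served at LOCATION (trimmed to the relevant tree).
SAMPLE_DEVICE_XML = f"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>{IGD_ST}</deviceType><friendlyName>Example Router</friendlyName>
 <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service><serviceType>{WANIP_SERVICE}</serviceType>
    <controlURL>/ctl/IPConn</controlURL></service></serviceList>
  </device></deviceList></device></deviceList></device></root>"""

# Constructed SOAP response for mapping index 0: a camera exposed on WAN port 8080.
SAMPLE_MAPPING_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.57</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>IP Camera</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_ssdp_headers(reply: str) -> dict:
    """Parse the header lines of an SSDP response into a lower-cased dict."""
    headers = {}
    for line in reply.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def find_control_url(location: str, description_xml: str) -> Optional[str]:
    """Return the absolute control URL of the WAN*Connection service, i.e. the
    endpoint every port-mapping request on this router is sent to."""
    for service in ET.fromstring(description_xml).iter():
        if _local(service.tag) != "service":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in service}
        if "Connection:" in fields.get("serviceType", ""):
            return urljoin(location, fields.get("controlURL", ""))
    return None


def build_get_mapping_request(index: int) -> tuple:
    """SOAP headers and body for GetGenericPortMappingEntry, the read-only
    action an audit repeats with index 0, 1, 2... until the router answers
    with error 713 (SpecifiedArrayIndexInvalid), meaning no more entries."""
    body = (
        '<?xml version="1.0"?><s:Envelope '
        'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP_SERVICE}#GetGenericPortMappingEntry"'}
    return headers, body


def parse_mapping_response(xml_text: str) -> dict:
    """Collect the New* arguments of a mapping response, keyed without 'New'."""
    return {_local(el.tag)[3:]: (el.text or "").strip()
            for el in ET.fromstring(xml_text).iter() if _local(el.tag).startswith("New")}


def describe_mapping(m: dict) -> str:
    """One audit line per mapping; a lease of 0 never expires on its own."""
    lease = "permanent" if m["LeaseDuration"] == "0" else f"{m['LeaseDuration']}s"
    return (f"WAN {m['Protocol']}/{m['ExternalPort']} -> {m['InternalClient']}:"
            f"{m['InternalPort']} ({m['PortMappingDescription'] or 'no description'}, {lease})")


if __name__ == "__main__":
    loc = parse_ssdp_headers(SAMPLE_SSDP_REPLY)["location"]
    print("control URL:", find_control_url(loc, SAMPLE_DEVICE_XML))
    print(describe_mapping(parse_mapping_response(SAMPLE_MAPPING_RESPONSE)))
```

Run against a real router, the useful signal is twofold: after turning UPnP off, the M-SEARCH should get no IGD reply at all, and before that, any line the audit prints that you did not create yourself (here a camera reachable from the Internet on 8080, permanently) is exactly the silent hole the answer warns about. The script deliberately implements only the read-only enumeration action, not AddPortMapping.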