So I realise the risks of UPnP, but I still want it *grin*
My setup is as follows - 3 servers behind the router, set as NAT DMZ hosts as the outgoing IP needs to match their incoming IPs.
Then laptops all on NAT, going out through the gateway address.
The laptops run various things that open UPnP ports - MSN, BitTorrent etc.
The problem is the block-all rule that of course everyone has at the top of the firewall rule set - that will block any UPnP ports that are opened internally, which kind of makes a mockery of UPnP.
So if I add an allow-all rule from WAN -> router IP then UPnP functions as expected, but that's a little too wide for my liking, even if the router itself won't respond to unopened ports.
Is there a smarter way to do this?
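The ordering problem described in the post, modelled as an added example (not from the original post, and not the configuration of any particular router): a first-match packet filter with three rule sets - the block-all rule on top with the UPnP-opened port appended below it, the allow-all WAN -> router rule, and a narrower alternative where each UPnP port mapping is inserted as its own allow rule above the block-all rule, so only the mapped port/protocol pairs are reachable. The router IP, the port numbers and the packets are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed values for the example; 203.0.113.0/24 is a documentation range.
ROUTER_WAN_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src_zone: str          # "WAN" or "LAN"
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    src_zone: Optional[str] = None   # None matches anything
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return all(
            want is None or want == have
            for want, have in (
                (self.src_zone, p.src_zone),
                (self.dst_ip, p.dst_ip),
                (self.dst_port, p.dst_port),
                (self.proto, p.proto),
            )
        )


def evaluate(rules: List[Rule], packet: Packet, default: str = "block") -> str:
    """First-match evaluation, as most packet filters do it: the first rule
    that matches decides, and later rules are never consulted."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


BLOCK_ALL_WAN = Rule("block", src_zone="WAN", comment="block-all at top")


def upnp_allow_rule(port: int, proto: str = "tcp") -> Rule:
    """The rule a UPnP port-mapping request translates into: one port, one
    protocol, destined for the router's WAN address only."""
    return Rule("allow", src_zone="WAN", dst_ip=ROUTER_WAN_IP,
                dst_port=port, proto=proto, comment=f"UPnP {proto}/{port}")


def policy_block_all_first(upnp_port: int) -> List[Rule]:
    # What the post describes: the dynamic rule lands *below* the block-all
    # rule, so the block-all rule always wins for inbound WAN traffic.
    return [BLOCK_ALL_WAN, upnp_allow_rule(upnp_port)]


def policy_allow_all_router() -> List[Rule]:
    # The workaround from the post: any WAN packet to the router IP is allowed
    # before the block-all rule is reached, mapped port or not.
    return [Rule("allow", src_zone="WAN", dst_ip=ROUTER_WAN_IP,
                 comment="allow-all WAN -> router"), BLOCK_ALL_WAN]


def policy_upnp_above_block(upnp_ports: List[int]) -> List[Rule]:
    # Narrower alternative: the dynamic per-port rules are evaluated before
    # the block-all rule, so only ports UPnP actually opened get through.
    return [upnp_allow_rule(p) for p in upnp_ports] + [BLOCK_ALL_WAN]


def main() -> None:
    mapped = Packet("WAN", ROUTER_WAN_IP, 6881)      # constructed: a mapped port
    unmapped = Packet("WAN", ROUTER_WAN_IP, 80)      # constructed: never mapped
    for name, rules in (("block-all first", policy_block_all_first(6881)),
                        ("allow-all router", policy_allow_all_router()),
                        ("UPnP above block", policy_upnp_above_block([6881]))):
        print(f"{name:17s} mapped={evaluate(rules, mapped):5s} "
              f"unmapped={evaluate(rules, unmapped)}")


if __name__ == "__main__":
    main()
```

The third rule set is the shape the narrower fix takes on any first-match filter: reserve a position (or a separate chain the top of the rule set jumps to) above the block-all rule for the dynamic UPnP rules, and leave the block-all rule where it is. Whether the router in the post lets its UPnP daemon insert rules at that position is not something the post says, so that remains the thing to check on the actual device.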