What I wish routers did was make UPNP a pending request something I could go and approve. Limit it to the device making it, let it switch it on and off but fundamentally I want to control if I want that hole made or not. OpenWRT comes without UPNP in its base images for a reason, its a major security hole. But I think there is a middle ground here where UPNP isn't just no or yes but rather authorised which will reduce the problem and provide autoconfiguration but without automated firewall holes.
manwe150|1 month ago
But if you don’t have it on, software just falls back to STUN, which achieves the same exact result as upnp, just an order of magnitude slower and less reliably (though doesn’t require any router configuration or cooperation)