Speaking of UPnP, I hope you will make certain that this feature is *not* exposed to the public internet, but instead strictly limited to the local network. Steve Gibson of grc.com provides perhaps the best advice (https://www.grc.com/su/UPnP-Rejected.htm):



Here's what you need to know about Universal Plug n' Play (UPnP):

UPnP is a “zero-authentication” (no passwords required) system for allowing networked devices to discover and easily connect with each other on a private local network.

Additionally, software such as Skype and BitTorrent, and gaming consoles, which wish to be “seen” on the Internet, are able to use UPnP to open “holes” through the protection normally provided by routers in order to allow “unsolicited” traffic to enter.

THE HUGE MISTAKE IS: No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only ever meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network.



You probably know all this, but just in case...