UPnP and NAT-PMP both allow devices and programs that support them to automatically add dynamic port forwards and firewall entries.
ALERT: Risks!!!
Any service that allows a client device to dynamically open ports on a firewall can pose a risk to the network.
A mischievous application could pose as a UPnP client and open up the system to hackers.
pfSense does provide the ability to restrict this to certain IP / CIDR ranges, but this is still open to abuse.
It is safer to open ports manually on a case-by-case basis.
Navigate to Services → UPnP & NAT-PMP.
Configure the following options:
The Default Deny will automatically deny any UPnP & NAT-PMP requests from clients unless an ACL (Access Control List) is set.
Syntax:
[allow or deny] [external single port or range of ports] [single IP address or a single range] [internal single port or range]
Example:
allow 1024-65535 192.168.1.2 1024-65535
allow 12345 192.168.1.0/24 50000-65535
allow 80-65535 192.168.1.45/32 80-65535
where the PS has a static IP of 192.168.1.45
NOTE: Remember to click Save.
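An added example (not part of the original page or of pfSense): a small Python check that parses ACL entries in the syntax above and flags allow rules that cover more than one host or whose external range starts below port 1024. The function names and the two warning rules are assumptions of this example, not pfSense behaviour.

```python
import ipaddress

# ACL entries taken from the example on this page.
PAGE_ENTRIES = [
    "allow 1024-65535 192.168.1.2 1024-65535",
    "allow 12345 192.168.1.0/24 50000-65535",
    "allow 80-65535 192.168.1.45/32 80-65535",
]

def parse_ports(text):
    """Parse 'N' or 'N-M' into (low, high); raise ValueError if malformed."""
    low, sep, high = text.partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi

def audit_acl(line):
    """Return warnings for one ACL entry; an empty list means no findings."""
    fields = line.split()
    if len(fields) != 4:
        return [f"expected 4 fields, got {len(fields)}"]
    action, external, address, internal = fields
    if action not in ("allow", "deny"):
        return [f"unknown action: {action}"]
    try:
        ext_lo, _ = parse_ports(external)
        parse_ports(internal)
        net = ipaddress.ip_network(address, strict=False)
    except ValueError as exc:
        return [f"invalid entry: {exc}"]
    warnings = []
    if action == "allow":
        # Assumed policy of this example: prefer one host per allow rule
        # and keep external ports out of the well-known range.
        if net.num_addresses > 1:
            warnings.append(f"{net} covers {net.num_addresses} addresses")
        if ext_lo < 1024:
            warnings.append(f"external range {external} starts below 1024")
    return warnings

if __name__ == "__main__":
    for entry in PAGE_ENTRIES:
        print(entry, "->", audit_acl(entry) or "ok")
```

Run against the three entries above, only the single-host rule for 192.168.1.2 passes without a warning.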