MiniUPnP Project

Home | Downloads | Compatibility list | libnatpmp | xchat upnp patch | Forum

NAT Port Mapping Protocol (NAT-PMP)

To put it in a nutshell, the NAT Port Mapping Protocol promoted by Apple computer and integrated in recent AirPort wireless routers/access points and in Mac OS X is an alternative to the much less elegant UPnP IGD (Internet Gateway Device) specification.

NAT-PMP is part of the Bonjour protocol specifications. Below is the description of the protocol as found in the internet draft (ie RFC draft) first published by Apple Computer in september 2005, and updated since until it became RFC 6886. All the versions are available on IEFT web site.

It is designed to work on small NATed LANs : A domestic network with one wireless router and a few devices with private IP addresses, as defined in RFC 1918. In NAT-PMP, the service is provided by the default gateway of the network which is the router connecting the private network to the outside world. The clients send their request in the form of UDP packets to the port 5351 of the default gateway. So there is no need for a discovery process as it is the case within the UPnP IGD specification.

NAT-PMP has now be superseded by it's successor, Port Control Protocol (aka PCP) which is described in RFC 6887.

Structure of the request and response packets

Every request packet starts with two bytes : the protocol version (must be 0) and the Operation code. The response starts with one byte for protocol version (0) followed by the response operation code (128 + the request operation code) and two bytes (in network order) for the result code. All 2 bytes and 4 bytes values are transmitted in network order.

Note : PCP use version 2 (Version number 1 was used by a vendor that shipped products that use a protocol that is incompatible with the IETF Standard).

Public address request. OP Code = 0

Byte 0Byte 1
Version = 0OP Code = 0

Public address response. OP Code = 128

Byte 0Byte 1Byte 2Byte 3
Version = 0OP Code = 128Result code
Byte 4Byte 5Byte 6Byte 7
Seconds since port mapping table was initialized
Byte 8Byte 9Byte 10Byte 11
Public IP Address

New port mapping request. OP Code = 1 for UDP or 2 for TCP

Byte 0Byte 1Byte 2Byte 3
Version = 0OP Code = 1 | 2Reserved (0)
Byte 4Byte 5Byte 6Byte 7
Private portrequested public port
Byte 8Byte 9Byte 10Byte 11
Requested port mapping lifetime in seconds

New port mapping response. OP Code = 129 for UDP or 130 for TCP

Byte 0Byte 1Byte 2Byte 3
Version = 0OP Code = 129 | 130Result code
Byte 4Byte 5Byte 6Byte 7
Seconds since port mapping table was initialized
Byte 8Byte 9Byte 10Byte 11
Private portMapped public port
Byte 12Byte 13Byte 14Byte 15
Port mapping lifetime in seconds

Result code table

1Unsupported Version
2Not Authorized/Refused (e.g. box supports mapping, but user has turned feature off)
3Network Failure (e.g. NAT box itself has not obtained a DHCP lease)
4Out of resources (NAT box cannot create any more mappings at this time)
5Unsupported opcode


When the public address changes, the NAT gateway must send a notification on the multicast group port 5351 with the format of a public address response. update : since the 2008 version of the specification, port 5350 is used instead.

There is no specific request to remove a port mapping. One should use the port mapping request with a lifetime of zero. If lifetime and private port are zero, then all the port mapping to this host are removed.

Valid XHTML 1.0 Transitional Valid CSS!