For any 1-to-1 NAT LAN address, uPnP discovery should be blocked
Some apps e.g. stellar-core and siad (the Sia daemon) use uPnP discovery to determine their WAN IP, then fall back to other methods if uPnP is not available. This means that if you are running 1-to-1 NAT for All Protocols and Ports
and using MiniuPnP, the wrong external IP gets identified. Stellar are going to introduce a switch to disable uPnP, but there is no clear intention with Sia.
In ClearOS, for 1-to-1 All Protocols and Ports
IP's we should add a firewall rule:
iptables -w -I INPUT -s 1-to-1_LAN_IP -p udp --dport 1900 -j DROP
Edited by Nick