How to Turn Off NAT-PMP on AirPort Routers from macOS

AirPort routers from Apple have a service called NAT-PMP (Network Address Translation Port Mapping Protocol) that is turned on by default. This service allows applications and/or devices inside your network to automatically open ports in your router, making them accessible from the Internet. While this feature does make it easier to set up Internet of Things devices (doorbells, webcams, light bulbs), it makes your network more vulnerable to attack.

The recent (October 2016) Denial of Service attacks on the Domain Name System that pretty much broke the internet for half a day were due to devices inside people’s networks being commandeered to act on behalf of the bad actors. In other words, having NAT-PMP enabled on an AirPort router (or UPnP on other manufacturers’ routers) allowed these Internet of Things devices to be recruited into a botnet.

If you want to learn more, please see this Wikipedia article: https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol

These instructions show you how to turn NAT-PMP off in an AirPort router using AirPort Utility, which is inside your Applications/Utilities folder. If you have a Netgear Nighthawk router, please see this tutorial: https://www.podfeet.com/blog/how-to-turn-off-upnp-on-netgear-nighthawk-routers/

Open AirPort Utility

Click on the image or name of the router (mine is called Tall Dart), which will enable a menu.

Click on Edit

Select the Network Tab

Select Network Options

Disable NAT Port Mapping Protocol

  1. Uncheck the box next to "Enable NAT Port Mapping Protocol"
  2. Click Save

Your AirPort router will tell you that it has to restart. In a few minutes you should be back up and running.
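
To confirm the setting took effect once the router is back up, the following added example (not part of the original tutorial) sends a NAT-PMP external-address request, as defined in RFC 6886, to the router on UDP port 5351 and reports whether anything answers. The request is read-only and opens no ports; the gateway address `10.0.1.1` is an assumption, so pass your router's LAN address as the first argument.

```python
import socket
import struct
import sys

NATPMP_PORT = 5351  # RFC 6886: the gateway listens on UDP 5351
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_request():
    """External-address request: version 0, opcode 0. Creates no port mapping."""
    return struct.pack("!BB", 0, 0)


def parse_response(data):
    """Decode an external-address response; raise ValueError if it is not one."""
    if len(data) < 4:
        raise ValueError("short packet")
    version, opcode, result = struct.unpack("!BBH", data[:4])
    if version != 0 or opcode != 128:
        raise ValueError("not a NAT-PMP external-address response")
    info = {"result": RESULT_CODES.get(result, "unknown (%d)" % result),
            "external_ip": None}
    # The address field is only guaranteed to be present on success.
    if result == 0 and len(data) >= 12:
        info["external_ip"] = socket.inet_ntoa(data[8:12])
    return info


def probe(gateway, tries=3, timeout=0.25):
    """Return 'enabled' if the gateway answers NAT-PMP, else 'no response'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((gateway, NATPMP_PORT))
        for _ in range(tries):
            s.settimeout(timeout)
            try:
                s.send(build_request())
                parse_response(s.recv(64))
                return "enabled"
            except (socket.timeout, ConnectionRefusedError, ValueError):
                timeout *= 2  # RFC 6886 doubles the wait between retries
    return "no response"


if __name__ == "__main__":
    # Assumed gateway address; pass your router's LAN IP as the first argument.
    gw = sys.argv[1] if len(sys.argv) > 1 else "10.0.1.1"
    print("NAT-PMP on %s: %s" % (gw, probe(gw)))
```

A result of `no response` after the restart is what you want to see; `enabled` means the router is still answering port-mapping requests and the checkbox should be rechecked.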

If any of your internal network devices stop working, contact the manufacturer. They should be able to tell you the specific ports to open and how to open them. If they tell you that you must have NAT-PMP or UPnP enabled, you’ll have to decide for yourself whether to re-enable it or get rid of a device that makes your network less secure.