Would using miniupnpd with an ACL to allow only one host (PS4) on an isolated VLAN be considered security malpractice?
That should be fine. The primary concern is allowing any host anywhere to open ports via UPnP, which can be dangerous. Since you are limiting the exposure of UPnP to a single host (PS4) and isolating it from the rest of your network, you have greatly minimized your potential risk.
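The restriction described above, written out as a miniupnpd.conf fragment. This is an added illustration, not configuration from the thread or from the generator pfSense uses; the interface names, the Media VLAN subnet and the PS4 address are assumptions (placeholders).

```conf
# miniupnpd.conf fragment (added example; names and addresses are assumed).
# Assumptions: WAN is em0; the Media VLAN is em1.30 with subnet 192.168.30.0/24;
# the PS4 has the static address 192.168.30.10 (placeholder).
ext_ifname=em0
listening_ip=em1.30            # bind only to the Media VLAN; SSDP from other VLANs is ignored
enable_upnp=yes
enable_natpmp=yes
secure_mode=yes                # a client may only request mappings to its own address

# Permission rules are evaluated top to bottom; the first matching rule is used.
# Format: allow|deny <external port range> <ip/mask> <internal port range>
allow 1024-65535 192.168.30.10/32 1024-65535   # the PS4 only
deny 0-65535 0.0.0.0/0 0-65535                 # everything else on the VLAN
```

With this in place, a mapping request from any other address on the Media VLAN is refused, and hosts on other VLANs never reach the daemon because it is not listening there.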
@jimp Thank you.
I see this in the routing log:
Jun 29 11:52:13 miniupnpd 65764 SSDP packet sender 192.168.20.50:46958 (if_index=10) not from a LAN, ignoring
I think it's doing exactly what it should be doing: ignoring hosts not on a configured (in UPnP settings) network. That IP is a Sonos speaker. It's a lot of log spam, every 30 seconds or so, and not the most descriptive message. The PS4 is on the "Media" VLAN and the Sonos speakers are currently on the "Home" VLAN. UPnP is 'listening' only on Media.
Had a moment to look in the logs more closely. I see this:
miniupnpd 34231 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
It works, but... this happens on every restart of miniupnpd after a config change.