diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index e970623794..b1e98c6a17 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -7,6 +7,22 @@ WWW: https://miniupnp.tuxfamily.org/
 Plugin Changelog
 ================
 
+1.9
+
+* Separate service log file and log level UI option
+* More specific allow third-party mapping UI option
+* Impove help/wording and update missed changelog
+* Add daemon patch to improve logging
+
+1.8
+
+* New UI options: disable IPv6 mapping, allow third-party mapping, UPnP IGD compatibility, router/friendly name; remove option: report system uptime (bug)
+* List IPv6 maps and keep active maps when reconfiguring/restarting service, clearer added via / description field
+* New UI sections, rewording plugin, set allow-filtered with STUN to workaround CGNAT test limitation, clean up daemon config
+* Update daemon to 2.3.9, add build options (e.g. IGDv2 support), add daemon patch to improve UPnP IGDv2 compatibility
+
+(1.8/1.9 contributed by Self-Hosting-Group)
+
 1.7
 
 * Add option to allow arbitrary number of UPnP/NAT-PMP rules (contributed by Kreeblah)
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index a3f01f48c0..7f91e74406 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -44,10 +44,12 @@ function miniupnpd_firewall($fw)
         return;
     }
 
+    /* required for IPv4: */
     $fw->registerAnchor('miniupnpd', 'rdr');
+    /* required for IPv6: */
     $fw->registerAnchor('miniupnpd', 'fw');
+    /* required for IPv4 NAT hairpinning: */
     $fw->registerAnchor('miniupnpd', 'nat', 0, 'head');
-    $fw->registerAnchor('miniupnpd', 'binat');
 }
 
 function miniupnpd_services()
@@ -88,14 +90,11 @@ function miniupnpd_start()
     $cmd_args = ['/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid'];
 
     switch ($log_level) {
-        case 'debug':
-            $cmd_frmt[] = '-v';
-            /* FALLTHROUGH */
         case 'info':
             $cmd_frmt[] = '-v';
-            /* FALLTHROUGH */
-        default:
             break;
+        case 'debug':
+            $cmd_frmt[] = '-vv';
     }
 
     mwexecfb($cmd_frmt, $cmd_args);
@@ -105,8 +104,8 @@ function miniupnpd_stop()
 {
     killbypid('/var/run/miniupnpd.pid');
 
-    mwexecf('/sbin/pfctl -a miniupnpd -Fr');
-    mwexecf('/sbin/pfctl -a miniupnpd -Fn');
+    mwexecf('/sbin/pfctl -a miniupnpd -F rules');
+    mwexecf('/sbin/pfctl -a miniupnpd -F nat');
 }
 
 function miniupnpd_configure()
@@ -221,11 +220,15 @@ function miniupnpd_configure_do($verbose = false)
                 $config_text .= "bitrate_up={$upload}\n";
             }
 
-            if (!empty($upnp_config['allow_third_party_mapping'])) {
+            if (in_array($upnp_config['allow_third_party_mapping'] ?? '', ['1', 'upnp-igd'])) {
                 $config_text .= "secure_mode=no\n";
-                $config_text .= "pcp_allow_thirdparty=yes\n";
             } else {
                 $config_text .= "secure_mode=yes\n";
+            }
+
+            if (in_array($upnp_config['allow_third_party_mapping'] ?? '', ['1', 'pcp'])) {
+                $config_text .= "pcp_allow_thirdparty=yes\n";
+            } else {
                 $config_text .= "pcp_allow_thirdparty=no\n";
             }
 
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
index 77d5cf5822..159112fb57 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
@@ -11,11 +11,11 @@
             <pattern>status_upnp.php*</pattern>
         </patterns>
     </page-status-upnpstatus>
-    <page-services-upnp-log>
+    <page-diagnostics-logs-upnp>
         <name>Services: UPnP IGD &amp; PCP: Log File</name>
         <patterns>
             <pattern>ui/diagnostics/log/core/miniupnpd/*</pattern>
             <pattern>api/diagnostics/log/core/miniupnpd/*</pattern>
         </patterns>
-    </page-services-upnp-log>
+    </page-diagnostics-logs-upnp>
 </acl>
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index d9a3e2230b..76a4626306 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -179,7 +179,7 @@ function miniupnpd_validate_port($port)
         // save form data
         $upnp = [];
         // boolean types
-        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault', 'allow_third_party_mapping', 'ipv6_disable'] as $fieldname) {
+        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault', 'ipv6_disable'] as $fieldname) {
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
         // numeric types
@@ -187,7 +187,7 @@ function miniupnpd_validate_port($port)
             $upnp['num_permuser'] = $pconfig['num_permuser'];
         }
         // text field types
-        foreach (['download', 'ext_iface', 'friendly_name', 'log_level', 'overridesubnet', 'overridewanip', 'stun_host', 'stun_port', 'upload', 'upnp_igd_compat'] as $fieldname) {
+        foreach (['allow_third_party_mapping', 'download', 'ext_iface', 'friendly_name', 'log_level', 'overridesubnet', 'overridewanip', 'stun_host', 'stun_port', 'upload', 'upnp_igd_compat'] as $fieldname) {
             $upnp[$fieldname] = $pconfig[$fieldname];
         }
         foreach (miniupnpd_permuser_list() as $fieldname) {
@@ -234,7 +234,7 @@ function miniupnpd_validate_port($port)
                   </thead>
                   <tbody>
                     <tr>
-                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable service");?></td>
+                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enabled");?></td>
                       <td>
                        <input name="enable" type="checkbox" value="yes" <?=!empty($pconfig['enable']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable">
@@ -350,9 +350,14 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><a id="help_for_allow_third_party_mapping" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow third-party mapping");?></td>
                       <td>
-                        <input name="allow_third_party_mapping" type="checkbox" value="yes" <?=!empty($pconfig['allow_third_party_mapping']) ? "checked=\"checked\"" : ""; ?> />
+                        <select name="allow_third_party_mapping">
+                          <option value="0" <?= ($pconfig['allow_third_party_mapping'] ?? '') == '0' ? 'selected="selected"' : '' ?> ><?= gettext('Disabled (recommended)') ?></option>
+                          <option value="1" <?= ($pconfig['allow_third_party_mapping'] ?? '') == '1' ? 'selected="selected"' : '' ?> ><?= gettext('Enabled') ?></option>
+                          <option value="upnp-igd" <?= ($pconfig['allow_third_party_mapping'] ?? '') == 'upnp-igd' ? 'selected="selected"' : '' ?> ><?= gettext('Enabled (UPnP IGD only)') ?></option>
+                          <option value="pcp" <?= ($pconfig['allow_third_party_mapping'] ?? '') == 'pcp' ? 'selected="selected"' : '' ?> ><?= gettext('Enabled (PCP only)') ?></option>
+                        </select>
                         <div class="hidden" data-for="help_for_allow_third_party_mapping">
-                          <?=gettext("Allow adding port maps for non-requesting IP addresses.");?>
+                          <?=gettext("Allow adding port maps for non-requesting IP addresses; use with care.");?>
                         </div>
                       </td>
                     </tr>