UPnP (Universal Plug'n Play) is a controvertial protocol that was developed with all the good intentions but received heavy criticism dues to the poor security implementation. Nonetheless it is a rather important protocol and allows fully dynamic port mapping from LAN IP into Internet. in the image below you that the WhatsApp application has mapped certain port on the tomato's WAN IP/Interface. UPnP is the original, historical implementation of this dynamic port-mapping protocol, NAP-PMP (NAT Port Mapping Protocol) is the enhanced version of UPnP and designed to have better compatibility with NAT communications. If you use dynamic port forwarding you will probably want both protocols enabled to retain backward compatibility.
Enable UPnP: Enable and Disable UPnP
Enable NAT-PMP: Enable/Disable NAT-PMP
Inactive Rule Cleaning: timeout to remove rules counted from the lasttime traffic was seen flowing
Cleaning Interval: How often the cleaning sub-process is executed
Cleaning Threshold: Maximumnumber of rules to be removed by an Interval
Secure Mode: As per page descruiption only the “owner LAN IP” can trigger its own mapping/unmapping
Enable on: Can be enables only on certain VLANs if needed
Show in My Network Places: if enabled Tomato will appear as a gateway devices within the browsable Windows LAN network (WORKGROUP) .
Miniupnpd custom config: allows you to specify options not available via the GUI. In the image below UPnP requests/mapping are denied for a specific IP address only.