UPnP (Universal Plug and Play) is a controversial protocol which allows fully dynamic (automatic) port mapping from LAN IPs onto the Internet. It was developed with nothing but good intentions, but received heavy criticism due to its poor security. With this protocol, each application program that uses the network maps its own ports automatically. In the screenshot below, you can see that the WhatsApp application has mapped certain ports on Tomato's WAN IP/Interface. UPnP is the original implementation of this dynamic port-mapping protocol. NAT-PMP (NAT Port Mapping Protocol) is a newer, enhanced version of UPnP, designed for better compatibility with NAT (Network Address Translation) routing. If you use dynamic port forwarding, you'll probably want to enable both protocols to maintain backward compatibility.
Enable UPnP: Enable and Disable UPnP.
Enable NAT-PMP: Enable/Disable NAT-PMP.
Inactive Rule Cleaning: The timeout period after which inactive rules are removed, counted from the last time traffic was seen flowing.
Cleaning Interval: How often the cleaning sub-process is executed.
Cleaning Threshold: The maximum number of rules to be removed in one cleaning interval.
Secure Mode: Allows only the “owner LAN IP” to trigger its own mapping/unmapping. In other words, a client can only map an incoming port to its own IP address, not to another IP address.
Enable on: Can be enabled only on certain VLANs, when necessary.
Show in My Network Places: If enabled, makes Tomato appear as a gateway device within the browsable Windows LAN network (WORKGROUP or HOMEGROUP).
Miniupnpd custom config: Allows you to specify custom configuration options not available via the GUI. In the image below, UPnP requests/mappings are denied for a specific IP address only.
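As an added illustration (not FreshTomato's or miniupnpd's own code), the Python example below models how Secure Mode and allow/deny lines of the kind entered under Miniupnpd custom config decide a mapping request. It assumes miniupnpd's rule format of allow|deny, external port range, IP/mask, internal port range, evaluated first match wins and accepting when no rule matches; the addresses, function names and sample rules are constructed for the example.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample rules (addresses are illustrative, not from the page):
# block one LAN host, allow unprivileged ports for the LAN, deny the rest.
SAMPLE_RULES = """\
deny 0-65535 192.168.1.50/32 0-65535
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

class Rule(NamedTuple):
    allow: bool
    ext_ports: range
    network: ipaddress.IPv4Network
    int_ports: range

def _ports(spec):
    """Turn '1024-65535' or '80' into an inclusive range of port numbers."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def parse_rules(text):
    """Parse allow/deny lines; comments and unrelated options are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 4 and parts[0] in ("allow", "deny"):
            rules.append(Rule(parts[0] == "allow", _ports(parts[1]),
                              ipaddress.ip_network(parts[2], strict=False),
                              _ports(parts[3])))
    return rules

def decide(rules, secure_mode, client_ip, ext_port, target_ip, int_port):
    """Return the verdict for one mapping request and the reason for it."""
    # Secure Mode: a client may only map a port to its own LAN address.
    if secure_mode and client_ip != target_ip:
        return "deny (secure mode: target is not the requesting client)"
    target = ipaddress.ip_address(target_ip)
    for number, rule in enumerate(rules, 1):  # first matching rule wins
        if (ext_port in rule.ext_ports and target in rule.network
                and int_port in rule.int_ports):
            return f"{'allow' if rule.allow else 'deny'} (rule {number})"
    return "allow (no rule matched)"  # assumed default when nothing matches

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for req in [("192.168.1.20", 5000, "192.168.1.30", 5000),
                ("192.168.1.50", 5000, "192.168.1.50", 5000),
                ("192.168.1.20", 5000, "192.168.1.20", 5000),
                ("192.168.1.20", 80, "192.168.1.20", 80)]:
        print(req, "->", decide(rules, True, *req))
```

Running the same requests with Secure Mode off and an empty rule list shows every one of them accepted, which is why a trailing deny-all line is worth adding to any custom rule set.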