Recently I had the need to allow a few devices to open UPNP ports to the internet. My OpnSense router is in a DMZ because I could not find a way to bypass my Verizon Fios router without disrupting my TV service. As a result, my OpnSense router gets a private IP address for the WAN port and most UPNP devices fail. To get these devices to work properly I needed to register a STUN server in the UPNP configuration. Once STUN was configured UPNP started working properly.
I used stun.l.google.com on port 19302. There are some other random stun servers out there that you can use. I just went with google.