Hi all, hoping someone can help me track down how my NAS is exposed to the internet.

**Setup:**
- TP-Link Deco mesh system (acting as primary router, Spectrum modem in bridge mode)
- UGREEN NAS connected to Deco via 2.5GbE
- Windows PC connected to Deco via 2.5GbE
- NAS also has a direct 10GbE connection to the PC

**The problem:**
My NAS security log is filling up with hundreds of login attempts from external IPs (DigitalOcean, Azure, Chinese IP ranges, etc.). Auto-block is catching them but I need to close the exposure entirely.

**What I have already tried:**
- Checked NAT Forwarding in the Deco app — no port forwarding rules exist
- Disabled UGREEN Link (the NAS manufacturer's remote access/cloud relay service) — attacks continue
- Rebooted the NAS after disabling UGREEN Link — attacks continue
- Confirmed the Spectrum modem is in bridge mode — the Deco is the gateway
- Disabled all NAS services except SMB
- Auto-block is enabled and working (2 failed attempts = permanent block)

**Why I think it's the Deco:**
When I initially set up the NAS, UGREEN Link (remote access) was enabled by default. This service almost certainly used UPnP to automatically open ports on the Deco. Even though I have since disabled UGREEN Link, I believe those UPnP-created port rules may still be active on the Deco but the app gives literally zero information and the web portal is even worse.

I have not yet disabled UPnP in the Deco settings — I wanted to understand first whether rebooting the Deco would flush those rules, or if they persist until manually cleared.

**My questions:**
1. Does rebooting the Deco flush UPnP-created port rules, or do they persist?
2. Is there a way to view active UPnP rules in the Deco app or web interface?
3. Is there anything else in the Deco configuration I should check?

Thanks in advance.