
EdgeRouter - How do I troubleshoot port forwarding (DNAT) issues?

This KB is specifically for the EdgeOS port forward wizard available since version 1.4. Most of the following steps should also apply if you are manually doing port forwarding (Destination NAT).

Check for inbound connectivity

First, confirm that your router has a public IP address, and not an RFC1918 private address in the 10.0.0.0/8 (10.0.0.0-10.255.255.255), 172.16.0.0/12 (172.16.0.0-172.31.255.255) or 192.168.0.0/16 (192.168.0.0-192.168.255.255) range. You can check in the GUI on the main “Dashboard” tab or via the CLI/SSH with the following command:

show interfaces
ubnt@ubnt:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 2.2.2.2/30 u/u Internet
eth1 192.168.1.1/24 u/D Local
eth2 192.168.2.1/24 u/D Local 2
lo 127.0.0.1/8 u/u

If you are getting a private address on your WAN port, this means either your modem is in router mode or your ISP is handing out a private IP address. You'll need to check with your ISP whether you can put your modem in bridge mode and whether you should be getting a public IP address (e.g., 2.2.2.2 above).

If you are getting a public address, double check that you are trying to access the correct public IP address. If you are accessing the port forward via DNS/DDNS, try pinging the host to confirm it is resolving to the correct IP.

On some Internet connections (usually residential), even if you have a public IP address, your ISP may not allow you to host services on common ports like 25 (SMTP), 80 (HTTP) and 443 (HTTPS). You can use tcpdump to check whether packets are reaching your router.


In this example we have added a port forward that forwards packets arriving on TCP port 8282 to the private (forward-to) address 192.168.1.39, i.e. Public:8282 -> 192.168.1.39:8282. The forward-to port only needs to be set if you want to translate the public port to a different private port, e.g., 8282 -> 443.

eth0 = WAN

eth1 = LAN 192.168.1.0/24


Run the following command from the CLI and try to access your port forward (from the Internet, not locally). Change 8282 to your original (public) port:

sudo tcpdump -nv -i eth0 not port 22 and port 8282

The output should look something like this (possibly several pages):

ubnt@ubnt:~$ sudo tcpdump -nv -i eth0 not port 22 and port 8282
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:03:24.936592 IP (tos 0x0, ttl 128, id 23813, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.60386 > 2.2.2.2.8282: Flags [S], cksum 0x333f (correct), seq 1306542023, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:03:24.936928 IP (tos 0x0, ttl 128, id 23814, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.60387 > 2.2.2.2.8282: Flags [S], cksum 0xc46c (correct), seq 1879477362, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

If you don't see something like the above, your ISP may be blocking this port. Try using a different original port or check with your provider.

Check for outbound connectivity

*If your LAN interface is a bridged interface and you are trying to access the port forward locally, you may need to put the bridge into “promiscuous mode”:

configure
set interfaces bridge br0 promiscuous enable
commit
save
exit


Check that packets are leaving the correct interface, in this example eth1. Change 8282 to your forward-to (private) port.


sudo tcpdump -nv -i eth1 not port 22 and port 8282
ubnt@ubnt:~$ sudo tcpdump -nv -i eth1 not port 22 and port 8282
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:04:54.241129 IP (tos 0x0, ttl 127, id 25226, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.60703 > 192.168.1.39.8282: Flags [S], cksum 0xd41a (correct), seq 3153276637, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:04:54.241337 IP (tos 0x0, ttl 127, id 25227, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.60704 > 192.168.1.39.8282: Flags [S], cksum 0xaecc (correct), seq 582872416, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:04:54.241506 IP (tos 0x0, ttl 127, id 25228, offset 0, flags [DF], proto TCP (6), length 52)


You should see something similar to this.

If you don't, make sure that you have "Auto Firewall" enabled under Firewall/NAT -> Port Forwarding.

Check your host

Verify that the Forward-to IP address (private device/service) is correct and that you can access the service/device via its LAN address. You may want to disable any software firewalls on your PC when testing. Also, make sure that the private host is either statically assigned or that it has a DHCP reservation. Otherwise, it may pull a different IP address and break your port forward.

Check that the private device/service has the correct subnet and default gateway settings. One of the most common causes of port forwarding issues we see is an incorrect default gateway.
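The checks above (public WAN address, SYNs arriving on the WAN interface, SYNs leaving the LAN interface, and the host's subnet/gateway settings) can be run offline against pasted router output. The script below is an added example, not part of this article or of EdgeOS; it assumes the article's layout (eth0 = WAN 2.2.2.2/30, eth1 = LAN 192.168.1.1/24, forward Public:8282 -> 192.168.1.39:8282), and the helper names (ip2int, is_rfc1918, iface_address, count_syn_to, diagnose_forward, host_config_ok) and the sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Ubiquiti's tooling): offline checks for the troubleshooting steps
# in this article. Paste 'show interfaces' and 'tcpdump -nv' output from the router
# into the variables below (or read it from files) and run the functions.

# Dotted quad -> 32-bit integer (POSIX sh, no bashisms).
ip2int() {
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when the address is in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_rfc1918() {
    _n=$(ip2int "$1")
    [ $(( _n >> 24 )) -eq 10 ] && return 0
    [ $(( _n >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0
    [ $(( _n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0
    return 1
}

# Address of interface $1 from 'show interfaces' text on stdin, prefix length stripped.
iface_address() {
    awk -v ifc="$1" '$1 == ifc { split($2, a, "/"); print a[1] }'
}

# Count TCP SYNs whose destination is "$1" (ip.port, tcpdump -n notation) in
# 'tcpdump -nv' text on stdin. Only the flow line of each packet matches.
count_syn_to() {
    awk -v dst="$1:" '$2 == ">" && $3 == dst && $4 == "Flags" && $5 == "[S]," { c++ }
                      END { print c + 0 }'
}

# Inbound and outbound checks. $1 WAN ifname, $2 public port, $3 forward-to IP,
# $4 forward-to port, $5 'show interfaces' text, $6 WAN capture, $7 LAN capture.
# Returns 0 when both captures show the expected SYNs; 1-4 identify the failing step.
diagnose_forward() {
    wan_ip=$(printf '%s\n' "$5" | iface_address "$1")
    [ -n "$wan_ip" ] || { echo "no address on $1"; return 1; }
    if is_rfc1918 "$wan_ip"; then
        echo "$1 has private address $wan_ip: modem in router mode or ISP-assigned private IP"
        return 2
    fi
    n_in=$(printf '%s\n' "$6" | count_syn_to "$wan_ip.$2")
    [ "$n_in" -gt 0 ] || { echo "no SYNs to $wan_ip:$2 on $1: wrong public IP/DNS or ISP filtering"; return 3; }
    n_out=$(printf '%s\n' "$7" | count_syn_to "$3.$4")
    [ "$n_out" -gt 0 ] || { echo "SYNs arrive on $1 but none leave for $3:$4: check the DNAT rule and Auto Firewall"; return 4; }
    echo "OK: $n_in SYN(s) on $1, $n_out forwarded to $3:$4"
}

# Host check: $1 host IP, $2 host prefix length, $3 host default gateway,
# $4 router LAN address/prefix (e.g. 192.168.1.1/24). Returns 0 when consistent.
host_config_ok() {
    lan_ip=${4%/*}; lan_len=${4#*/}
    mask=$(( (0xFFFFFFFF << (32 - lan_len)) & 0xFFFFFFFF ))
    [ "$2" -eq "$lan_len" ] || { echo "host prefix /$2 differs from router /$lan_len"; return 1; }
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$lan_ip") & mask )) ] \
        || { echo "host $1 is not in the router's LAN subnet"; return 2; }
    [ "$3" = "$lan_ip" ] || { echo "host gateway $3 is not the router LAN address $lan_ip"; return 3; }
    echo "host config OK"
}

# Constructed samples, trimmed from the router output shown in this article.
SAMPLE_SHOW_IFACES='eth0 2.2.2.2/30 u/u Internet
eth1 192.168.1.1/24 u/D Local'
SAMPLE_WAN_CAP='00:03:24.936592 IP (tos 0x0, ttl 128, id 23813, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.60386 > 2.2.2.2.8282: Flags [S], cksum 0x333f (correct), seq 1306542023, win 8192, length 0
00:03:24.936928 IP (tos 0x0, ttl 128, id 23814, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.60387 > 2.2.2.2.8282: Flags [S], cksum 0xc46c (correct), seq 1879477362, win 8192, length 0'
SAMPLE_LAN_CAP='00:04:54.241129 IP (tos 0x0, ttl 127, id 25226, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.60703 > 192.168.1.39.8282: Flags [S], cksum 0xd41a (correct), seq 3153276637, win 8192, length 0'

diagnose_forward eth0 8282 192.168.1.39 8282 "$SAMPLE_SHOW_IFACES" "$SAMPLE_WAN_CAP" "$SAMPLE_LAN_CAP"
host_config_ok 192.168.1.39 24 192.168.1.1 192.168.1.1/24
```

The return code tells you which step in the article to go back to: 2 means the WAN address is private (modem or ISP), 3 means nothing reached the WAN port (wrong public IP or ISP filtering), 4 means the router saw the SYNs but did not forward them (DNAT rule or Auto Firewall), and host_config_ok flags the subnet/gateway mismatch that the text above names as the most common cause.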

Finally, you can check that port forwarded packets are reaching your private device using tcpdump or Wireshark. In this case, 192.168.1.39 (forward-to address) is an airMAX radio, whose HTTPS port was changed to 8282.


tcpdump -nv -i br0 not port 22 and port 8282
XM.v5.6-beta4.22359.140521.1845# tcpdump -nv -i br0 not port 22 and port 8282
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
20:35:01.983186 IP (tos 0x0, ttl 127, id 19923, offset 0, flags [DF], proto TCP (6), length 52) 1.1.1.1.4059 > 192.168.1.39.8282: S, cksum 0x73ce (correct), 376443378:376443378(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
20:35:02.169364 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.39.8282 > 1.1.1.1.4059: S, cksum 0x8841 (correct), 614060057:614060057(0) ack 376443379 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 1>
