EdgeRouter - Destination NAT


Overview


Readers will learn how to forward UDP and TCP ports to an internal server using Destination NAT.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.

Devices and products used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Adding Destination NAT Rules
  3. Related Articles

Frequently Asked Questions (FAQ)



1. What is the difference between Destination NAT and Port Forwarding?

Destination NAT and Port Forwarding serve the same purpose and can both be used to forward ports to an internal host behind NAT.

2. Do I need to manually add firewall entries for the Destination NAT rules?

Yes, see the steps below.

3. Do I need to manually configure Hairpin NAT?

Yes, see the Hairpin NAT article.

4. Can I also configure Source NAT?

Yes, see the Source NAT and Masquerade article.


Adding Destination NAT Rules



[Figure: network topology (topology.png)]

HTTPS traffic from external clients arriving on TCP ports 443 and 10443 is forwarded to the UNMS server.


Follow the steps below to add the Destination NAT and firewall rules to the EdgeRouter:

GUI: Access the EdgeRouter Web UI.

1. Add a Destination NAT rule for TCP port 443, referencing the primary WAN IP address.

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443

2. Add a Destination NAT rule for TCP port 10443, referencing the secondary WAN IP address.

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https10443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.2
Destination Port: 10443

3. Add a firewall rule that allows the HTTPS traffic to reach the UNMS server.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule

Description: https
Action: Accept
Protocol: TCP
Destination > Port: 443
Destination > Address: 192.168.1.10
NOTE: Destination NAT rules are evaluated before the firewall policy is applied. This is why the firewall rule above matches on the post-translation address (192.168.1.10) and port (443) rather than on the public address and port.

See the Packets Processing article for more information.
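To make the order of operations concrete, the following is an added example (not EdgeOS code and not from the original article) that models the two Destination NAT rules and WAN_IN rule 21 above as plain data and runs a packet through them in the order the NOTE describes: NAT first, then firewall. It also includes a constructed, deliberately wrong WAN_IN rule written against the public 203.0.113.2:10443 tuple to show that such a rule never matches, because by the time WAN_IN is consulted the destination has already been rewritten to 192.168.1.10:443. The assumption that unmatched WAN_IN traffic is dropped is the model's own default, not something the article states.

```python
"""Model of EdgeOS processing order: Destination NAT, then the WAN_IN policy.

Added example; rule data mirrors the article, the evaluation logic is a
simplified model and not EdgeOS source code.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst_addr: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    description: str
    inbound_interface: str
    protocol: str
    destination_address: str   # pre-translation (public) address
    destination_port: int      # pre-translation (public) port
    inside_address: str        # translation address
    inside_port: int           # translation port


@dataclass(frozen=True)
class FwRule:
    description: str
    action: str
    protocol: str
    destination_address: str
    destination_port: int


# Destination NAT rules 1 and 2 from the article.
NAT_RULES: List[DnatRule] = [
    DnatRule("https443", "eth0", "tcp", "203.0.113.1", 443, "192.168.1.10", 443),
    DnatRule("https10443", "eth0", "tcp", "203.0.113.2", 10443, "192.168.1.10", 443),
]

# WAN_IN rule 21 from the article: matches the post-translation tuple.
WAN_IN_CORRECT: List[FwRule] = [FwRule("https", "accept", "tcp", "192.168.1.10", 443)]

# Constructed counter-example: a rule written against the public tuple.
WAN_IN_WRONG: List[FwRule] = [FwRule("https-wrong", "accept", "tcp", "203.0.113.2", 10443)]


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Tuple[Packet, Optional[str]]:
    """Return the (possibly rewritten) packet and the description of the NAT rule hit."""
    for r in rules:
        if (pkt.in_iface == r.inbound_interface and pkt.proto == r.protocol
                and pkt.dst_addr == r.destination_address
                and pkt.dst_port == r.destination_port):
            return replace(pkt, dst_addr=r.inside_address, dst_port=r.inside_port), r.description
    return pkt, None


def apply_firewall(pkt: Packet, rules: List[FwRule], default: str = "drop") -> str:
    """First matching rule wins; 'default' (assumed drop) applies when nothing matches."""
    for r in rules:
        if (pkt.proto == r.protocol and pkt.dst_addr == r.destination_address
                and pkt.dst_port == r.destination_port):
            return r.action
    return default


def process(pkt: Packet, nat_rules: List[DnatRule],
            fw_rules: List[FwRule]) -> Tuple[str, Packet, Optional[str]]:
    """Run NAT before WAN_IN and return (verdict, packet as seen by WAN_IN, NAT rule hit)."""
    translated, hit = apply_dnat(pkt, nat_rules)
    verdict = apply_firewall(translated, fw_rules)
    return verdict, translated, hit


if __name__ == "__main__":
    inbound = Packet("eth0", "tcp", "203.0.113.2", 10443)  # constructed external client packet
    for label, policy in (("correct WAN_IN", WAN_IN_CORRECT), ("wrong WAN_IN", WAN_IN_WRONG)):
        verdict, seen, hit = process(inbound, NAT_RULES, policy)
        print(f"{label}: NAT hit={hit}, WAN_IN sees {seen.dst_addr}:{seen.dst_port}, verdict={verdict}")
```

Running the block prints an accept for the article's rule 21 and a drop for the constructed rule that matches on 203.0.113.2:10443, which is exactly the misconfiguration the NOTE warns against.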

The above configuration can also be set using the CLI:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure

set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description https
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 destination address 192.168.1.10
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp

set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination

set service nat rule 2 description https10443
set service nat rule 2 destination address 203.0.113.2
set service nat rule 2 destination port 10443
set service nat rule 2 inbound-interface eth0
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

commit ; save

Related Articles



EdgeRouter - Source NAT and Masquerade

EdgeRouter - Port Forwarding

EdgeRouter - Hairpin NAT

EdgeRouter - Packets Processing

Intro to Networking - How to Establish a Connection Using SSH
