
EdgeRouter - Destination NAT


Overview


Readers will learn how to forward UDP and TCP ports to an internal server using Destination NAT (DNAT).

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Destination NAT
  4. Related Articles

FAQ



1. What is the difference between destination NAT and port-forwarding?

The destination NAT and the port-forwarding features serve the same purpose (forwarding ports to an internal host behind NAT).

2. Do I need to manually configure firewall rules?

Yes, see the steps below. The NAT port translation happens before any firewall rules are consulted, so the firewall rule must match the translated (internal) port. Please see this article for a high-level overview of how packets are processed on an EdgeRouter.

3. Do I need to manually configure Hairpin NAT when using Destination NAT?

Yes, see the EdgeRouter - Hairpin NAT article.

4. Does this article cover how to distribute Public IPs with 1:1 NAT?

No, but check out the EdgeRouter- How to Distribute Public IPs article.


Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1 / 203.0.113.2
  • eth1 (LAN) - 192.168.1.1/24

In the example, the HTTPS traffic from external clients for 203.0.113.1:443 (TCP port 443) and 203.0.113.2:10443 (TCP port 10443) will be forwarded to the UNMS server at 192.168.1.10:443 (TCP port 443) using Destination NAT.


Destination NAT



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

GUI: Access the Graphical User Interface.

1. Add a firewall rule that allows the HTTPS traffic to reach the UNMS server.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule

Basic tab

Description: https
Action: Accept
Protocol: TCP


Destination tab

Destination Port: 443


NOTE: No firewall rule is added for TCP port 10443. The port-forwarding / NAT translation happens before the firewall is consulted, so by the time the packet reaches the WAN_IN ruleset its destination port has already been rewritten to 443 and the existing rule matches it.

2. Add a Destination NAT rule for TCP port 443. 

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443


3. Add a Destination NAT rule for TCP port 10443.

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https10443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.2
Destination Port: 10443



The CLI equivalent of this destination NAT configuration is shown below.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure

set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description https
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp

set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination

set service nat rule 2 description https10443
set service nat rule 2 destination address 203.0.113.2
set service nat rule 2 destination port 10443
set service nat rule 2 inbound-interface eth0
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

commit ; save
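The script below is an added example and is not part of the original article or of EdgeOS itself. It generates the same kind of "set" commands shown above from a list of TCP forwards, and encodes the rule from the NOTE in step 1: every Destination NAT rule is paired with a WAN_IN accept rule on the translated port, and forwards that land on the same internal port share one firewall rule, so the public port (10443 here) never needs its own rule. The input list, the rule numbers and the firewall descriptions are constructed for the example; the command syntax matches the article's CLI block. Ports are range-checked before anything is emitted, so a typo produces an error instead of a half-written configuration.

```shell
#!/bin/sh
# Added example (not from the article): emit EdgeOS "set" commands for a list
# of TCP port forwards, pairing each Destination NAT rule with a WAN_IN accept
# rule that matches the *translated* port, since DNAT runs before the firewall.

# Constructed input, one forward per line:
#   description inbound-if dst-addr dst-port inside-addr inside-port
FORWARDS='https443 eth0 203.0.113.1 443 192.168.1.10 443
https10443 eth0 203.0.113.2 10443 192.168.1.10 443'

# valid_port N -> true if N is an integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_rules FIRST_RULE_NUMBER (reads forwards from stdin)
# One "service nat ... type destination" rule per input line.
dnat_rules() {
  n="$1"
  while read -r desc iface daddr dport iaddr iport; do
    [ -z "$desc" ] && continue
    if ! valid_port "$dport" || ! valid_port "$iport"; then
      echo "invalid port in forward '$desc'" >&2
      return 1
    fi
    printf 'set service nat rule %s description %s\n' "$n" "$desc"
    printf 'set service nat rule %s destination address %s\n' "$n" "$daddr"
    printf 'set service nat rule %s destination port %s\n' "$n" "$dport"
    printf 'set service nat rule %s inbound-interface %s\n' "$n" "$iface"
    printf 'set service nat rule %s inside-address address %s\n' "$n" "$iaddr"
    printf 'set service nat rule %s inside-address port %s\n' "$n" "$iport"
    printf 'set service nat rule %s log disable\n' "$n"
    printf 'set service nat rule %s protocol tcp\n' "$n"
    printf 'set service nat rule %s type destination\n' "$n"
    n=$((n + 1))
  done
}

# firewall_rules FIRST_RULE_NUMBER (reads forwards from stdin)
# One WAN_IN accept rule per distinct translated port (field 6). The public
# destination port is irrelevant here because the firewall only ever sees
# the already-translated port.
firewall_rules() {
  n="$1"
  awk 'NF { print $6 }' | sort -un | while read -r port; do
    printf 'set firewall name WAN_IN rule %s action accept\n' "$n"
    printf 'set firewall name WAN_IN rule %s description allow-tcp-%s\n' "$n" "$port"
    printf 'set firewall name WAN_IN rule %s destination port %s\n' "$n" "$port"
    printf 'set firewall name WAN_IN rule %s log disable\n' "$n"
    printf 'set firewall name WAN_IN rule %s protocol tcp\n' "$n"
    n=$((n + 1))
  done
}

# Stand-alone usage: print the full snippet, ready to paste into "configure".
echo configure
printf '%s\n' "$FORWARDS" | firewall_rules 21
printf '%s\n' "$FORWARDS" | dnat_rules 1
echo 'commit ; save'
```

Running the script with the constructed list prints one WAN_IN rule (rule 21, destination port 443) and two NAT rules (1 and 2), which is the same configuration as the article's CLI block; adding a third forward to 192.168.1.10:443 on another public port adds a NAT rule but no new firewall rule.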

Related Articles



EdgeRouter- How to Distribute Public IPs

EdgeRouter - Port Forwarding

EdgeRouter - Hairpin NAT

Intro to Networking - How to Establish a Connection Using SSH