EdgeRouter - Destination NAT


Overview


Readers will learn how to forward UDP and TCP ports to an internal server using Destination NAT (DNAT). Unlike the port-forwarding feature, DNAT allows you to forward ports on secondary addresses or multiple interfaces. Firewall rules need to be manually created when using Destination NAT.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
 
Equipment used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Steps: Destination NAT
  4. Steps: Testing & Verification
  5. Related Articles

FAQ



1. What is the difference between destination NAT and port-forwarding?

The destination NAT and the port-forwarding features serve the same purpose (forwarding ports to an internal host behind NAT). The port-forwarding feature is designed to allow users to easily forward ports without having to create firewall and NAT rules.

2. What are the advantages and disadvantages of using destination NAT over port-forwarding?

Advantages

  • Allows you to forward ports on multiple WAN interfaces.
  • Allows you to forward ports on secondary IP addresses.
  • Allows you to specify the source IP and source port.

Disadvantages

  • You will need to manually create firewall rules for each destination NAT rule.
  • You will need to manually configure hairpin NAT if desired.

3. Do I need to manually configure firewall rules?

Yes, see the steps below. The NAT port translation happens before any firewall rules are consulted. Please see this article for a high-level overview of how packets are processed on an EdgeRouter.

 

You need to manually create a firewall rule for each port that you are translating to. If you have multiple destination NAT rules that all translate to the same port (443 in this example) you only need a single firewall rule that matches on destination port 443.
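To make the order of operations concrete, the following added example (not part of the Ubiquiti article) models destination NAT rewriting the packet before the WAN_IN ruleset is evaluated, using the article's addresses, ports and rule numbers; the packets are constructed samples.

```python
# Added example: models EdgeOS processing order (DNAT in PREROUTING, then
# the WAN_IN firewall ruleset on the already-translated packet).
# Rule values mirror the article's configuration; packets are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# DNAT rules: (inbound iface, proto, pre-NAT dst, pre-NAT port) -> (inside addr, inside port)
DNAT_RULES = {
    ("eth0", "tcp", "203.0.113.1", 443): ("192.168.1.10", 443),     # NAT rule 1
    ("eth0", "tcp", "203.0.113.2", 10443): ("192.168.1.10", 443),   # NAT rule 2
}

# WAN_IN rules evaluated in order; the ruleset's default action is drop.
WAN_IN_RULES = [
    {"rule": 21, "proto": "tcp", "dport": 443, "action": "accept"},
]


def apply_dnat(pkt: Packet, iface: str) -> Packet:
    """PREROUTING: rewrite the destination if a DNAT rule matches, else pass through."""
    target = DNAT_RULES.get((iface, pkt.proto, pkt.dst, pkt.dport))
    if target is None:
        return pkt
    return replace(pkt, dst=target[0], dport=target[1])


def apply_wan_in(pkt: Packet) -> str:
    """The firewall only ever sees post-NAT destination addresses and ports."""
    for rule in WAN_IN_RULES:
        if rule["proto"] == pkt.proto and rule["dport"] == pkt.dport:
            return rule["action"]
    return "drop"


def process(pkt: Packet, iface: str = "eth0") -> tuple:
    """Return (firewall verdict, post-NAT dst, post-NAT dport) for one inbound packet."""
    translated = apply_dnat(pkt, iface)
    return apply_wan_in(translated), translated.dst, translated.dport


if __name__ == "__main__":
    for p in [Packet("192.0.2.1", 7376, "203.0.113.1", 443),
              Packet("192.0.2.1", 7443, "203.0.113.2", 10443),
              Packet("192.0.2.1", 7500, "203.0.113.1", 10443)]:  # no DNAT rule for this one
        print(f"{p.dst}:{p.dport} -> {process(p)}")
```

The third packet (TCP 10443 on 203.0.113.1) has no DNAT rule, so it reaches WAN_IN untranslated and falls through to the default drop, which is why a single rule on destination port 443 is sufficient and why no rule for 10443 is needed.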

4. Do I need to manually configure hairpin NAT?

Yes, see the EdgeRouter - Hairpin NAT article.

5. Does destination NAT work when using multiple WAN interfaces or secondary WAN addresses?

Yes, see the steps below.

6. How do I know if my destination NAT rules are working?

  • Verify the firewall and NAT counters/statistics using the GUI (Graphical User Interface) or CLI (Command Line Interface).
  • Verify the NAT translations in the CLI.
  • Capture the traffic on the WAN and LAN interfaces using the CLI.

All of these verification steps are shown in the Testing & Verification section.


Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1 / 203.0.113.2
  • eth1 (LAN) - 192.168.1.1/24

In the example, the HTTPS traffic from external clients for 203.0.113.1:443 (TCP port 443) and 203.0.113.2:10443 (TCP port 10443) will be forwarded to the UNMS server at 192.168.1.10:443 (TCP port 443) using destination NAT.


Steps: Destination NAT



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

ATTENTION: Manual hairpin NAT rules need to be created if you want hosts on the LAN to access another internal server/host via the external IP address of the EdgeRouter. See the EdgeRouter - Hairpin NAT article for more information.

 

GUI: Access the Graphical User Interface.

1. Add a firewall rule that allows the HTTPS traffic to reach the UNMS server.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule

Basic tab

Description: https
Action: Accept
Protocol: TCP


Destination tab

Destination Port: 443


NOTE: No rule is added to allow TCP port 10443 through the firewall. This is because the port-forwarding / NAT translation happens before the firewall is consulted, meaning that the port is already translated to 443 before it hits the firewall.

2. Add a Destination NAT rule for TCP port 443. 

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443


NOTE: There is no need to specify a source address or source port unless you want to limit the traffic to specific clients.

3. Add a Destination NAT rule for TCP port 10443.

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https10443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.2
Destination Port: 10443


 

The CLI equivalent of this destination NAT configuration is shown below.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure

set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description https
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp

set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination

set service nat rule 2 description https10443
set service nat rule 2 destination address 203.0.113.2
set service nat rule 2 destination port 10443
set service nat rule 2 inbound-interface eth0
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

commit ; save

Steps: Testing & Verification



1. Verify that the traffic is increasing the counters on the WAN_IN firewall rule.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Stats


2. Verify that the traffic is increasing the counters on the DNAT rules.

Firewall/NAT > NAT

show nat statistics 
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
1     38          DST   eth0      -         https443
2     37          DST   eth0      -         https10443
5010  1022        MASQ  -         eth0      masquerade for WAN

show firewall name WAN_IN statistics
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_IN"  [WAN to internal]
 Active on (eth0,IN)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    775         68264       ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
21    75          3900        ACCEPT  https
10000 0           0           DROP    DEFAULT ACTION

2. Capture the traffic on the WAN and LAN interfaces to verify that it is being forwarded.

sudo tcpdump -i eth0 -n tcp dst port 443 or port 10443
IP 192.0.2.1.7376 > 203.0.113.1.443: Flags [S], seq 2797748138, win 64240
IP 192.0.2.1.7376 > 203.0.113.1.443: Flags [.], ack 3505301926, win 256
IP 192.0.2.1.7376 > 203.0.113.1.443: Flags [F.], seq 0, ack 1, win 256

IP 192.0.2.1.7443 > 203.0.113.2.10443: Flags [S], seq 4101345097, win 64240
IP 203.0.113.2.10443 > 192.0.2.1.7443: Flags [S.], seq 1643519215, ack 4101345098, win 8192
IP 192.0.2.1.7443 > 203.0.113.2.10443: Flags [F.], seq 1, ack 1, win 256

sudo tcpdump -i eth1 -n tcp dst port 443
IP 192.0.2.1.7376 > 192.168.1.10.443: Flags [S], seq 2797748138, win 64240
IP 192.0.2.1.7376 > 192.168.1.10.443: Flags [.], ack 3505301926, win 256
IP 192.0.2.1.7376 > 192.168.1.10.443: Flags [F.], seq 0, ack 1, win 256

IP 192.0.2.1.7443 > 192.168.1.10.443: Flags [S], seq 4101345097, win 64240
IP 192.0.2.1.7443 > 192.168.1.10.443: Flags [F.], seq 4101345098, ack 1643519216, win 256
IP 192.0.2.1.7443 > 192.168.1.10.443: Flags [.], ack 2, win 256

NOTE: This is a live capture. If there is no output then the traffic is either not being generated or there is something blocking the traffic upstream.

3. Verify the destination NAT translation table.

show nat translations destination detail 
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst     
192.0.2.1:7376       203.0.113.1:443    192.0.2.1:7376       192.168.1.10:443 
  tcp: dnat: 203.0.113.1 ==> 192.168.1.10  timeout: 22 use: 1

192.0.2.1:7443       203.0.113.2:10443  192.0.2.1:7443       192.168.1.10:443 
  tcp: dnat: 203.0.113.2:10443 ==> 192.168.1.10:443  timeout: 112 use: 1
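As an added verification check (not part of the Ubiquiti article), the following script parses the output of `show nat translations destination detail` in the format shown above and reports any active translation that does not correspond to a configured DNAT rule, as well as configured rules that currently carry no traffic. The sample output is constructed from the article's example.

```python
# Added example: parse "show nat translations destination detail" output and
# check every translation against the DNAT rules configured in this article.
# SAMPLE is constructed to match the CLI output format shown on the page.
import re

SAMPLE = """\
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst
192.0.2.1:7376       203.0.113.1:443    192.0.2.1:7376       192.168.1.10:443
  tcp: dnat: 203.0.113.1 ==> 192.168.1.10  timeout: 22 use: 1

192.0.2.1:7443       203.0.113.2:10443  192.0.2.1:7443       192.168.1.10:443
  tcp: dnat: 203.0.113.2:10443 ==> 192.168.1.10:443  timeout: 112 use: 1
"""

# Expected mappings from NAT rules 1 and 2: (pre-NAT dst, port) -> (post-NAT dst, port).
EXPECTED = {
    ("203.0.113.1", 443): ("192.168.1.10", 443),
    ("203.0.113.2", 10443): ("192.168.1.10", 443),
}

ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_translations(text):
    """Return a list of (pre_nat_dst, post_nat_dst) tuples, one per translation row.

    Header, indented detail lines and blank lines are skipped; a row must
    contain exactly four ip:port endpoints to be accepted.
    """
    rows = []
    for line in text.splitlines():
        if not line or line.startswith((" ", "Pre-NAT")):
            continue
        eps = ENDPOINT.findall(line)
        if len(eps) != 4:
            continue
        pre_dst = (eps[1][0], int(eps[1][1]))
        post_dst = (eps[3][0], int(eps[3][1]))
        rows.append((pre_dst, post_dst))
    return rows


def check_translations(rows, expected):
    """Return (unexpected translations, configured rules with no active translation)."""
    unexpected = [(pre, post) for pre, post in rows if expected.get(pre) != post]
    seen = {pre for pre, _ in rows}
    idle = [pre for pre in expected if pre not in seen]
    return unexpected, idle


if __name__ == "__main__":
    print(check_translations(parse_translations(SAMPLE), EXPECTED))
```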

4. (Advanced users) Verify the iptables firewall and nat rules.

sudo iptables -L -v -n
Chain WAN_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination        
   75  3900 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* WAN_IN-21 */ tcp dpt:443

NOTE: There is no iptables rule that allows TCP port 10443 through the firewall. This is because the port-forwarding / NAT translation happens before the firewall is consulted, meaning that the port is already translated to 443 before it hits the firewall.

sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 276 packets, 20743 bytes)
 pkts bytes target    prot opt in     out    source      destination        
   38  1976 DNAT      tcp  --  eth0   *      0.0.0.0/0   203.0.113.1   tcp dpt:443 /* NAT-1 */ to:192.168.1.10:443
   37  1924 DNAT      tcp  --  eth0   *      0.0.0.0/0   203.0.113.2   tcp dpt:10443 /* NAT-2 */ to:192.168.1.10:443

Related Articles

