EdgeRouter - Port Forwarding


Overview


Readers will learn how to forward UDP and TCP ports to an internal server using the port-forwarding feature. Note that the port-forwarding feature only applies to the primary address on the primary WAN interface. If you need to forward ports on secondary addresses or multiple interfaces then configure Destination NAT instead.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Steps: Port Forwarding
  4. Steps: Testing & Verification
  5. Hairpin NAT Explanation
  6. Related Articles

FAQ



1. What is the difference between destination NAT and port-forwarding?

The destination NAT and the port-forwarding features serve the same purpose (forwarding ports to an internal host behind NAT). The port-forwarding feature is designed to allow users to easily forward ports without having to create firewall and NAT rules.

2. What are the advantages and disadvantages of using port-forwarding over destination NAT?

Advantages

  • You do not have to manually create firewall rules for each port-forwarding rule.
  • You do not have to manually configure Hairpin NAT.

Disadvantages

  • You can only forward ports on the primary WAN interface (not multiple WAN interfaces).
  • You can only forward ports on the primary WAN address (not secondary addresses).

3. Which interface should I set as the LAN interface when I am using an EdgeRouter-X (ER-X) and/or EdgeRouter-X-SFP (ER-X-SFP)?

You should set the LAN interface to the interface that is configured with the subnet that you are forwarding to. For example, suppose you are using the switch0 interface to group multiple ethernet interfaces together. In this case, the switch0 interface is assigned the IP subnet (192.168.1.0/24 for example) and should be set as the LAN interface in the port-forwarding wizard.

4. Which interface should I set if I am using a switch0 or br0 (bridge) interface?

You should set the LAN interface to the interface that is configured with the subnet that you are forwarding to. In this case, the LAN interface needs to be set to switch0 or br0 and not any of the individual (eth1, eth2, etc.) interfaces.

5. Do I need to manually configure firewall rules and how does the auto-firewall feature work?

No, you do not have to manually create firewall rules if you leave the Enable auto firewall box checked. See the steps below.

 

The auto-firewall feature automatically creates rules in iptables. See the Testing & Verification section below.

6. Do I need to manually configure hairpin NAT?

No, see the Hairpin NAT section below.

7. Does port-forwarding work when using multiple WAN interfaces or secondary WAN addresses?

No, you will need to configure the destination NAT feature instead.

8. How do I know if my port-forwarding rules are working?

  • Verify the port-forwarding counters/stats using the GUI (Graphical User Interface).
  • Verify the NAT translations in the CLI (Command Line Interface).
  • Capture the traffic on the WAN and LAN interfaces using the CLI.
  • Use an online port-scan tool (nmap) to verify if the ports are open.
  • Verify that the host/server is listening on the correct ports (netstat) and if any host-based firewalls are blocking the traffic.
  • Verify the counters/statistics in the iptables rules.

All of these verification steps are shown in the Testing & Verification section.


Network Diagram



Two different network topologies are shown below, one port-forwarding scenario for the ER-4 and one for the ER-X. Note the difference in the LAN interface that will be used for port-forwarding. In both examples, TCP ports 443 and 10443 will be forwarded to port 443 (HTTPS) on the UNMS server.

ER-4

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24


ER-X

  • eth0 (WAN) - 203.0.113.1
  • switch0 (LAN) - 192.168.1.1/24



Steps: Port Forwarding



ATTENTION: Port-forwarding relies on defining the LAN / internal interface that participates in the port-forwarding process. The ER-X and ER-X-SFP models, for example, can use a switch0 interface which groups ethernet interfaces together. In this case, the LAN interface needs to be set to switch0 and not any of the individual (eth1, eth2, etc.) interfaces.

 

The same rules apply when using bridged (br0) interfaces. If you are not sure which interface to select, look at Dashboard > Interfaces and see which interface is configured in the IP address range that you wish to forward to.

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested. 

GUI: Access the Graphical User Interface (GUI).

1. Add the port-forwarding rules for TCP ports 443 and 10443. The auto-firewall feature will automatically open the required ports in the iptables firewall.

Firewall / NAT > Port Forwarding

  • Show advanced options
  • Enable hairpin NAT (this feature is explained below)
  • Enable auto firewall

WAN interface: eth0
LAN interface: eth1

NOTE: The LAN interface is changed to switch0 in the ER-X scenario.

+Add Rule

Original port: 443
Protocol: TCP
Forward-to address: 192.168.1.10
Forward-to port: 443
Description: https443

+Add Rule

Original port: 10443
Protocol: TCP
Forward-to address: 192.168.1.10
Forward-to port: 443
Description: https10443

2. Apply the changes.


NOTE: There is no need to manually configure firewall rules when using the auto-firewall feature.

The CLI equivalent of this port-forwarding configuration is shown below.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward lan-interface eth1

set port-forward rule 1 description https443
set port-forward rule 1 forward-to address 192.168.1.10
set port-forward rule 1 forward-to port 443
set port-forward rule 1 original-port 443
set port-forward rule 1 protocol tcp

set port-forward rule 2 description https10443
set port-forward rule 2 forward-to address 192.168.1.10
set port-forward rule 2 forward-to port 443
set port-forward rule 2 original-port 10443
set port-forward rule 2 protocol tcp

commit ; save

NOTE: The LAN interface is changed to switch0 in the ER-X scenario.

Steps: Testing & Verification



1. Verify that the traffic is increasing the counters on the port-forwarding rules.


2. Capture the traffic on the WAN and LAN interfaces to verify that it is being forwarded.

sudo tcpdump -i eth0 -n tcp dst port 443 or port 10443
IP 192.0.2.1.6044 > 203.0.113.1.443: Flags [S], seq 3332151841, win 64240
IP 192.0.2.1.6044 > 203.0.113.1.443: Flags [.], ack 30879579, win 256
IP 192.0.2.1.6044 > 203.0.113.1.443: Flags [F.], seq 0, ack 1, win 256

IP 192.0.2.1.6074 > 203.0.113.1.10443: Flags [S], seq 1658372875, win 64240
IP 203.0.113.1.10443 > 192.0.2.1.6074: Flags [S.], seq 2921988519, ack 1658372876
IP 192.0.2.1.6074 > 203.0.113.1.10443: Flags [.], ack 1, win 256

sudo tcpdump -i eth1 -n tcp dst port 443
IP 192.0.2.1.6044 > 192.168.1.10.443: Flags [S], seq 3332151841, win 64240
IP 192.0.2.1.6044 > 192.168.1.10.443: Flags [.], ack 30879579, win 256
IP 192.0.2.1.6044 > 192.168.1.10.443: Flags [F.], seq 0, ack 1, win 256

IP 192.0.2.1.6074 > 192.168.1.10.443: Flags [S], seq 1658372875, win 64240
IP 192.0.2.1.6074 > 192.168.1.10.443: Flags [.], ack 2921988520, win 256
IP 192.0.2.1.6074 > 192.168.1.10.443: Flags [F.], seq 0, ack 1, win 256

NOTE: This is a live capture. If there is no output then the traffic is either not being generated or there is something blocking the traffic upstream.
 
The command is changed to sudo tcpdump -i switch0 -n tcp dst port 443 in the ER-X scenario.

3. Verify the destination NAT translation table.

show nat translations destination detail 
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst     
192.0.2.1:6044       203.0.113.1:443    192.0.2.1:6044       192.168.1.10:443 
  tcp: dnat: 203.0.113.1 ==> 192.168.1.10  timeout: 21 use: 1 

192.0.2.1:6074       203.0.113.1:10443  192.0.2.1:6074       192.168.1.10:443 
  tcp: dnat: 203.0.113.1:10443 ==> 192.168.1.10:443  timeout: 7 use: 1

4. (Advanced users) Verify the iptables firewall and nat rules.

sudo iptables -L -v -n
Chain UBNT_PFOR_FW_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination        
  108  4752 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.10         tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.10         tcp dpt:443 

NOTE: There is no iptables rule that allows TCP port 10443 through the firewall. This is because the port-forwarding / NAT translation happens before the firewall is consulted, meaning that the destination port is already translated to 443 before the packet hits the firewall.

 

Also, note that there is a duplicate iptables rule for TCP 443. Only the first rule is consulted and the second entry is unused (this has no negative effect). The second entry is added because there are two port-forwarding rules that forward to TCP port 443.

sudo iptables -t nat -L -v -n  
Chain UBNT_PFOR_DNAT_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination        
   18   936 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.10:443
   18   936 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10443 to:192.168.1.10:443

Hairpin NAT Explanation



Hairpin NAT allows a host on the LAN to access another internal server/host via the external IP address of the EdgeRouter. 


In the example above, the internal host at 192.168.1.11 wants to access the UNMS server using the same external IP address (203.0.113.1) that external clients use. Without Hairpin NAT this would not be possible because the request enters the router on the same interface (eth1) where it is also going out. The situation is identical for the ER-X, where the incoming interface is also the same (switch0). 

 

Hairpin NAT can be set in the port-forwarding tab in the GUI and is enabled by default.


ATTENTION: If you are using multiple internal interfaces (or VLANs/VIFs) then make sure to add all LAN interfaces where hosts reside to the list.

You can verify the hairpin NAT traffic by looking at the NAT translation table and the iptables nat rules.

1. Verify the source and destination NAT translation table.

show nat translations destination detail 
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst     
192.168.1.11:1109    203.0.113.1:10443  192.168.1.1:1109     192.168.1.10:443 
  tcp: dnat: 203.0.113.1:10443 ==> 192.168.1.10:443  timeout: 114 use: 1

192.168.1.11:1108    203.0.113.1:443    192.168.1.1:1108     192.168.1.10:443 
  tcp: dnat: 203.0.113.1 ==> 192.168.1.10  timeout: 109 use: 1

show nat translations source detail
192.168.1.11:1109    203.0.113.1:10443  192.168.1.1:1109     192.168.1.10:443 
  tcp: snat: 192.168.1.11 ==> 192.168.1.1  timeout: 104 use: 1

192.168.1.11:1108    203.0.113.1:443    192.168.1.1:1108     192.168.1.10:443 
  tcp: snat: 192.168.1.11 ==> 192.168.1.1  timeout: 98 use: 1  

NOTE: The traffic with source 192.168.1.11:1108 and destination 203.0.113.1:443 is translated to source 192.168.1.1:1108 and destination 192.168.1.10:443.
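As an added example (not part of the original article or of EdgeOS), the following Python script parses the table format of show nat translations destination detail, as shown in step 3 of the Testing & Verification section and in step 1 above, and checks every entry against the two rules configured in this article: an external client must land on 192.168.1.10:443 with its source address untouched, and a LAN client (the hairpin case) must additionally have its source rewritten to the router's LAN address 192.168.1.1. The sample table is constructed from the outputs above; its third flow is an invented translation to show how a DNAT entry that matches no configured rule would be flagged.

```python
import ipaddress
import re

# Expected rules from this article: WAN original port -> (forward-to address, port).
WAN_ADDR = "203.0.113.1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_ADDR = "192.168.1.1"   # hairpin SNAT rewrites LAN sources to this address
RULES = {443: ("192.168.1.10", 443), 10443: ("192.168.1.10", 443)}

# Constructed sample shaped like 'show nat translations destination detail'; the third flow is deliberately unexpected.
SAMPLE = """\
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst
192.0.2.1:6044       203.0.113.1:443    192.0.2.1:6044       192.168.1.10:443
  tcp: dnat: 203.0.113.1 ==> 192.168.1.10  timeout: 21 use: 1
192.168.1.11:1109    203.0.113.1:10443  192.168.1.1:1109     192.168.1.10:443
  tcp: dnat: 203.0.113.1:10443 ==> 192.168.1.10:443  timeout: 114 use: 1
192.0.2.1:7000       203.0.113.1:8080   192.0.2.1:7000       192.168.1.50:8080
  tcp: dnat: 203.0.113.1:8080 ==> 192.168.1.50:8080  timeout: 5 use: 1
"""

ENDPOINT = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_translations(text):
    """Return one dict per translation line (the header and indented detail lines are skipped)."""
    flows = []
    for line in text.splitlines():
        ends = ENDPOINT.findall(line)
        if line.startswith(" ") or len(ends) != 4:
            continue
        pre_src, pre_dst, post_src, post_dst = [(ip, int(port)) for ip, port in ends]
        flows.append({"pre_src": pre_src, "pre_dst": pre_dst,
                      "post_src": post_src, "post_dst": post_dst})
    return flows

def check_flow(flow):
    """Classify a flow as 'ok' (external client), 'hairpin' (LAN client) or 'unexpected'."""
    dst_ip, dst_port = flow["pre_dst"]
    if dst_ip != WAN_ADDR or RULES.get(dst_port) != flow["post_dst"]:
        return "unexpected"   # hits a port with no rule, or lands on the wrong host/port
    src_ip, src_port = flow["pre_src"]
    if ipaddress.ip_address(src_ip) in LAN_NET:
        # Hairpin: the LAN source must be rewritten to the router's LAN address, port kept.
        return "hairpin" if flow["post_src"] == (ROUTER_LAN_ADDR, src_port) else "unexpected"
    # External client: the source must pass through unchanged.
    return "ok" if flow["post_src"] == flow["pre_src"] else "unexpected"

def audit(text):
    """Return (pre_src, pre_dst, verdict) for every translation in the table output."""
    return [(f["pre_src"], f["pre_dst"], check_flow(f)) for f in parse_translations(text)]
```

Paste the live output of the show command into SAMPLE (or read it from a file) and any verdict other than ok or hairpin points at a translation that the configured port-forwarding rules do not explain.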

2. (Advanced users) Verify the iptables nat rules.

sudo iptables -t nat -L -v -n
Chain UBNT_PFOR_SNAT_RULES (1 references)
 pkts bytes target      prot opt in     out     source       destination        
   27  1396 MASQUERADE  tcp  --  *      eth1    0.0.0.0/0    192.168.1.10   match-set NETv4_eth1 src tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      eth1    0.0.0.0/0    192.168.1.10   match-set NETv4_eth1 src tcp dpt:443

Related Articles

