EdgeRouter - Port Forwarding


Readers will learn how to forward UDP and TCP ports to an internal server using the port-forwarding feature.

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Device used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Port Forwarding
  4. Related Articles


Back to Top

1. What is the difference between destination NAT and port-forwarding?

The destination NAT and the port-forwarding features serve the same purpose (forwarding ports to an internal host behind NAT).

2. Do I need to manually configure firewall rules?

No, see the steps below.

3. Do I need to manually configure hairpin NAT?

No, see the Hairpin NAT section below.

Network Diagram

Back to Top

The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - /
  • eth1 (LAN) -

In the example, the HTTPS traffic from external clients for (TCP port 443) and (TCP port 10443) will be forwarded to the UNMS server at (TCP port 443) using port forwarding.



Port Forwarding

Back to Top

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested. 

GUI: Access the Graphical User Interface (GUI).

1. Add the port-forwarding rules for TCP ports 443 and 10443. The auto-firewall feature will automatically open the required ports in the firewall.

Firewall / NAT > Port Forwarding

  • Show advanced options
  • Enable Hairpin NAT
  • Enable the auto-firewall feature
WAN interface: eth0
LAN interface: eth1
NOTE: It is suggested to add all active LAN interfaces on the router to allow Hairpin NAT from hosts on all LANs. The LAN interface might differ depending on your EdgeRouter model and setup. For example, the ER-X and ER-X-SFP are able to use the switch0 interface. This Community post has an example.

+Add Rule

Original port: 443
Protocol: TCP
Forward-to address:
Forward-to port: 443
Description: https443

+Add Rule

Original port: 10443
Protocol: TCP
Forward-to address:
Forward-to port: 443
Description: https10443

2. Apply the changes.



The CLI equivalent of this port-forwarding configuration is shown below.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward lan-interface eth1

set port-forward rule 1 description https443
set port-forward rule 1 forward-to address
set port-forward rule 1 forward-to port 443
set port-forward rule 1 original-port 443
set port-forward rule 1 protocol tcp

set port-forward rule 2 description https10443
set port-forward rule 2 forward-to address
set port-forward rule 2 forward-to port 443
set port-forward rule 2 original-port 10443
set port-forward rule 2 protocol tcp

commit ; save

Related Articles

Back to Top

We're sorry to hear that!