EdgeRouter - Port Forwarding and Destination NAT

Overview

Readers will learn how to forward UDP and TCP ports to an internal server using either Port-Forwarding or Destination NAT.

NOTES & REQUIREMENTS:

Applicable to EdgeOS 1.9.7+ firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information, and see the attachments for the configurations used in this article.

Equipment used in this article:

- EdgeRouter-X (ER-X)

- Ubiquiti Network Management System (UNMS)

Table of Contents


  1. Network Diagram
  2. Steps: Port Forwarding
  3. Steps: Destination NAT
  4. Steps: Testing & Verification
  5. Related Articles

Network Diagram

The network topology is shown below. The following interfaces are in use on the EdgeRouter:

ER-X

  • eth0 (WAN) - 203.0.113.1/29 (primary address), 203.0.113.2/29 (secondary address)
  • eth1 (LAN) - 192.168.1.1/24


Steps: Port Forwarding

In this example the EdgeRouter (ER) has been pre-configured using the Basic Setup wizard. For the purpose of this article we will assume that the masquerade rules are in place so that the hosts on the LAN can communicate with hosts on the Internet.

The ER will be configured to forward TCP ports 80, 443 and 8443 to the UNMS server at 192.168.1.10. The quickest way to forward ports is to use the Port Forwarding wizard in the GUI. The downside of using port forwarding is that it only applies to the primary address on the WAN interface, in this case 203.0.113.1/29. If you require the ER to forward ports on secondary addresses, configure destination NAT instead (section 3 of this article).

GUI STEPS: Access the router’s Web-Management Portal (GUI).

1. Create the rules that forward the relevant HTTP and HTTPS ports to the UNMS server.

Firewall/NAT > Port Forwarding

  • Show advanced options
  • Enable Hairpin NAT
  • Enable Auto firewall
WAN interface: eth0
LAN interface: eth1
Note: If you are using the switch0 interface to group eth1-4 under a single LAN, then the LAN interface should be set to switch0 instead.

+Add Rule

Original port: 443
Protocol: TCP
Forward-to address: 192.168.1.10
Forward-to port: 443
Description: HTTPS

+Add Rule

Original port: 80
Protocol: TCP
Forward-to address: 192.168.1.10
Forward-to port: 80
Description: HTTP

+Add Rule

Original port: 8443
Protocol: TCP
Forward-to address: 192.168.1.10
Forward-to port: 443
Description: HTTPS
Note: Because the auto firewall functionality has been enabled, there is no need to create additional firewall rules that allow these ports. If you are interested in creating your own firewall rules, please see the destination NAT section below.

2. Apply the changes.

3. (Optional) Change the router’s web-management listening ports (10080 and 10443 in this example).

Config Tree > Service > GUI

http-port: 10080
https-port: 10443

Preview > Apply

Note: You can view all ports that the router is currently listening on (and the process using each of them) by running the sudo netstat -anp command in the CLI.


(ALTERNATIVE) CLI STEPS: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Create the rules that forward the relevant HTTP and HTTPS ports to the UNMS server.

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward lan-interface eth1

set port-forward rule 1 description HTTPS
set port-forward rule 1 forward-to address 192.168.1.10
set port-forward rule 1 forward-to port 443
set port-forward rule 1 original-port 443
set port-forward rule 1 protocol tcp

set port-forward rule 2 description HTTP
set port-forward rule 2 forward-to address 192.168.1.10
set port-forward rule 2 forward-to port 80
set port-forward rule 2 original-port 80
set port-forward rule 2 protocol tcp

set port-forward rule 3 description HTTPS
set port-forward rule 3 forward-to address 192.168.1.10
set port-forward rule 3 forward-to port 443
set port-forward rule 3 original-port 8443
set port-forward rule 3 protocol tcp

3. (Optional) Change the router’s web-management listening ports (10080 and 10443 in this example).

set service gui http-port 10080
set service gui https-port 10443

4. Commit the changes and save the configuration.

commit ; save

5. (Optional) View what the automatic firewall and NAT feature adds in the background.
The automatic function adds these rules to iptables:

  • Allow TCP port 80 (HTTP) and TCP port 443 (HTTPS) in the inbound direction towards 192.168.1.10
  • NAT incoming TCP ports 80, 443 and 8443 on the eth0 address (ADDRv4_eth0) to 192.168.1.10
  • Masquerade connections from the LAN (NETv4_eth1) to 192.168.1.10 on those ports, which is what makes hairpin NAT work

You can verify this with:

sudo iptables -L -vn
Chain UBNT_PFOR_FW_HOOK (1 references)
pkts bytes target prot opt in out source destination
33642 3777K UBNT_PFOR_FW_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain UBNT_PFOR_FW_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 tcp dpt:443

sudo iptables -t nat -L -vn
Chain POSTROUTING (policy ACCEPT 23847 packets, 7267K bytes)
pkts bytes target prot opt in out source destination
59437 14M UBNT_PFOR_SNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
20314 1793K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* NAT-5010 */

Chain UBNT_PFOR_DNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 UBNT_PFOR_DNAT_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set ADDRv4_eth0 dst
0 0 UBNT_PFOR_DNAT_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0 match-set ADDRv4_eth0 dst

Chain UBNT_PFOR_DNAT_RULES (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.10:443
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.10:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 to:192.168.1.10:443

Chain UBNT_PFOR_SNAT_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * eth1 0.0.0.0/0 192.168.1.10 match-set NETv4_eth1 src tcp dpt:443
0 0 MASQUERADE tcp -- * eth1 0.0.0.0/0 192.168.1.10 match-set NETv4_eth1 src tcp dpt:80
0 0 MASQUERADE tcp -- * eth1 0.0.0.0/0 192.168.1.10 match-set NETv4_eth1 src tcp dpt:443

Steps: Destination NAT

The port-forwarding rules configured in the first section only apply to the primary address on the WAN interface. If incoming traffic destined towards 203.0.113.2/29 needs to be forwarded, then destination NAT needs to be implemented. Unlike port forwarding, the destination NAT feature does not support the automatic creation of firewall rules.


GUI STEPS: Access the router’s Web-Management Portal (GUI).

1. Add the secondary IP address to the WAN interface.

Dashboard > eth0 interface > Actions > Config > +Add IP

203.0.113.2/29

Note: All IP addresses that are used for forwarding need to be added as secondary IP addresses under the WAN interface.

2. Create the rules that forward the relevant HTTP and HTTPS ports to the UNMS server.

Firewall/NAT > NAT > +Add Destination NAT Rule

Description: HTTPS
Inbound Interface: eth0
Translations Address: 192.168.1.10
Translations Port: 443
Protocol: TCP
Dest Address: 203.0.113.2
Dest Port: 443

Firewall/NAT > NAT > +Add Destination NAT Rule

Description: HTTP
Inbound Interface: eth0
Translations Address: 192.168.1.10
Translations Port: 80
Protocol: TCP
Dest Address: 203.0.113.2
Dest Port: 80

Firewall/NAT > NAT > +Add Destination NAT Rule

Description: HTTPS
Inbound Interface: eth0
Translations Address: 192.168.1.10
Translations Port: 443
Protocol: TCP
Dest Address: 203.0.113.2
Dest Port: 8443

3. Create firewall rules that allow HTTP and HTTPS traffic to reach the UNMS server.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset

Note: The name of the inbound firewall ruleset applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall ruleset is applied under the WAN interface, or manually apply it under Firewall/NAT > Firewall Policies > [rule-name] > Actions > Interfaces.

+Add New Rule

Description: HTTPS
Action: Accept
Protocol: TCP
Destination Port: 443

+Add New Rule

Description: HTTP
Action: Accept
Protocol: TCP
Destination Port: 80
Note: It is only required to allow the ports that are configured under ‘Translations’ in the destination NAT settings, i.e. the ports that are translated to the server. For this reason it is not required to create a rule for TCP port 8443, because the translated port is the same as for the regular HTTPS rule (TCP port 443).
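As an added check (this script is not part of the article or of EdgeOS), the following POSIX shell script applies that note mechanically: it reads iptables-style DNAT and ACCEPT lines (constructed samples modelled on the output shown in the port-forwarding section) and lists any translated port that no firewall rule accepts, so a missing WAN_IN rule shows up before traffic is blocked.

```shell
#!/bin/sh
# Added example (not from the article or EdgeOS): given iptables-style DNAT rules
# and filter ACCEPT rules, report which translated ports still lack an ACCEPT.
# Port 8443 -> 443 and 443 -> 443 share one translated port, so one rule covers both.
# Both inputs below are constructed to resemble `sudo iptables -t nat -L -vn` and
# `sudo iptables -L -vn` lines; they were not captured from a router.

DNAT_RULES='0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.10:443
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.10:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 to:192.168.1.10:443'

# What WAN_IN rules 21 and 22 from the CLI section look like once rendered by iptables.
FW_ACCEPTS='0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 tcp dpt:80'

# Print "proto inside_ip inside_port" for each DNAT target, deduplicated.
translated_ports() {
    printf '%s\n' "$1" | awk '
        $3 == "DNAT" {
            for (i = 1; i <= NF; i++) if ($i ~ /^to:/) {
                split(substr($i, 4), t, ":")   # to:IP:PORT -> t[1]=IP, t[2]=PORT
                print $4, t[1], t[2]
            }
        }' | sort -u
}

# Print "proto port" for each ACCEPT rule that matches a destination port.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        $3 == "ACCEPT" {
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) print $4, substr($i, 5)
        }' | sort -u
}

# Print every translated "proto port" with no ACCEPT rule; empty output means
# the firewall covers everything the DNAT rules hand to the inside host.
missing_accepts() {
    {
        accepted_ports "$2" | sed 's/^/A /'
        translated_ports "$1" | sed 's/^/T /'
    } | awk '
        $1 == "A" { ok[$2 " " $3] = 1; next }
        $1 == "T" && !(($2 " " $4) in ok) { print $2, $4 }'
}

# Stand-alone run: prints nothing when the two sample rule sets agree.
missing_accepts "$DNAT_RULES" "$FW_ACCEPTS"
```

On a live router the same functions can be fed the real chain output, e.g. missing_accepts "$(sudo iptables -t nat -L UBNT_PFOR_DNAT_RULES -vn)" "$(sudo iptables -L -vn)".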

(ALTERNATIVE) CLI STEPS: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add the secondary IP address to the WAN interface.

set interfaces ethernet eth0 address 203.0.113.2/29

3. Create the rules that forward the relevant HTTP and HTTPS ports to the UNMS server.

set service nat rule 1 description HTTPS
set service nat rule 1 destination address 203.0.113.2
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination

set service nat rule 2 description HTTP
set service nat rule 2 destination address 203.0.113.2
set service nat rule 2 destination port 80
set service nat rule 2 inbound-interface eth0
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 80
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

set service nat rule 3 description HTTPS
set service nat rule 3 destination address 203.0.113.2
set service nat rule 3 destination port 8443
set service nat rule 3 inbound-interface eth0
set service nat rule 3 inside-address address 192.168.1.10
set service nat rule 3 inside-address port 443
set service nat rule 3 log disable
set service nat rule 3 protocol tcp
set service nat rule 3 type destination

4. Create firewall rules that allow HTTP and HTTPS traffic to reach the UNMS server.

set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description HTTPS
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp

set firewall name WAN_IN rule 22 action accept
set firewall name WAN_IN rule 22 description HTTP
set firewall name WAN_IN rule 22 destination port 80
set firewall name WAN_IN rule 22 log disable
set firewall name WAN_IN rule 22 protocol tcp

5. Commit the changes and save the configuration.

commit ; save

Steps: Testing & Verification

After configuring the port forwarding or destination NAT rules, verify using the following commands.

1. Verify the statistics on the port forwarding rules:

2. Verify the counters on the destination NAT rules:

3. Verify the translations of the port forwarding / destination NAT rules:

show nat translations destination detail 
Pre-NAT src Pre-NAT dst Post-NAT src Post-NAT dst
192.0.2.1:1547 203.0.113.2:80 192.0.2.1:1547 192.168.1.10:80
tcp: dnat: 203.0.113.2 ==> 192.168.1.10 timeout: 48 use: 1

192.0.2.1:1566 203.0.113.2:8443 192.0.2.1:1566 192.168.1.10:443
tcp: dnat: 203.0.113.2:8443 ==> 192.168.1.10:443 timeout: 117 use: 1

192.0.2.1:1594 203.0.113.2:443 192.0.2.1:1594 192.168.1.10:443
tcp: dnat: 203.0.113.2 ==> 192.168.1.10 timeout: 104 use: 1

4. Capture the arrival of HTTP or HTTPS traffic on the ER external WAN interface:

sudo tcpdump -i eth0 -n tcp dst port 80 or port 443 or port 8443
IP 192.0.2.1.1672 > 203.0.113.2.80: Flags [.], ack 339, win 255, length 0
IP 192.0.2.1.1641 > 203.0.113.2.443: Flags [.], ack 8356, win 255, length 0
IP 203.0.113.2.443 > 192.0.2.1.1642: Flags [F.], seq 999, ack 959, win 245, length
IP 192.0.2.1.1667 > 203.0.113.2.8443: Flags [.], ack 868, win 253, length 0
IP 203.0.113.2.8443 > 192.0.2.1.1662: Flags [F.], seq 29493, ack 1416, win 254, length 0
Note: This is a live capture. If there is no output, this means that the traffic is either not being generated on the client, or something is blocking the traffic upstream.

5. Verify the hits on the firewall rules when using destination NAT:

show firewall name WAN_IN statistics 
IPv4 Firewall "WAN_IN" [WAN to internal]

Active on (eth0,IN)

rule packets bytes action description
---- ------- ----- ------ -----------
10 95 9427 ACCEPT Allow established/related
20 0 0 DROP Drop invalid state
21 17 884 ACCEPT HTTPS
22 2 104 ACCEPT HTTP
10000 6 336 DROP DEFAULT ACTION

Related Articles