This article describes the "traditional" way of setting up forwarding using destination NAT and firewall. As of version 1.4.0 there is port-forward wizard in the GUI that greatly simplifies basic port-forwarding. The wizard only handles the primary address on 1 WAN interface, so if you're doing something more complicated than that, you'll still need the "traditional" way.
This article is an example of port forwarding so that a host on Internet can get to a server on your private network. We want to be able to ssh using port 2222 to go from host H1 on Internet to port 22 on server A. Because server A is on a private network we'll need to create a port forwarding (or destination NAT) rule.
In this example we'll be using the following address:
- WAN eth0 203.0.113.1/24
- LAN eth1 192.0.2.1/24
- Server A 192.0.2.15/24
We'll assume there's already a masquerade rule in place so that the hosts on the LAN can communicate with hosts on Internet. That rule would look like:
Now for the port forwarding rule we'll click on Add Destination NAT Rule and for the destination address we'll use the public address of the router with port 2222. For the translation we'll use the private address of server A and port 22.
Note: logging was also enabled to have a record of every outside address that does an ssh to server A.
For this lab test my host H1 and server A also happen to be EdgeRouter LITEs:
On the router R1 we can verify that the port forwarding worked by using "show nat translations" which will show the active translations:
Destination NAT and firewall can be a bit confusing, so in my opinion it's easier to debug NAT and Firewall separately. So in the example above I had temporarily disabled my firewall (this works fine in a lab setting, but you would do that on a production router). Now I'll re-enable my basic firewall which looks like this:
Since I have enable-default-log on my WAN_IN rule set, I'll just try the ssh again and see what gets dropped.
First I see that logging of the NAT translation:
This is one of the most common firewall mistakes with destination NAT - the translation happens before the firewall rules, so your rules need to allow 192.0.2.15:22 instead of 203.0.113.1:2222. We can see this from the feature ordering chart at EdgeOS Feature Ordering.
So lets add our firewall rule to allow 192.0.2.15 tcp port 22:
Now we try it and it works again and if we look at the Stats tab on the firewall we can see that rule 3 has been hit.