In this article, users will learn how to forward ports on airOS.
Table of Contents
Most home routers have NAT (Network Address Translation) enabled. To access a service behind the router's NAT (LAN side), you need to use Port Forwards (sometimes called Destination NAT).
In this example, we will be Port Forwarding TCP 8443 (GUI) and TCP 8080 (device inform) to a UniFi controller behind an airRouter. In Router mode on the airRouter LAN = WAN Port and Bridge0 = your LAN. Depending on your model, this may be different. For the purposes of this article, the private IP address of the UniFi controller will be 192.168.1.48.
User Tip: The device being Port Forwarded to should either have a static IP (with a router as default gateway) or a DHCP Lease Reservation. If not, your Port Forward may stop working on a router or device reboot.
Steps: Port Forwarding on airOS
1. Navigate to the Network tab of the airMAX device.
2. Under Port Forward, enter the port forwarding details. The minimum info required is:
- Private IP
- Private Port
- Public Port.
Once you have entered these details, make sure to click Add and Change.
3. If you would like to restrict access to the port forward, you can also add a Source IP/CIDR subnet mask. For example, adding 22.214.171.124/32 to Source IP/Mask would allow only 126.96.36.199/32 to access the Port Forward.
4. Test your Work. Once all Port Forwards have been added and applied, you can test from outside your LAN. In this example, you would try to access https://public.ip.address:8443 from another connection to verify the port forwarding was set successfully.
Still having trouble? Check the following:
- Verify the device IP and service are available on the LAN.
- Verify that the device has the correct default gateway/subnet if configured with a static IP. The gateway should be the airRouter IP in this example.
- Check that your router is getting a public IP address (not private RFC 1918).
- Some ISPs will block common service ports like http/80, https/443, smtp/25. If trying to forward one of these, please confirm with ISP and/or check with TCPDump to verify packets are hitting the router.
For this example, run this command:
Tcpdump -i eth0 port 8443