In this article, users will learn how to forward ports on airOS.
Most home routers have NAT (Network Address Translation) enabled. To access a service behind (LAN side) the router's NAT, you need to use Port Forwards (sometimes called Destination NAT).
In this example, we will be Port Forwarding TCP 8443 (GUI) and TCP 8080 (device inform) to a UniFi controller behind an airRouter. In Router mode on the airRouter LAN = WAN Port and Bridge0 = your LAN. Depending on your model, this may be different. For the purposes of this article, the private IP address of the UniFi controller will be 192.168.1.48.
The device being Port Forwarded to should either have a static IP (with a router as default gateway) or a DHCP Lease Reservation. If not, your PF may stop working on a router or device reboot.
Table of Contents
Step 1: Navigate to the Network Tab
Step 2: Enter Port Forwarding Details
Under Port Forward, you can enter your PF details. The minimum info required is: Interface, Private IP, Private Port and Public Port. Once you have entered these details, make sure to click Add and Change.
If you would like to restrict access to the port forward, you can also add a Source IP/CIDR subnet mask. For example, adding 126.96.36.199/32 to Source IP/Mask would allow only 188.8.131.52/32 to access the Port Forward.
Here you can see both Port Forwards have been added:
Step 3: Test your Work
Once all Port Forwards have been added and applied, you can test from outside your LAN. In this example, you would try to access https://public.ip.address:8443 from another connection to verify.
Still having trouble? Check the following:
- Verify the device IP and service are available on the LAN.
- Verify that the device has the correct default gateway/subnet if configured with a static IP. The gateway should be the airRouter IP in this example.
- Check that your router is getting a public IP address (not private RFC 1918).
- Some ISPs will block common service ports like http/80, https/443, smtp/25. If trying to forward one of these, please confirm with ISP and/or check with TCPDump to verify packets are hitting the router.
For this example:
Tcpdump -i eth0 port 8443