New Member
Posts: 21
Registered: ‎05-23-2017
Kudos: 10
Solutions: 1

Edge Router Help

Hello, I was wondering if somebody can help me out. I read the Edge router documentation and for some reason I'm having issues getting port forwarding working. I want to switch from another router / UTM (which will go into a bridge mode). Current configuration is as follows: Two static WAN IPs (for different services).

 

WAN IP 2 - 22,80,443,7443,10000,5280 (port forward to x.23 to same ports and also need HairPin NAT)
WAN IP 1 - 80 (port forward to x.8 on port 79 and also need HairPin NAT)
WAN - 3389 (port forward to x.12 to same port)
WAN - 8080,446,8081 (port forward to x.12 to same ports and also need HairPin NAT)
WAN - 443,25 (port forward to x.8 to same ports and also need HairPin NAT)
WAN - 3391 (port forward to x.151 to port 3389)

 

What would be the best configuration for the requirements? For some reason I was not able to access any of the resources and was redirected to the edge router login screen.

SuperUser
Posts: 20,402
Registered: ‎09-17-2013
Kudos: 5136
Solutions: 1458

Re: Edge Router Help

Given you have two WANs, you will have to use explicit DNAT and Firewall rules.

New Member
Posts: 21
Registered: ‎05-23-2017
Kudos: 10
Solutions: 1

Re: Edge Router Help

Based on your info and reading the support guides, I want to make sure I understand: will I have to create a DNAT rule for every port, create a firewall rule for every port and create a Hairpin NAT rule for all DNAT rules that require it, or can I group some of the ports together, as there are several of them that are going to the same destination IP?

New Member
Posts: 21
Registered: ‎05-23-2017
Kudos: 10
Solutions: 1

Re: Edge Router Help

I should have included this as well...

 

WAN IP 2 - 22,80,443,7443,10000,5280 (port forward to x.23 to same ports and also need HairPin NAT) - have problem creating these rules


WAN IP 1 - 80 (port forward to x.8 on port 79 and also need HairPin NAT) - have problem creating these rules


WAN - 3389 (port forward to x.12 to same port) - works fine


WAN - 8080,446,8081 (port forward to x.12 to same ports and also need HairPin NAT) - have problem creating these rules


WAN - 443,25 (port forward to x.8 to same ports and also need HairPin NAT) - have problem creating these rules


WAN - 3391 (port forward to x.151 to port 3389) - works fine

New Member
Posts: 21
Registered: ‎05-23-2017
Kudos: 10
Solutions: 1

Re: Edge Router Help

I'm used to working with Untangle (port forward and respective firewall rules) and I'm just having a hard time fully understanding the workflow of DNAT, Firewall rules and Hairpin NAT (as well as port groups). But I'm sure once I understand the workflow it will all make sense.

firewall.PNG
portforward.PNG
SuperUser
Posts: 20,402
Registered: ‎09-17-2013
Kudos: 5136
Solutions: 1458

Re: Edge Router Help

For the hairpin rules, you have to change the interface to "eth+" (so that it'll trigger on "any" interface).

 

See this guide for info.

 

If you need more help, post the config.

New Member
Posts: 21
Registered: ‎05-23-2017
Kudos: 10
Solutions: 1

Re: Edge Router Help

Thanks for the info. Would I have to apply the "eth+" to step 3 or step 4 of the documentation?

SuperUser
Posts: 20,402
Registered: ‎09-17-2013
Kudos: 5136
Solutions: 1458

Re: Edge Router Help

Seems that it'd be both (although possibly just step 3, and skip step 4).

New Member
Posts: 21
Registered: ‎05-23-2017
Kudos: 10
Solutions: 1

Re: Edge Router Help

But my question still remains: do I have to set up DNAT, Firewall rules and Hairpin NAT (where required) for every port? That would be 14 DNAT rules, 14 firewall rules and x Hairpin NAT rules. Is that correct?

SuperUser
Posts: 20,402
Registered: ‎09-17-2013
Kudos: 5136
Solutions: 1458

Re: Edge Router Help

You can use port groups to reduce the number of rules, but otherwise yes.

New Member
Posts: 1
Registered: ‎05-23-2017

Re: Edge Router Help

Thank you for your help. I now understand the rule sets and the workflow of the rules. I was able to create port groups that I used in the firewall rules, and created all needed DNAT and SNAT rules. All is working. Thank you.
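
The workflow the thread arrives at (port group, DNAT on "eth+", hairpin SNAT, firewall rule), written out for the "WAN IP 2 to x.23" forward as an added example; it is not taken from any post or from the poster's actual config. Assumptions, since the thread gives only "x.23" and "WAN IP 2": eth0 is WAN, eth1 is LAN, the LAN is 192.168.1.0/24, WAN IP 2 is the documentation address 203.0.113.2, the WAN-to-LAN ruleset is named WAN_IN, and the group name and rule numbers are arbitrary.

```edgeos
configure
# Assumed: eth0 = WAN, eth1 = LAN, LAN = 192.168.1.0/24, WAN IP 2 = 203.0.113.2
# One port group replaces six per-port rules for the x.23 forwards
set firewall group port-group X23_PORTS port 22
set firewall group port-group X23_PORTS port 80
set firewall group port-group X23_PORTS port 443
set firewall group port-group X23_PORTS port 7443
set firewall group port-group X23_PORTS port 10000
set firewall group port-group X23_PORTS port 5280

# DNAT: "eth+" matches any interface, so this one rule serves both WAN and
# hairpin traffic; the destination address keeps it scoped to WAN IP 2
set service nat rule 10 description "WAN IP 2 to x.23"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth+
set service nat rule 10 protocol tcp
set service nat rule 10 destination address 203.0.113.2
set service nat rule 10 destination group port-group X23_PORTS
set service nat rule 10 inside-address address 192.168.1.23

# Hairpin SNAT (source NAT rules are numbered 5000 and up): LAN clients
# that reach x.23 via the WAN IP get their replies back through the router
set service nat rule 5010 description "hairpin to x.23"
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol tcp
set service nat rule 5010 source address 192.168.1.0/24
set service nat rule 5010 destination address 192.168.1.23
set service nat rule 5010 destination group port-group X23_PORTS

# Firewall: evaluated after DNAT, so it matches the internal address,
# and only the grouped ports on that one host are opened
set firewall name WAN_IN rule 20 description "allow forwards to x.23"
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 protocol tcp
set firewall name WAN_IN rule 20 destination address 192.168.1.23
set firewall name WAN_IN rule 20 destination group port-group X23_PORTS
commit
save
```

For a forward that changes the port, such as WAN IP 1 port 80 to x.8 port 79, the DNAT rule additionally sets `inside-address port 79`, and the firewall rule matches the translated port 79 rather than 80.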