New Member
Posts: 5
Registered: 3 weeks ago

Edgerouter X Port forwarding issues


Hey Guys,

 

I have a weird issue with my Edge Router X not forwarding ports. My setup was working previously on a TP-Link and even Meraki MX so I know the ports are not blocked by ISP. I have reset the Edge Router at least 3 times in pursuit of a functioning setup. Here is my latest....

 

Examples of ports I would like to forward; btw, they all go to different internal IPs:

  8555

  8089

  4040

  81

  32400

  5050

  1192-1192

 

After setting all of these up I checked the box to enable "autofirewall", then waited 10 minutes and rebooted the router. This did not work.

 

I then turned off autofirewall, rebooted, logged into the CLI and ran "show configuration all". I copied this output to notepad, then toggled the setting back on and rebooted. It does not appear that autofirewall does anything at all other than changing from "disabled" to "enabled".

 

I then configured a firewall rule on WAN_IN to allow and created a SNAT rule, I was able to get port 81 working however none of the other ports listed appear to be working.

 

On the portforward screen I can see the packets hitting the rules attempting to gain access but something is amiss here.

 

Issues so far with Ubiquiti EdgeRouter

  1. Autofirewall is broken, does not work at all

  2. Autofirewall does not implement NAT and Firewall rules (how to confirm the device is doing what it supposed to?)

  3. Autofirewall does not change "configuration" in CLI (again how to confirm the device is doing what it supposed to?)

  4. SNAT rules do not appear to be working either (can't trust this device to do anything)

 

I have read through numerous "Edge Router not forwarding" articles and cannot believe all the issues people are having with port forwarding. Not trying to compare this to Cisco Meraki, but putting a port forward in should just work...

Capture.PNG
Regular Member
Posts: 334
Registered: ‎11-11-2015
Kudos: 125
Solutions: 31

Re: Edgerouter X Port forwarding issues


All of the people having issues have a single theme in common... They do not buy a switch.

 

Instead, they are trying to make a router be a switch and struggling with the setup.

  • Can an ER-X be both a router and a switch?
    Yes.
  • How does it work under 1.10.7?
    I struggled a lot trying to get switch0 to work without vlans before just throwing in the towel.  It's probably broken somewhere, so I found a workaround.  Make the switch vlan aware, and create a vlan.

 

LAB Gear used:  1x ER-X, 1x RaspberryPi-3

Physical Topology:

eth0 - DHCP WAN

eth2 - switch0

eth3 - switch0

 

LAN Network created: 172.17.52.0/24 on vlan 2052

Relevant switch0 config from my lab ER-X:

set interfaces switch switch0 switch-port interface eth2 vlan pvid 2052
set interfaces switch switch0 switch-port interface eth3 vlan pvid 2052
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 vif 2052 address 172.17.52.1/24

The RBP-3 is not configured for vlan tagging by default, so it sits on the native vlan of whatever port it is plugged into.  Thus, when connected to either eth2 or eth3, the pvid 2052 forces it onto vlan 2052.  It pulls a dhcp from my vlan 2052 scope:

lab-erx:~$ show dhcp leases
IP address      Hardware Address   Lease expiration     Pool       Client Name
----------      ----------------   ----------------     ----       -----------
172.17.52.124   aa:bb:cc:dd:ee:ff  2018/11/21 17:33:40  VLAN2052   rbp3-gable

Since it got 172.17.52.124, I can now setup port forwarding to hit that device:

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface switch0.2052
set port-forward rule 1 description RBP3-SSH
set port-forward rule 1 forward-to address 172.17.52.124
set port-forward rule 1 forward-to port 22
set port-forward rule 1 original-port 8422
set port-forward rule 1 protocol tcp
set port-forward wan-interface eth0

I then connect my test system on eth2 which would also pull another lease from VLAN2052 and verify inside connectivity first.

 

To reach the RBP internally, ssh user@172.17.52.124:22

This has to connect or you'll never get it working externally.

To reach the RBP externally, ssh user@WANIP:8422

 

  • How to verify the automatic rules are configured and working?
    sudo iptables -t nat -L UBNT_PFOR_DNAT_HOOK
    Chain UBNT_PFOR_DNAT_HOOK (1 references)
    target     prot opt source               destination
    UBNT_PFOR_DNAT_RULES  all  --  anywhere             anywhere             match-set ADDRv4_eth0 dst
    UBNT_PFOR_DNAT_RULES  all  --  anywhere             anywhere             match-set ADDRv4_eth0 dst
    sudo iptables -t nat -L UBNT_PFOR_DNAT_RULES
    Chain UBNT_PFOR_DNAT_RULES (2 references)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:8422 to:172.17.52.124:22
    sudo iptables -nvL UBNT_PFOR_FW_HOOK
    Chain UBNT_PFOR_FW_HOOK (1 references)
     pkts bytes target     prot opt in     out     source               destination
      234 22484 UBNT_PFOR_FW_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    sudo iptables -nvL UBNT_PFOR_FW_RULES
    Notice the 23 successful hits here.
    Chain UBNT_PFOR_FW_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
       23  3280 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.17.52.124        tcp dpt:22

If for some reason it's still not working, odds are the nat masquerade was missing. It needs to exist to allow traffic through the nat barrier:

set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade

Edits: spelling/minor clarifications and added how to verify the auto config is applied.

New Member
Posts: 5
Registered: 3 weeks ago

Re: Edgerouter X Port forwarding issues

Wurgy,

 

Thank you for your reply!

 

To check for my understanding I attached a photo below that shows my network. Based upon my setup in the photo should I do the following.

 

make eth1 pvid 10, vid 3

make eth2-3 pvid 3, no vid

make eth4 part of vlan10

leave eth0 as 192.168.10.1 so I can manage it

 

switch0 - vlan3 - 192.168.1.1/24

switch0 - vlan10 - dhcp for WAN

 

switch0 vlan aware

eth1-4 in switch

 

netsetup.PNG
SuperUser
Posts: 7,495
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: Edgerouter X Port forwarding issues

Maybe it's better if you post the full config: spoiler tag, code button and paste

Spoiler
paste here the config

Usually, the edgerouters, when correctly configured, do exactly what they have been configured to do ...

Cheers,

jonatha

 

Regular Member
Posts: 334
Registered: ‎11-11-2015
Kudos: 125
Solutions: 31

Re: Edgerouter X Port forwarding issues

I count 4 virtual local area networks (vlans) you are trying to create.  I'm a bit lost since you have a switch already and that switch is vlan capable...  Unless you are trying to use more ports on that ER-X, it should really be configured like this:

 

ER-X

eth0 - mgmt port

eth1 - to Aruba S2500 Network 1

eth1.2 - Network 2

eth1.3 - Network 3

eth1.4 - Network 4

eth4 - to SB6141 dhcp

 

You don't need to make a switch0 here.  Only if you want to have those additional eth2, eth3 ports to use would it need to be reconfigured as a switch port.

 

As long as the config matches on the Aruba side of the trunk, you will have 4 networks run by the ER-X over that single trunk port.

New Member
Posts: 5
Registered: 3 weeks ago

Re: Edgerouter X Port forwarding issues


Wurgy, I reconfigured using vlans this time.

 

Here is my current config

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description VLAN11
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description VLAN3
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description VLAN3
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description VLAN3
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    pvid 11
                }
            }
            interface eth1 {
                vlan {
                    pvid 3
                }
            }
            interface eth2 {
                vlan {
                    pvid 3
                }
            }
            interface eth3 {
                vlan {
                    pvid 3
                }
            }
            vlan-aware enable
        }
        vif 3 {
            address 192.168.1.1/24
            description "VLAN3 - Home"
            mtu 1500
        }
        vif 11 {
            address 192.168.10.1/24
            description "VLAN11 - Management"
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0.3
    rule 1 {
        description SSH
        forward-to {
            address 192.168.1.100
            port 22
        }
        original-port 1000
        protocol tcp_udp
    }
    rule 2 {
        description Subsonic
        forward-to {
            address 192.168.1.13
            port 4040
        }
        original-port 4040
        protocol tcp
    }
    wan-interface eth4
}
protocols {
    static {
        route 10.0.0.0/24 {
            next-hop 192.168.1.2 {
            }
        }
        route 10.10.1.0/24 {
            next-hop 192.168.1.2 {
            }
        }
        route 172.16.1.0/24 {
            next-hop 192.168.1.2 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 1.1.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.155 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name Management {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 1.1.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.10.99 {
                    stop 192.168.10.150
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth4
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name RROUTE1
    login {
        user admin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America
}

I went through the diagram to make it less confusing. My whole goal is to avoid router on a stick for the 10 network, as it will primarily be running 10GbE traffic. I prefer to have the 192 network running on the ERX since it has a nice interface. The issue is getting the port forwards working for the NAS VIRTUAL HOSTS.

home.PNG
Regular Member
Posts: 334
Registered: ‎11-11-2015
Kudos: 125
Solutions: 31

Re: Edgerouter X Port forwarding issues

Looking at the config, I only spot an issue with the DNS forwarding listen interfaces.  The port forwards look fine, what is not working and how are you testing?

 

Diagram shows 192.168.1.100:1000 which seems incorrect since you mention SSH in the port-forward description.

The port-forward (as configured) is doing this conversion: WANIP:1000 -> 192.168.1.100:22

192.168.1.100:22 is the real service port for SSH and that's probably what should be on the diagram and how you connect internally from anywhere that is not the WAN IP.

 

lab-erx:~$ sudo iptables -t nat -L UBNT_PFOR_DNAT_RULES
Chain UBNT_PFOR_DNAT_RULES (3 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:1000 to:192.168.1.100:22
DNAT       udp  --  anywhere             anywhere             udp dpt:1000 to:192.168.1.100:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:4040 to:192.168.1.13:4040

Even though it reads source anywhere to destination anywhere, it's only for packets arriving on eth4 destined to ADDRv4_eth4.

 

lab-erx:~$ sudo iptables -t nat -L UBNT_PFOR_DNAT_HOOK
Chain UBNT_PFOR_DNAT_HOOK (1 references)
target     prot opt source               destination
UBNT_PFOR_DNAT_RULES  all  --  anywhere             anywhere             match-set ADDRv4_eth4 dst
UBNT_PFOR_DNAT_RULES  all  --  anywhere             anywhere             match-set ADDRv4_eth4 dst
UBNT_PFOR_DNAT_RULES  all  --  anywhere             anywhere             match-set ADDRv4_eth4 dst
Veteran Member
Posts: 7,226
Registered: ‎03-24-2016
Kudos: 1860
Solutions: 822

Re: Edgerouter X Port forwarding issues

Stupid (and obvious) question: Do you get a public WAN IP on eth4?

New Member
Posts: 5
Registered: 3 weeks ago

Re: Edgerouter X Port forwarding issues


Yes, I've got a public WAN IP on eth4; it just comes up on its own since it is currently configured as DHCP.

 

As for the ports, yes, hitting 1000 should redirect to port 22 on 192.168.1.100 internally. Right now I'm not getting anything other than SSH working. Here is a list of port forwards I would like to enter.

 

I'm testing with a device on a different network using telnet and simultaneously trying to access the web page.

virtual server1.PNG
virtual server2.PNG
SuperUser
Posts: 7,495
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: Edgerouter X Port forwarding issues

You have to declare, under the port-forward tab, all the 'LAN' interfaces from which you want to connect to the services using the FQDN; currently only switch0.3 is declared (and from that network, it should work). With

sudo iptables -t nat -nvL UBNT_PFOR_DNAT_HOOK

You should see for which interfaces the DNAT rules are created, while the auto-firewall creates the rules that allow access only from the WAN interface.

Cheers,

jonatha

 

Ubiquiti Employee
Posts: 2,299
Registered: ‎05-08-2017
Kudos: 419
Solutions: 345

Re: Edgerouter X Port forwarding issues

Hi @anon5354,

 

Is the WAN interface assigned an address in the 100.64.0.0/10 range by any chance?

 

Can you try running a tcpdump packet capture on the WAN interface to verify if the traffic is arriving at the EdgeRouter? For port 1000 for example:

sudo tcpdump -i eth4 -n tcp dst port 1000

 

-Ben

 


Ben Pin - EdgeMAX Support
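A small offline checker, added here as an example and not taken from any post in this thread, that ties together the verification steps above: it parses the `sudo iptables -t nat -L UBNT_PFOR_DNAT_RULES` output the way Wurgy reads it, compares it against the port-forward rules in the posted config (tcp_udp must show up as two kernel rules), and answers Ben's 100.64.0.0/10 question for the WAN lease. The DNAT chain text and the expected-rule list are constructed from the thread; on a real ER-X you would paste in the live output.

```python
"""Offline sanity check for EdgeOS port forwards (constructed example)."""
import ipaddress
import re

# Constructed sample: the DNAT chain as quoted in the thread. On a real ER-X
# you would paste in the live `sudo iptables -t nat -L UBNT_PFOR_DNAT_RULES`.
DNAT_CHAIN = """\
Chain UBNT_PFOR_DNAT_RULES (3 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:1000 to:192.168.1.100:22
DNAT       udp  --  anywhere             anywhere             udp dpt:1000 to:192.168.1.100:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:4040 to:192.168.1.13:4040
"""

# The port-forward rules from the poster's config; tcp_udp expands to two kernel rules.
EXPECTED = [
    {"original-port": 1000, "protocol": "tcp_udp", "address": "192.168.1.100", "port": 22},
    {"original-port": 4040, "protocol": "tcp", "address": "192.168.1.13", "port": 4040},
]

DNAT_RE = re.compile(r"^DNAT\s+(tcp|udp)\s.*?dpt:(\d+)\s+to:([\d.]+):(\d+)")


def parse_dnat_chain(text):
    """Return {(proto, original_port, to_addr, to_port)} found in iptables -L output."""
    found = set()
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return found


def missing_forwards(expected, chain_text):
    """(proto, original_port) pairs configured but absent from the kernel DNAT chain."""
    present = parse_dnat_chain(chain_text)
    missing = []
    for rule in expected:
        protos = ("tcp", "udp") if rule["protocol"] == "tcp_udp" else (rule["protocol"],)
        for proto in protos:
            if (proto, rule["original-port"], rule["address"], rule["port"]) not in present:
                missing.append((proto, rule["original-port"]))
    return missing


def wan_is_cgnat(addr):
    """True when the WAN lease sits in 100.64.0.0/10 (RFC 6598 shared address space),
    meaning an ISP NAT sits in front of the router and inbound connections never reach it."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network("100.64.0.0/10")
```

An empty list from missing_forwards means the config made it into the kernel, so the remaining suspects are the WAN address type and whether packets arrive at all, which is exactly what the tcpdump above shows.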
