New Member
Posts: 8
Registered: ‎01-13-2013
Kudos: 1
Solutions: 1
Accepted Solution

Port Forward - Help!

I recently got the EdgeMAX router deployed in a home environment. It's working, but I would like some step-by-step examples for port forwarding in the GUI. Thanks in advance!


All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5479
Solutions: 1656
Contributions: 2

Re: Port Forward - Help!

Here's some basic information about destination NAT rules in the GUI:

wiki.ubnt.com/Destination_NAT_Rules#Add_or_Configure_a_Destination_NAT_Rule

Could you post what specific issues you are encountering? Thanks.
New Member
Posts: 8
Registered: ‎01-13-2013
Kudos: 1
Solutions: 1

Port Forward -3389 issue

Hi,
Thanks for your reply. I am under the impression that my NAT rule is not configured properly, but I included screenshots of my firewall policy as well. The reason I say this is because I tested the NAT rule while allowing all traffic through the firewall. Basically I am trying to forward port 3389 to my PC at 192.168.1.1 from any network address.
Thanks in advance for your help!
[Attached screenshots: NAT 1.png, NAT 2.png, firewall policy 1.png through firewall policy 5.png]
New Member
Posts: 33
Registered: ‎01-11-2013
Kudos: 32

Re: Port Forward - Help!

I think your problem is on page 2... Src Port should be empty, as it could come from any port, not only the RDP one. Also Dest-Address should be your WAN IP instead of the internal one. Translation should work.
I don't have the router yet to test it, but I think if you modify src-port and dst-address and leave the rest as it is, it might work. Give it a try, or someone with more experience could help you with the rest of the config.
New Member
Posts: 8
Registered: ‎01-13-2013
Kudos: 1
Solutions: 1

Re: Port Forward - Help!

alfarobl,
Thanks for your reply. I made the changes you suggested but still no luck, hopefully someone who has set this up before can help us out.
Also I just wanted to update that I am not using my Windows firewall and am using http://www.yougetsignal.com/tools/open-ports/ to test my port connectivity. This was working fine with my SonicWall that I am replacing.
New Member
Posts: 33
Registered: ‎01-11-2013
Kudos: 32

Re: Port Forward - Help!

alfarobl,
Thanks for your reply. I made the changes you suggested but still no luck, hopefully someone who has set this up before can help us out.

Make sure you make changes to both the NAT and the firewall rule... you need to open From All (any port) to your internal IP (TCP port 3389). On NAT, the same rule but to the WAN IP with translation to the internal IP, TCP 3389.
Maybe you only did it for NAT and not the firewall rule? Make sure all is correct. If it still fails, maybe someone with more experience can help... but I will have the same problem when I get my router.
New Member
Posts: 33
Registered: ‎01-11-2013
Kudos: 32

Re: Port Forward - Help!

As they say, EdgeOS is based on Vyatta, so you could use some of its examples...

I have modified my reply to fix some info that should now make it work for you. But if you want to take a look:
http://roggyblog.blogspot.com.es/2009/12/vyatta-as-internet-gateway.html


Check the firewall WAN_IN example to open the RDP port (the IP is the internal LAN server):
rule 20 {
    action accept
    destination {
        address 192.168.10.10
        port 3389
    }
    log enable
    protocol tcp
}


Check NAT: the first IP is the WAN IP, then the internal LAN server IP:
rule 30 {
    destination {
        address 192.168.0.84
        port 3389
    }
    inbound-interface eth0
    inside-address {
        address 192.168.10.10
        port 3389
    }
    protocol tcp
    type destination
}
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: Port Forward - Help!

I started to put together a wiki page on port forwarding. It still needs work, but may be helpful: EdgeOS Port Forwarding
EdgeMAX Router Software Development
New Member
Posts: 8
Registered: ‎01-13-2013
Kudos: 1
Solutions: 1

Update

Thanks for the tutorial, it works great now, thanks! One question: instead of using my external IP address, is it possible to replace it with the WAN interface or a DNS name, as I have a dynamic IP? Thanks!
New Member
Posts: 33
Registered: ‎01-11-2013
Kudos: 32

Re: Port Forward - Help!

Thanks for the replies. I have not had a chance yet to test but should today; I will post my results tonight.
Thanks

I got the router today so I will also check that it works. I am currently working on the WAN side to get it to connect. Next step will be to open ports.
UPDATE: Got the port forwarding rules working. I have posted my working configuration here if you want to take a look: forum.ubnt.com/showpost.php?p=418929&postcount=14
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: Port Forward - Help!

Thanks for the tutorial, it works great now, thanks! One question: instead of using my external IP address, is it possible to replace it with the WAN interface or a DNS name, as I have a dynamic IP? Thanks!
Come to think of it, I don't think the destination address is necessary in the destination NAT rule. Destination port should be enough.
EdgeMAX Router Software Development
New Member
Posts: 33
Registered: ‎01-11-2013
Kudos: 32

Re: Port Forward - Help!

Come to think of it, I don't think the destination address is necessary in the destination NAT rule. Destination port should be enough.

Thank you.
Yes, that is how I did it (after reading your tutorial of course), as I was not able to define an IP (pppoe with dynamic IP)... It is important to assign the NAT rule to the correct interface, and that should be enough for it to work.
But if your WAN IP is static it makes sense to define it.
nat {
    rule 1 {
        description "port forward to Server"
        destination {
            port 11000
        }
        inbound-interface pppoe0
        inside-address {
            address 192.168.0.3
            port 11000
        }
        log disable
        protocol tcp
        type destination
    }
}
New Member
Posts: 11
Registered: ‎10-12-2012

Re: Port Forward - Help!

I'm using Firehol (firehol.sourceforge.net/) for iptables configuration on servers, like it very much. Anyone have any experience of using it on routers? Any thoughts?
Established Member
Posts: 1,211
Registered: ‎06-14-2012
Kudos: 1008
Solutions: 80
Contributions: 9

Re: Port Forward - Help!

I'm using Firehol (firehol.sourceforge.net/) for iptables configuration on servers, like it very much. Anyone have any experience of using it on routers? Any thoughts?


EOS has its own system for building FW rules. Using firehol on an ERL would likely mangle the iptables into a state of failure.
New Member
Posts: 31
Registered: ‎08-06-2010
Kudos: 13
Solutions: 1

Re: Port Forward - Help!


@UBNT-stig wrote:
Come to think of it, I don't think the destination address is necessary in the destination NAT rule. Destination port should be enough.


Please update the Wiki to indicate this. Thanks!

New Member
Posts: 26
Registered: ‎02-05-2016

Re: Port Forward - Help!

I have a similar problem establishing port forwarding; I appreciate the advice.

I have two virtual LANs, and need to open ports 8888 and 9999 for remote access to a security camera system.

I followed all the articles, and the advice above, and yet cannot get the port forwarding to work properly.

The internal IP address of the security camera system is: 192.168.4.249. I need all external access to ports 8888 and 9999 routed to this system. I have a static mapping of the IP address.

Attached config below.

Thanks for the review and advice ahead of time. Do I have some internal conflict?

Linux ubnt 3.10.20-UBNT #1 SMP Tue Jun 16 12:05:05 PDT 2015 mips64
Welcome to EdgeOS
~$ show configuration
firewall {
all-ping enable
broadcast-ping disable
group {
network-group PROTECT_VLANS {
description ""
network 192.168.3.0/24
}
port-group UniFi_Guest_Portal {
description "UniFi Portal"
port 8443
port 8880
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name PROTECT_VLANS {
default-action accept
rule 1 {
action accept
description "Accept est / rel"
log disable
protocol all
state {
established enable
related enable
}
}
rule 2 {
action drop
description "Drop Route"
destination {
group {
network-group PROTECT_VLANS
}
}
log disable
}
}
name WAN_IN {
default-action drop
description "packets from Internet to LAN & WLAN"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL {
default-action drop
description "packets from Internet to the router"
enable-default-log
rule 1 {
action accept
description "allow established session to the router"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log enable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
traffic-policy {
out shaper1
}
}
ethernet eth1 {
address 192.168.1.1/24
description LAN
duplex auto
firewall {
in {
name PROTECT_VLANS
}
}
speed auto
traffic-policy {
out shaper1
}
}
ethernet eth2 {
address 192.168.2.1/24
description LAN2
duplex auto
firewall {
in {
name PROTECT_VLANS
}
}
speed auto
traffic-policy {
out shaper1
}
vif 20 {
address 192.168.4.1/24
address 192.168.4.249/24
description BOSS_POS
firewall {
in {
name PROTECT_VLANS
}
}
}
vif 30 {
address 192.168.3.1/24
description "Guest Network"
firewall {
in {
name PROTECT_VLANS
}
}
}
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth2.20
lan-interface eth2
rule 1 {
description "Security Remote"
forward-to {
address 192.168.4.249
}
original-port 8888
protocol tcp
}
rule 2 {
description "Security Media Port"
forward-to {
address 192.168.4.249
}
original-port 9999
protocol tcp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name BOSS_POS {
authoritative disable
subnet 192.168.4.0/24 {
default-router 192.168.4.1
dns-server 192.168.4.1
lease 14400
start 192.168.4.100 {
stop 192.168.4.200
}
static-mapping BOSS_TMC_Security_Video {
ip-address 192.168.4.249
mac-address EC:71:DB:F3:DD:8C
}
}
}
shared-network-name Guest_Network {
authoritative disable
subnet 192.168.3.0/24 {
default-router 192.168.3.1
dns-server 192.168.3.1
lease 14400
start 192.168.3.100 {
stop 192.168.3.200
}
}
}
shared-network-name LAN {
authoritative disable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.2 {
stop 192.168.1.254
}
}
}
shared-network-name LAN2 {
authoritative disable
subnet 192.168.2.0/24 {
lease 86400
start 192.168.2.100 {
stop 192.168.2.150
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on eth2
listen-on eth2.30
listen-on eth2.20
}
}
gui {
https-port 443
}
nat {
rule 5000 {
description "masquerade for WAN"
log disable
outbound-interface eth0
type masquerade
}
rule 5001 {
description "masquerade for public Network"
log disable
outbound-interface eth0
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
login {
user BOSSAdmin {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
user Jeff {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
ipsec enable
ipv4 {
forwarding enable
}
ipv6 {
forwarding disable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Los_Angeles
traffic-analysis {
dpi disable
export disable
}
}
traffic-policy {
shaper shaper1 {
bandwidth 64mbit
class 2 {
bandwidth 10%
burst 15k
ceiling 70%
match port80 {
ip {
source {
port 80
}
}
}
priority 5
queue-type fair-queue
}
class 3 {
bandwidth 10%
burst 15k
ceiling 70%
match port20 {
ip {
source {
port 20
}
}
}
match port21 {
ip {
source {
port 21
}
}
}
priority 6
queue-type fair-queue
}
class 4 {
bandwidth 10%
burst 15k
ceiling 30%
match port443 {
ip {
source {
port 443
}
}
}
priority 4
queue-type fair-queue
}
class 5 {
bandwidth 10%
burst 15k
ceiling 70%
match port80 {
ip {
source {
port 80
}
}
}
priority 5
queue-type fair-queue
}
class 6 {
bandwidth 5%
burst 15k
ceiling 15%
match port53 {
ip {
source {
port 53
}
}
}
priority 0
queue-type fair-queue
}
class 7 {
bandwidth 30%
burst 20k
ceiling 100%
match port5060 {
ip {
source {
port 5060
}
}
}
match port5061 {
ip {
source {
port 5061
}
}
}
match port5062 {
ip {
source {
port 5062
}
}
}
match port5063 {
ip {
source {
port 5063
}
}
}
match port5064 {
ip {
source {
port 5064
}
}
}
match port5065 {
ip {
source {
port 5065
}
}
}
match port5066 {
ip {
source {
port 5066
}
}
}
match port5067 {
ip {
source {
port 5067
}
}
}
match port5068 {
ip {
source {
port 5068
}
}
}
match port5069 {
ip {
source {
port 5069
}
}
}
match port5070 {
ip {
source {
port 5070
}
}
}
match port10000 {
ip {
source {
port 10000
}
}
}
match port10001 {
ip {
source {
port 10001
}
}
}
match port20000 {
}
match port20001 {
}
priority 1
queue-type fair-queue
}
default {
bandwidth 15%
burst 15k
ceiling 35%
priority 7
queue-type fair-queue
}
}
}

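A consistency check for the kind of configuration exchanged in this thread, as an added example that is not code from the thread, from EdgeOS or from Vyatta: it parses the brace syntax used in the snippets above, collects every address the router holds on its own interfaces, and flags a port-forward rule whose forward-to address is either assigned to the router itself or lies outside every directly connected subnet. The sample is a constructed cut-down of the config posted just above, where eth2 vif 20 carries both 192.168.4.1/24 and 192.168.4.249/24 while the DHCP static mapping hands 192.168.4.249 to the camera, so the check reports that overlap; the function names are my own.

```python
import ipaddress
# Constructed sample cut down from the config posted above (not the poster's full dump).
SAMPLE = """interfaces {
    ethernet eth2 {
        vif 20 {
            address 192.168.4.1/24
            address 192.168.4.249/24
        }
    }
}
port-forward {
    rule 1 {
        forward-to {
            address 192.168.4.249
        }
        original-port 8888
    }
    wan-interface eth0
}"""

def parse(text):
    """Nested dicts for the EdgeOS/Vyatta brace syntax; repeated leaves become lists."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, val = line.partition(" ")
            stack[-1].setdefault(key, []).append(val)
    return stack[0]

def interface_addrs(node):
    """Every static IPv4 address the router holds, on ethernet, vif or any other interface."""
    out = [ipaddress.ip_interface(a) for a in node.get("address", []) if "/" in a]
    for val in node.values():
        if isinstance(val, dict):
            out += interface_addrs(val)
    return out

def check_port_forward(cfg):
    """Findings that explain why a port-forward rule cannot work as written."""
    addrs, findings = interface_addrs(cfg.get("interfaces", {})), []
    for name, rule in cfg.get("port-forward", {}).items():
        if name.startswith("rule "):
            target = ipaddress.ip_address(rule["forward-to"]["address"][0])
            if any(target == a.ip for a in addrs):
                findings.append(f"{name}: {target} is assigned to the router itself")
            elif not any(target in a.network for a in addrs):
                findings.append(f"{name}: {target} is not on any connected subnet")
    return findings
```

Feeding it the full text of show configuration works the same way, since the parser only needs balanced braces.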
New Member
Posts: 10
Registered: ‎07-14-2016

Re: Port Forward - Help!

Hi All!


I am having an issue with port forwarding as well. I configured it as it states here, but for some reason when I use yougetsignal it is still reporting that the ports are closed. I am a little confused by source and destination as well... one spot says destination is your external IP (I have a static IP) and one says it's the IP of the device (IP camera in my situation). Also, I am doing 10 cameras, so I would prefer to use groups or ranges rather than setting up 10 separate firewall & NAT rules.

Thanks so much for your help!