New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

clear guide on Dual Wan Port Forwarding

I should preface this by saying I have never used an Edge Router before. I have no issues digging into the CLI to configure this correctly if need be, but I do not know the CLI commands. With the constant issues with the USG dual WAN (which they may have fixed by now, I'm not sure) we decided to use an Edge Router for the WAN failover to feed the USG and leave the USG as the firewall/DHCP/DNS server for the network.

[image: net issue.png]

That is the network topology at a site where I cannot for the life of me get port forwarding to work.

I have all the ports forwarded on the USG. This was working before we added the Edge Router Pro and the second WAN connection. Basically I am trying to use the Edge Router Pro as a dual WAN failover router and leave the USG as the DHCP server and firewall for the network.

I tried doing something with the DNAT rules but those weren't working for me (or I just don't know how to configure them properly, which is more likely).

Basically I have an NVR on 192.168.1.50 and need ports 3389 and 55756-55757 to forward from either WAN connection to the NVR. The dual WAN is set up in Failover Only. I used the Load Balancing wizard and left the firewalls enabled. I tried it again leaving the firewalls disabled on both WANs in the wizard, and port forwarding isn't working even without adding any additional rules (again, I'm not sure whether it should or shouldn't be).

Is there a clear guide, or somebody that can tell me exactly what I'm supposed to do to make port forwarding work for both WANs?

-Edited for new topology picture and some typos.


All Replies
Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

So why not disable the firewall entirely on the Edgerouter (except local) and do a 1-to-1 NAT to the USG and let the USG handle the port forwarding/firewall? I'm assuming your USG is doing masquerading (PAT) as well.

Please post the IP addresses of your USG WAN and eth0 and eth1.
Please don't forget to kudo helpful posts and mark accepted solutions accordingly!
jcm.me - Personal Site | Joyn.Tech - Consulting Site

Add Auto-Provisioning Support to UNMS
New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

I tried setting it up with no firewall rules and port forwarding still doesn't work.

The USG has no custom JSON or anything, only the port forwarding rules.

The addresses from the Comcast cable modem and the AT&T modem are both public IP addresses, so I will not be posting those.

I am using 192.168.2.1/24 from the Edge Router to the USG.

I am using 192.168.1.1/24 for the USG LAN.

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

I'm assuming 192.168.2.1 is the WAN IP on your USG, not on the Edgerouter. If not, then adjust the code below to reflect 192.168.2.1 as the WAN IP of the USG.

  1. Delete all in and out firewall rules on eth0, eth1, and eth2.
  2. Delete all NAT rules currently on the Edgerouter.
  3. Set new NAT rules as follows:

rule 1 {
    destination {
        address <public ip eth0>
    }
    inbound-interface eth0
    inside-address {
        address 192.168.2.1
    }
    protocol all
    type destination
}
rule 2 {
    destination {
        address <public ip eth1>
    }
    inbound-interface eth1
    inside-address {
        address 192.168.2.1
    }
    protocol all
    type destination
}

 

New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

The only issue with setting the public IPs in the config is that they are DHCP and the AT&T one changes at least monthly.

I'm also trying to keep web access to the Edge Router from inside the USG network. Currently the Edge Router access from inside the USG works; it is just the port forwards.

If this can work for both the port forwards and the USG LAN to Edge Router access then I will make these changes tomorrow (currently 6:47pm my time).

I make those rules as Destination NAT, correct?

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

Ok. In that case you can use the following syntax:

 

rule 1 {
    destination {
        group {
            address-group ADDRv4_eth0
        }
    }
    inbound-interface eth0
    inside-address {
        address 192.168.2.1
    }
    protocol all
    type destination
}
rule 2 {
    destination {
        group {
            address-group ADDRv4_eth1
        }
    }
    inbound-interface eth1
    inside-address {
        address 192.168.2.1
    }
    protocol all
    type destination
}

In the GUI you would use "or Interface Addr" and select your interface to get around DHCP-related issues. These are destination NAT rules, yes. There is no reason why you should not be able to access the Edgerouter on the 192.168.2.x subnet from devices behind the USG. Just add a firewall local rule that allows this on the eth2 interface of the Edgerouter. Please don't forget that you need to disable the firewall rules on eth0 and eth1 and delete all other NAT/port forwarding rules if any exist in the Edgerouter.

New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

Will do tomorrow. I will start by defaulting the config in the Edge Router and running the Load Balancing Wizard again, making sure to uncheck Enable Firewall, and I will check that WAN 2 is failover only.

Then I will delete the default NAT rules (I believe there is a NAT Masquerade rule for each WAN) and make sure there are no firewall rules.

Then I can add the syntax you posted. Do I just copy and paste into the CLI and then do commit and save?

Thanks so much for the help so far, this was driving me crazy and my boss is a bit upset with me currently.

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

You will need masquerading rules as well for outbound connectivity to still work. I assumed those were already set up, but since you are defaulting the config, here is the exact syntax you should put in your router from the command line configuration mode:

 

set service nat rule 1 destination group address-group ADDRv4_eth0
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.2
set service nat rule 1 log disable
set service nat rule 1 protocol all
set service nat rule 1 type destination
set service nat rule 2 destination group address-group ADDRv4_eth1
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.2
set service nat rule 2 log disable
set service nat rule 2 protocol all
set service nat rule 2 type destination
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 source address 192.168.1.2
set service nat rule 5001 type masquerade
set service nat rule 5002 log disable
set service nat rule 5002 outbound-interface eth1
set service nat rule 5002 source address 192.168.1.2
set service nat rule 5002 type masquerade
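As an added example (not code from the thread, from EdgeOS or from the poster), a small Python lint for a `set service nat rule` script like the one above. It flags the three mistakes this thread walks through: a DNAT rule written against a literal DHCP-assigned WAN IP instead of the ADDRv4_<interface> group, an inside-address that is not the USG WAN IP, and a WAN interface that has a DNAT rule but no matching masquerade rule. The sample rule set, the 203.0.113.7 address and the use of 192.168.2.39 as the USG WAN IP (the value given later in the thread) are constructed inputs.

```python
# Added example: lint an EdgeOS 'set service nat rule' script for dual-WAN pitfalls.
import re

# Constructed sample: the accepted-solution rules, with rule 2 written against a
# hard-coded public IP and the wrong inside host, and eth1 missing its masquerade.
SAMPLE = """
set service nat rule 1 destination group address-group ADDRv4_eth0
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.2.39
set service nat rule 1 type destination
set service nat rule 2 destination address 203.0.113.7
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.2
set service nat rule 2 type destination
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 source address 192.168.2.39
set service nat rule 5001 type masquerade
"""

LINE = re.compile(r"^set service nat rule (\d+) (.+)$")

def parse_rules(text):
    """Return {rule_number: {key path: value}} from EdgeOS set commands."""
    rules = {}
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            parts = m.group(2).split()
            rules.setdefault(int(m.group(1)), {})[" ".join(parts[:-1])] = parts[-1]
    return rules

def lint_dual_wan(rules, usg_wan_ip):
    """Return a list of findings; an empty list means the rule set is consistent."""
    problems, dnat, masq = [], set(), set()
    for num, kv in sorted(rules.items()):
        if kv.get("type") == "destination":
            iface = kv.get("inbound-interface")
            dnat.add(iface)
            # A literal WAN IP breaks when the DHCP lease changes; ADDRv4_<iface> tracks it.
            if "destination address" in kv:
                problems.append(f"rule {num}: hard-coded WAN IP, use address-group ADDRv4_{iface}")
            elif kv.get("destination group address-group") != f"ADDRv4_{iface}":
                problems.append(f"rule {num}: address-group does not match {iface}")
            if kv.get("inside-address address") != usg_wan_ip:
                problems.append(f"rule {num}: inside-address is not the USG WAN IP {usg_wan_ip}")
        elif kv.get("type") == "masquerade":
            masq.add(kv.get("outbound-interface"))
    for iface in sorted(dnat - masq):
        problems.append(f"{iface}: DNAT rule has no masquerade rule, outbound traffic will break")
    return problems
```

Running `lint_dual_wan(parse_rules(SAMPLE), "192.168.2.39")` reports rule 2 twice and eth1 once; fixing those three lines yields an empty list.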
New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

I noticed this broke hairpin NAT. Is there something I can add to the config to get hairpin NAT working again?

We are still testing, but it is working with the primary WAN online and the failover WAN online but in failover mode.

Port forwards also worked when failed over to the AT&T.

Problem is the system does not fail back. I opened up the CLI and did show load-balance watchdog and it shows both routes are offline. *EDIT* I changed the route test to point at 8.8.8.8 and this fixed the failover and failback. This is all working now. Now the only thing I would like to figure out is how to get hairpin NAT working.

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

Hairpin would be handled on your USG, right? What address/port are you trying to access where hairpin is not working?
New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

Trying to access the camera NVR using the DDNS we have for the house, using one of those port forwards we have on the USG.

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

Please provide source IP and destination IP you are trying to access.
Veteran Member
Posts: 7,050
Registered: ‎03-24-2016
Kudos: 1824
Solutions: 803

Re: clear guide on Dual Wan Port Forwarding

The ER8 should do the NAT and port forwarding.

You can have the USG in between (quite useless though); if you do, set it up for no NAT, no firewall, only routing.

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

@16again, his current setup uses the USG for masquerading, PAT, and firewalling his LAN. He would have to configure routing between the Edgerouter and USG if he disabled these features on it.
New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

The source IP could be a different IP every day (it is accessed from cell phones and iPads they have).

The destination is the NVR, 192.168.1.50.

Before adding the Edge Router and the second WAN they could just point to the DDNS and it would work (example.myddns.com).

This is no longer working. They are OK with having the two different listings in the phone and iPad apps for when they are home on the Wi-Fi and when they are away, but I'm sure there is a way to fix it without setting up split DNS (although if there is an easy way to do that on the USG without a JSON I can try that, but I looked for those options in the controller and didn't find any).

The USG DHCP server is set to hand out 192.168.1.1 as primary DNS (the USG IP).

The USG WAN setting is set to Static with 192.168.2.1 (the Edge Router) as primary DNS and 8.8.8.8 as secondary DNS.

USG WAN is 192.168.2.39 (which I changed in the script you gave me to copy and paste)

Regular Member
Posts: 339
Registered: ‎02-16-2014
Kudos: 40
Solutions: 7

Re: clear guide on Dual Wan Port Forwarding

I just don't understand why you don't get rid of the USG. The ER Pro will do everything the USG already does without it. You just have another redundant device getting in the way.
New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

The client likes the DPI stats and everything being lit up in the controller. They have their own login (with minimal access). Otherwise I would have been happy to remove the USG and only use the Edge Router. When they release the NAT control to the stable UniFi controller I may change the USG to be there for monitoring only and use the Edge Router as the router/firewall for the entire system to make it simpler.

One day I hope to be able to lab things like this but I can't afford to buy the different components I would need yet (no USG at home or Edge Router, and only one internet connection).

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

This is kind of an odd workaround but you could set static hostnames in the Edgerouter to resolve this for your clients as a private IP:

set system static-host-mapping host-name example.myddns.com inet 192.168.1.50
New Member
Posts: 30
Registered: ‎06-08-2016
Kudos: 8
Solutions: 1

Re: clear guide on Dual Wan Port Forwarding

So I would actually set the IP as the USG WAN IP, correct? 192.168.2.39?

Just want to confirm. I think that is where I messed up the original DNAT rules I was trying to do before posting here.

You have been most helpful with this. Thank you again!

Established Member
Posts: 823
Registered: ‎07-23-2015
Kudos: 479
Solutions: 46

Re: clear guide on Dual Wan Port Forwarding

No, just use the actual IP configured on the server network interface.