New Member
Posts: 11
Registered: ‎11-12-2018

USG WAN2 port forwarding

Quick background - I'm setting up our Unifi gateway. WAN 1 and LAN 1 are all good - our VLANs are all working and everything seems happy minus some cleanup.

 

What I'm trying to do - forward port 443 and 80 for a Microsoft RDP gateway from WAN2 to our RDP gateway server.

 

I found this guide and did exactly what it stated to do in order to set this up. I created the rule within the controller and I've created the following within the ssh session:

 

rule 4000 {
-    description "WAN2 tcp http RDP"
     destination {
>        address 11.11.11.11
         port 80
     }
     inbound-interface eth3
     inside-address {
         address 10.100.50.103
         port 80
     }
     protocol tcp
     type destination
 }
 rule 4001 {
-    description "WAN2 tcp https RDP"
     destination {
>        address 11.11.11.11
         port 443
     }
     inbound-interface eth3
     inside-address {
         address 10.100.50.103
         port 443
     }
     protocol tcp
     type destination
 }

Obviously I changed the external IPs.

 

However, that doesn't appear to be working. When I check internally, I can access the gateway just fine, but that doesn't appear to be forwarding it to the destination. Am I missing an additional step not noted?

Ubiquiti Employee
Posts: 1,481
Registered: ‎02-28-2017
Kudos: 479
Solutions: 148

Re: USG WAN2 port forwarding

You can combine this into one rule by comma separating the destination port to 80,443 and taking away the "inside-address port" node. 

For example:

rule 4000 {
    description "WAN2 tcp http(s) RDP"
    destination {
        address 11.11.11.11
        port 80,443
    }
    inbound-interface eth3
    inside-address {
        address 10.100.50.103
    }
    protocol tcp
    type destination
}

 

Have you tested this from an external client? You said you checked internally, yet I'm guessing eth3 is your WAN2 interface, and when you check internally, the inbound-interface will not be eth3. What you're describing is hairpin NAT. Another rule is needed for that with the inbound-interface matching the ethernet interface of your source client (for example if you're testing from internal vlan 50 on LAN1, the inbound interface would be eth0.50). You could just change "eth3" to "eth+" and it will listen on all interfaces so you don't have to make extra rules.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

Thanks for the info - I'll get that updated once I get this sorted out.

 

Yep I did try externally - sorry meant to include that. So, internally it works just fine, externally is where I've got the issue. I'm getting an HTTP ERROR 403 when I try and get it externally.

New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

Any other thoughts?

Ubiquiti Employee
Posts: 1,481
Registered: ‎02-28-2017
Kudos: 479
Solutions: 148

Re: USG WAN2 port forwarding

When you test externally, SSH to the USG and type:
show nat statistics

See if your rule's byte/packet counter is incrementing. Also, can I see the details of the firewall rule(s) you added? It should be on WAN_IN.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

Ok did the show nat statistics before:

 

rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
6001  1223957     MASQ  -         eth2      MASQ corporate_network to WAN
6002  0           MASQ  -         eth2      MASQ remote_user_vpn_network to WAN
6003  0           MASQ  -         eth2      MASQ guest_network to WAN
6004  15108       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
6006  0           MASQ  -         eth3      MASQ remote_user_vpn_network to WAN
6007  0           MASQ  -         eth3      MASQ guest_network to WAN
6008  0           MASQ  -         eth3      MASQ eth2 out other WAN

And then after I tried to connect via the web interface for that domain and this is the output of the show nat statistics:

rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
6001  1225382     MASQ  -         eth2      MASQ corporate_network to WAN
6002  0           MASQ  -         eth2      MASQ remote_user_vpn_network to WAN
6003  0           MASQ  -         eth2      MASQ guest_network to WAN
6004  15112       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
6006  0           MASQ  -         eth3      MASQ remote_user_vpn_network to WAN
6007  0           MASQ  -         eth3      MASQ guest_network to WAN
6008  0           MASQ  -         eth3      MASQ eth2 out other WAN

Both increased but I'm assuming I should be seeing something on the eth3 port and there's nothing there.

In addition, I've attached a screenshot of the firewall rule that's been entered via the GUI.

2019-04-15 - Unifi - 01.JPG
Ubiquiti Employee
Posts: 1,481
Registered: ‎02-28-2017
Kudos: 479
Solutions: 148

Re: USG WAN2 port forwarding

Your custom rule 4000 isn't present in the output of "show nat statistics", which means you've reprovisioned or rebooted the USG since creating that rule. Note that custom changes via the CLI aren't persistent without a config.gateway.json file. You'll want to enter those commands in the CLI once more and test this out. If you can confirm it's working, then you can build the config.gateway.json using the article I've hyperlinked above.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
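The persistent form Brandon refers to is a config.gateway.json file that the controller merges into the USG configuration on each provision. The following is an added example for this thread, not Ubiquiti's code: it renders the one-rule port forward suggested earlier (ports 80,443, no inside-address port) as the nested JSON that mirrors the EdgeOS "service nat rule" tree. The addresses and interface are the thread's own values (11.11.11.11 being the poster's substituted WAN2 address); the helper names and the port/rule-number checks are this example's. Keeping inbound-interface pinned to eth3 limits the DNAT match to traffic that actually arrives on WAN2.

```python
"""Render the thread's port-forward rules as a config.gateway.json fragment.

Added example for this thread, not Ubiquiti's code. The JSON layout mirrors the
EdgeOS configuration tree ('service nat rule N ...') as nested objects, which is
how config.gateway.json is written. Values are the thread's own; helper names
and the validation rules below are this example's assumptions.
"""
import json
from typing import Any, Dict

# EdgeOS/Vyatta numbering: destination NAT (port forward) rules live in
# 1-4999, source NAT / masquerade rules in 5000-9999.
DNAT_RULE_RANGE = range(1, 5000)


def dnat_number_ok(number: int) -> bool:
    """True when a rule number is valid for a destination NAT rule."""
    return number in DNAT_RULE_RANGE


def port_forward_rule(description: str, wan_address: str, ports: str,
                      inside_address: str,
                      inbound_interface: str = "eth3") -> Dict[str, Any]:
    """One 'service nat rule' node of type destination.

    ``ports`` may be a single port or a comma-separated list such as "80,443".
    Leaving out 'inside-address port' keeps the destination port unchanged,
    which is the single-rule form suggested in the thread. Scoping
    inbound-interface to the WAN2 interface (eth3) keeps the forward from
    matching on any other interface.
    """
    parts = ports.split(",")
    if not ports or any(not p.isdigit() or not 0 < int(p) < 65536 for p in parts):
        raise ValueError(f"bad port list: {ports!r}")
    return {
        "description": description,
        "destination": {"address": wan_address, "port": ports},
        "inbound-interface": inbound_interface,
        "inside-address": {"address": inside_address},
        "protocol": "tcp",
        "type": "destination",
    }


def build_gateway_config(rules: Dict[int, Dict[str, Any]]) -> Dict[str, Any]:
    """Wrap rule nodes in the service/nat/rule tree the controller merges."""
    for number in rules:
        if not dnat_number_ok(number):
            raise ValueError(f"rule {number}: destination NAT rules must be numbered 1-4999")
    return {"service": {"nat": {"rule": {str(n): rules[n] for n in sorted(rules)}}}}


def render_gateway_json(rules: Dict[int, Dict[str, Any]]) -> str:
    """Serialise the tree exactly as it would be written to config.gateway.json."""
    return json.dumps(build_gateway_config(rules), indent=4)


if __name__ == "__main__":
    # Usage: print the fragment for the thread's combined http(s) forward.
    print(render_gateway_json({
        4000: port_forward_rule("WAN2 tcp http(s) RDP", "11.11.11.11",
                                "80,443", "10.100.50.103"),
    }))
```

The rendered object is only the NAT subtree; the matching WAN_IN firewall accept rule the thread mentions is created in the controller GUI and does not need to be in this file.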
New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

OK - I got the rule added again and I can see it when I do "show nat statistics" - I haven't made it permanent yet, just verifying proof-of-concept. So this is what I see when I do the "show nat statistics" after I attempted to connect to the rdp gateway webpage and the gateway itself:

 

rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
4000  0           DST   eth3      -         WAN2 RDP 80
4001  0           DST   eth3      -         WAN2 RDP 443
6001  2698018     MASQ  -         eth2      MASQ corporate_network to WAN
6002  0           MASQ  -         eth2      MASQ remote_user_vpn_network to WAN
6003  5534        MASQ  -         eth2      MASQ guest_network to WAN
6004  27534       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
6006  0           MASQ  -         eth3      MASQ remote_user_vpn_network to WAN
6007  0           MASQ  -         eth3      MASQ guest_network to WAN
6008  0           MASQ  -         eth3      MASQ eth2 out other WAN

When I tried to add the rule with both ports it gave an error. Not a big deal and I'm not concerned with it at the moment. With the rules showing and it visible in the config, I still can't get to it. I've tried externally again and I get nothing. Is there some other step I'm missing?

 

Here's the outputs again:

 

nladmin@AME-GW-01# show service nat
 rule 4000 {
     description "WAN2 RDP 80"
     destination {
         address 11.11.11.11
         port 80
     }
     inbound-interface eth3
     inside-address {
         address 10.100.50.103
         port 80
     }
     protocol tcp
     type destination
 }
 rule 4001 {
     description "WAN2 RDP 443"
     destination {
         address 11.11.11.11
         port 443
     }
     inbound-interface eth3
     inside-address {
         address 10.100.50.103
         port 443
     }
     protocol tcp
     type destination
 }

The rule hasn't changed. 

 

Thanks again for the assistance - this project has been huge and I'm finally winding down the big stuff - this is one of the last pieces.

Ubiquiti Employee
Posts: 1,481
Registered: ‎02-28-2017
Kudos: 479
Solutions: 148

Re: USG WAN2 port forwarding

By the looks of "show nat statistics", the rule isn't being matched. I would tcpdump on eth3 (WAN2) to verify that whatever external client you're testing from is actually reaching this USG. You can do so by executing:
sudo tcpdump -npi eth3 port 80 or port 443

Also can you verify eth3 has internet access with:
sudo ping -I eth3 8.8.8.8
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
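The reading Brandon takes from the two "show nat statistics" snapshots (rules 4000/4001 stuck at 0 while the MASQ counters move) can be automated. Below is an added example for this thread, not Ubiquiti code: it parses two snapshots of that table and lists the destination-NAT rules on a given interface whose counters did not increment during the test, which is the signal that the packets never arrived on that interface and that tcpdump on WAN2 is the next check. The "before" table is a trimmed copy of the one posted above; the "after" table is constructed here with only the MASQ counters bumped.

```python
"""Compare two ``show nat statistics`` snapshots from a USG/EdgeOS router.

Added example for this thread, not Ubiquiti code. The sample tables are the
thread's output, trimmed, plus a constructed 'after' snapshot.
"""
import re
from typing import Dict, List, NamedTuple


class NatRule(NamedTuple):
    rule: int
    count: int
    kind: str         # "DST" = destination NAT (port forward), "MASQ" = masquerade
    inbound: str      # IN column: interface the rule matches on, "-" if none
    outbound: str     # OUT column
    description: str


# One data row: rule, count, type, IN, OUT, then the free-form description.
_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Trimmed copy of the snapshot posted in the thread.
SNAPSHOT_BEFORE = """\
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
4000  0           DST   eth3      -         WAN2 RDP 80
4001  0           DST   eth3      -         WAN2 RDP 443
6001  2698018     MASQ  -         eth2      MASQ corporate_network to WAN
6003  5534        MASQ  -         eth2      MASQ guest_network to WAN
6004  27534       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
"""

# Constructed: taken after an external test, MASQ counters advanced, DNAT still 0.
SNAPSHOT_AFTER = """\
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
4000  0           DST   eth3      -         WAN2 RDP 80
4001  0           DST   eth3      -         WAN2 RDP 443
6001  2699383     MASQ  -         eth2      MASQ corporate_network to WAN
6003  5534        MASQ  -         eth2      MASQ guest_network to WAN
6004  27538       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
"""


def parse_nat_statistics(text: str) -> Dict[int, NatRule]:
    """Turn the table text into a mapping of rule number -> NatRule."""
    rules: Dict[int, NatRule] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # header, separator, prompt or blank line
        rule, count, kind, inb, outb, desc = m.groups()
        rules[int(rule)] = NatRule(int(rule), int(count), kind, inb, outb, desc.strip())
    return rules


def counter_deltas(before: str, after: str) -> Dict[int, int]:
    """Per-rule counter increase between the two snapshots (rules in both)."""
    b, a = parse_nat_statistics(before), parse_nat_statistics(after)
    return {n: a[n].count - b[n].count for n in a if n in b}


def unmatched_port_forwards(before: str, after: str, interface: str) -> List[int]:
    """Destination-NAT rules on ``interface`` whose counter did not move.

    A zero delta while a client is actively connecting means the rule never
    matched: the packets are not arriving on that interface, so the next
    step is tcpdump on the interface rather than more NAT changes.
    """
    after_rules = parse_nat_statistics(after)
    deltas = counter_deltas(before, after)
    return sorted(
        n for n, r in after_rules.items()
        if r.kind == "DST" and r.inbound == interface and deltas.get(n, 0) == 0
    )


if __name__ == "__main__":
    for n, d in counter_deltas(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"rule {n}: +{d}")
    print("unmatched DST rules on eth3:",
          unmatched_port_forwards(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "eth3"))
```

Run it with the two snapshots pasted in place of the sample strings; a port forward that shows up in the unmatched list while the corresponding MASQ rule for the same WAN keeps counting is the situation the thread is in.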
New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

Sorry for the delay - our Vcenter decided it wanted to crash along with 3 other core services (it's been a great week so far).

 

I ran the ping command with eth3 and it can ping out just fine. With the tcpdump - I'm just getting a flashing cursor. Should I be seeing more than that? I haven't used that one before so I'm not sure what its expected output should be. However, I let that run while I attempted to access it remotely and it shows 0 packets captured/received/dropped when I Ctrl-C'd out of the command. So I'm assuming traffic isn't hitting it - which is weird because obviously it can access external addresses - so what would be preventing it from receiving?

New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

One thing I did notice was that the WAN2 was set for failover only so I changed that to load balancing - that doesn't appear to have any effect though.
Ubiquiti Employee
Posts: 1,481
Registered: ‎02-28-2017
Kudos: 479
Solutions: 148

Re: USG WAN2 port forwarding

Your assumption that traffic isn't reaching the interface is correct: if you don't see it on tcpdump, then the traffic isn't reaching the USG.

It can possibly either be filtered upstream, or something in the test is going wrong (wrong IP address, wrong tcpdump filter, etc.). Are you using a hostname to test? If so, use the exact IP on eth3 instead. Also can you name your step-by-step process in testing the port forward from the external client?
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

I was pinging with the IP not a dns entry as I didn't want the possibility of it going to the wrong location.

 

I do a couple of things. 

 

1.) I test the web page that the RDP gateway presents by just opening a browser and going to remote.domain.com - this fails

2.) I open up a remote desktop session, set the gateway parameters, then try to connect - this fails

Ubiquiti Employee
Posts: 1,481
Registered: ‎02-28-2017
Kudos: 479
Solutions: 148

Re: USG WAN2 port forwarding

The web page test should be sufficient; the remote desktop session wouldn't work unless it's operating over port 443/80. IIRC RDP works over TCP/UDP 3389 by default.

 

https://help.ubnt.com/hc/en-us/articles/235723207-UniFi-USG-Port-Forward-Port-Forwarding-Configurati...

from the article:

4. Traffic not reaching WAN 

If the traffic isn’t showing up on your USG WAN interface, something upstream of the USG is blocking it. Often this is a firewall or other packet filter of sorts built into your modem, or on some other upstream firewall or router. Refer to your modem’s manual to find out more about its configuration in that regard.

The other common circumstance is your ISP blocking the port you’re trying to use. Business class Internet service generally does not have any ports blocked, however, it’s relatively common for residential service to have the ports of common servers (25, 80, 443, etc.) blocked.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 11
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

Ok - I've been distracted with a few other projects and finally got to get back to this.

 

This isn't working and it's not an issue with the connectivity. Where I'm at, we have 4 ports to our WAN provider. I have one port going to WAN1, one going to WAN2, and then one goes to our ASA for VPN stuff and one goes to a completely segregated test network. When I switch the port from my known working test network over to WAN2 - I continue to get the exact same response. It's as though nothing is there.

 

I tried again today with the following:

 

set service nat rule 4000 destination address 1.1.1.2
set service nat rule 4000 destination port 80
set service nat rule 4000 inbound-interface eth3
set service nat rule 4000 inside-address address 10.100.50.103
set service nat rule 4000 inside-address port 80
set service nat rule 4000 protocol tcp
set service nat rule 4000 type destination

set service nat rule 4001 destination address 1.1.1.2
set service nat rule 4001 destination port 443
set service nat rule 4001 inbound-interface eth3
set service nat rule 4001 inside-address address 10.100.50.103
set service nat rule 4001 inside-address port 443
set service nat rule 4001 protocol tcp
set service nat rule 4001 type destination

In addition, I still have firewall rule 2000 within the WAN IN section for IPv4 that accepts all packets from any to the internal IP I'm targeting.

 

Any other thoughts?

Ubiquiti Employee
Posts: 1,481
Registered: ‎02-28-2017
Kudos: 479
Solutions: 148

Re: USG WAN2 port forwarding

You'll want to run the tcpdump again and show me screenshots of the entire command with your filter and everything that shows under it when you're attempting to test this forward. I just want to make sure the tests and the syntax are all proper.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX