New Member
Posts: 7
Registered: ‎11-12-2018

USG WAN2 port forwarding

Quick background - I'm setting up our UniFi gateway. WAN 1 and LAN 1 are all good - our VLANs are all working and everything seems happy minus some cleanup.

What I'm trying to do - forward port 443 and 80 for a Microsoft RDP gateway from WAN2 to our RDP gateway server.

I found this guide and did exactly what it stated to do in order to set this up. I created the rule within the controller and I've created the following within the ssh session:

rule 4000 {
    description "WAN2 tcp http RDP"
    destination {
        address 11.11.11.11
        port 80
    }
    inbound-interface eth3
    inside-address {
        address 10.100.50.103
        port 80
    }
    protocol tcp
    type destination
}
rule 4001 {
    description "WAN2 tcp https RDP"
    destination {
        address 11.11.11.11
        port 443
    }
    inbound-interface eth3
    inside-address {
        address 10.100.50.103
        port 443
    }
    protocol tcp
    type destination
}

Obviously I changed the external IPs.

However that doesn't appear to be working. When I check internally, I can access the gateway just fine, but that doesn't appear to be forwarding it to the destination. Am I missing an additional step not noted?

Ubiquiti Employee
Posts: 1,383
Registered: ‎02-28-2017
Kudos: 463
Solutions: 138

Re: USG WAN2 port forwarding

You can combine this into one rule by comma separating the destination port to 80,443 and taking away the "inside-address port" node.

For example:

rule 4000 {
    description "WAN2 tcp http(s) RDP"
    destination {
        address 11.11.11.11
        port 80,443
    }
    inbound-interface eth3
    inside-address {
        address 10.100.50.103
    }
    protocol tcp
    type destination
}

Have you tested this from an external client? You said you checked internally, yet I'm guessing eth3 is your WAN2 interface, and when you check internally, the inbound-interface will not be eth3. What you're describing is hairpin NAT. Another rule is needed for that with the inbound-interface matching the ethernet interface of your source client (for example if you're testing from internal vlan 50 on LAN1, the inbound interface would be eth0.50). You could just change "eth3" to "eth+" and it will listen on all interfaces so you don't have to make extra rules.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 7
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

Thanks for the info - I'll get that updated once I get this sorted out.

Yep I did try externally - sorry meant to include that. So, internally it works just fine, externally is where I've got the issue. I'm getting an HTTP ERROR 403 when I try and get it externally.

New Member
Posts: 7
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

Any other thoughts?

Ubiquiti Employee
Posts: 1,383
Registered: ‎02-28-2017
Kudos: 463
Solutions: 138

Re: USG WAN2 port forwarding

When you test externally, SSH to the USG and type:
show nat statistics

See if your rule's byte/packet counter is incrementing. Also, can I see the details of the firewall rule(s) you added? It should be on WAN_IN.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 7
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

OK, I did the show nat statistics before:

rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
6001  1223957     MASQ  -         eth2      MASQ corporate_network to WAN
6002  0           MASQ  -         eth2      MASQ remote_user_vpn_network to WAN
6003  0           MASQ  -         eth2      MASQ guest_network to WAN
6004  15108       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
6006  0           MASQ  -         eth3      MASQ remote_user_vpn_network to WAN
6007  0           MASQ  -         eth3      MASQ guest_network to WAN
6008  0           MASQ  -         eth3      MASQ eth2 out other WAN

And then after I tried to connect via the web interface for that domain and this is the output of the show nat statistics:

rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
6001  1225382     MASQ  -         eth2      MASQ corporate_network to WAN
6002  0           MASQ  -         eth2      MASQ remote_user_vpn_network to WAN
6003  0           MASQ  -         eth2      MASQ guest_network to WAN
6004  15112       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
6006  0           MASQ  -         eth3      MASQ remote_user_vpn_network to WAN
6007  0           MASQ  -         eth3      MASQ guest_network to WAN
6008  0           MASQ  -         eth3      MASQ eth2 out other WAN

Both increased but I'm assuming I should be seeing something on the eth3 port and there's nothing there.

In addition, I've attached a screenshot of the firewall rule that's been entered via the GUI.

2019-04-15 - Unifi - 01.JPG
Ubiquiti Employee
Posts: 1,383
Registered: ‎02-28-2017
Kudos: 463
Solutions: 138

Re: USG WAN2 port forwarding

Your custom rule 4000 isn't present in the output of "show nat statistics", which means you've reprovisioned or rebooted the USG since creating that rule. Note that custom changes via the CLI aren't persistent without a config.gateway.json file. You'll want to enter those commands in the CLI once more and test this out. If you can confirm it's working, then you can build the config.gateway.json using the article I've hyperlinked above.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
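Once a rule has been verified from the CLI it has to be carried into config.gateway.json to survive the next provision. The converter below is an added example (not from this thread or from Ubiquiti) that parses a "show service nat" style block, like the one posted above, into the nested tree that file uses; the sample text is a constructed copy of rule 4000 with the poster's placeholder external address and the combined form without the inside-address port.

```python
import shlex

# Constructed sample modelled on the "show service nat" output in the thread
# (11.11.11.11 is the poster's placeholder for the real WAN2 address).
SAMPLE = """\
rule 4000 {
    description "WAN2 RDP 80"
    destination {
        address 11.11.11.11
        port 80
    }
    inbound-interface eth3
    inside-address {
        address 10.100.50.103
    }
    protocol tcp
    type destination
}
"""

def parse_edgeos(text):
    """Parse an EdgeOS brace config into nested dicts (key value / key { / key name {)."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":                      # close the current node
            node = stack.pop()
            continue
        if line.endswith("{"):               # open a child node
            parts = shlex.split(line[:-1])
            child = node.setdefault(parts[0], {})
            if len(parts) == 2:              # e.g. "rule 4000 {" -> rule -> 4000
                child = child.setdefault(parts[1], {})
            stack.append(node)
            node = child
            continue
        key, value = shlex.split(line)       # leaf; shlex strips the quotes
        node[key] = value
    if stack:
        raise ValueError("unbalanced braces in config block")
    return root

def to_gateway_json(nat_rules_text):
    """Return the config.gateway.json tree for the parsed NAT rules."""
    return {"service": {"nat": {"rule": parse_edgeos(nat_rules_text)["rule"]}}}
```

json.dumps(to_gateway_json(SAMPLE), indent=4) gives the file contents; a matching WAN_IN firewall rule still has to be added under "firewall" in the same tree.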
New Member
Posts: 7
Registered: ‎11-12-2018

Re: USG WAN2 port forwarding

OK - I got the rule added again and I can see it when I do "show nat statistics" - I haven't made it permanent yet, just verifying proof-of-concept. So this is what I see when I do the "show nat statistics" after I attempted to connect to the RDP gateway webpage and the gateway itself:

rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
4000  0           DST   eth3      -         WAN2 RDP 80
4001  0           DST   eth3      -         WAN2 RDP 443
6001  2698018     MASQ  -         eth2      MASQ corporate_network to WAN
6002  0           MASQ  -         eth2      MASQ remote_user_vpn_network to WAN
6003  5534        MASQ  -         eth2      MASQ guest_network to WAN
6004  27534       MASQ  -         eth2      MASQ eth3 out other WAN
6005  0           MASQ  -         eth3      MASQ corporate_network to WAN
6006  0           MASQ  -         eth3      MASQ remote_user_vpn_network to WAN
6007  0           MASQ  -         eth3      MASQ guest_network to WAN
6008  0           MASQ  -         eth3      MASQ eth2 out other WAN

When I tried to add the rule with both ports it gave an error. Not a big deal and I'm not concerned with it at the moment. With the rules showing and it visible in the config, I still can't get to it. I've tried externally again and I get nothing. Is there some other step I'm missing?

Here are the outputs again:

nladmin@AME-GW-01# show service nat
 rule 4000 {
     description "WAN2 RDP 80"
     destination {
         address 11.11.11.11
         port 80
     }
     inbound-interface eth3
     inside-address {
         address 10.100.50.103
         port 80
     }
     protocol tcp
     type destination
 }
 rule 4001 {
     description "WAN2 RDP 443"
     destination {
         address 11.11.11.11
         port 443
     }
     inbound-interface eth3
     inside-address {
         address 10.100.50.103
         port 443
     }
     protocol tcp
     type destination
 }

The rule hasn't changed.

Thanks again for the assistance - this project has been huge and I'm finally winding down the big stuff - this is one of the last pieces.
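The check suggested earlier, comparing the rule counters from "show nat statistics" before and after an external test, can be scripted. The snippet below is an added example, not from this thread or from Ubiquiti; the two snapshots are constructed from the rows posted above, with the MASQ counters bumped to stand in for the second reading.

```python
# Constructed snapshots shaped like the "show nat statistics" output in the
# thread: the DST rules on eth3 stay at 0 while the MASQ rules on eth2 move.
BEFORE = """\
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
4000  0           DST   eth3      -         WAN2 RDP 80
4001  0           DST   eth3      -         WAN2 RDP 443
6001  2698018     MASQ  -         eth2      MASQ corporate_network to WAN
6004  27534       MASQ  -         eth2      MASQ eth3 out other WAN
"""
AFTER = """\
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
4000  0           DST   eth3      -         WAN2 RDP 80
4001  0           DST   eth3      -         WAN2 RDP 443
6001  2698500     MASQ  -         eth2      MASQ corporate_network to WAN
6004  27540       MASQ  -         eth2      MASQ eth3 out other WAN
"""

def parse_nat_stats(text):
    """Return {rule_number: row} from the table; descriptions may contain spaces."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or not parts[0].isdigit():   # skip header and separator
            continue
        rule, count, kind, in_if, out_if, desc = parts
        rows[int(rule)] = {"count": int(count), "type": kind,
                           "in": in_if, "out": out_if, "desc": desc}
    return rows

def counter_deltas(before, after):
    """Change in each rule's count column between the two snapshots."""
    b, a = parse_nat_stats(before), parse_nat_stats(after)
    return {r: a[r]["count"] - b[r]["count"] for r in a if r in b}

def unmatched_forwards(before, after, iface):
    """DST rules bound to iface whose counter did not move during the test.

    A zero delta means the test traffic never hit the rule, so the next step
    is a capture on that interface rather than another NAT change.
    """
    deltas = counter_deltas(before, after)
    rows = parse_nat_stats(after)
    return sorted(r for r, d in deltas.items()
                  if d == 0 and rows[r]["type"] == "DST" and rows[r]["in"] == iface)
```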

Ubiquiti Employee
Posts: 1,383
Registered: ‎02-28-2017
Kudos: 463
Solutions: 138

Re: USG WAN2 port forwarding

By the looks of "show nat statistics", the rule isn't being matched. I would tcpdump on eth3(wan2) to verify whatever external client you're testing is actually reaching this USG. You can do so by executing:
sudo tcpdump -npi eth3 port 80 or port 443

Also can you verify eth3 has internet access with:
sudo ping -I eth3 8.8.8.8
Brandon Jaffe | UniFi Routing & Switching | Austin, TX