modified on 27 March 2014 at 21:02

EdgeMAX PortForward

From Ubiquiti Wiki


Note: this article describes the "traditional" way of setting up forwarding using destination NAT and firewall. As of version 1.4.0 there is a port-forward wizard in the GUI that greatly simplifies basic port-forward. The wizard only handles the primary address on 1 WAN interface, so if you're doing something more complicated than that, you'll still need the "traditional" way.


This article is an example of port forwarding so that a host on the Internet can reach a server on your private network. We want to be able to ssh on port 2222 from host H1 on the Internet and land on port 22 of server A. Because server A is on a private network we'll need to create a port forwarding (or destination NAT) rule.


Network Diagram

In this example we'll be using the following addresses:

  1. WAN eth0 203.0.113.1/24
  2. LAN eth1 192.0.2.1/24
  3. Server A 192.0.2.15/24
[Figure: Network Diagram]

We'll assume there's already a masquerade rule in place so that the hosts on the LAN can communicate with hosts on the Internet. That rule would look like:

[Figure: NAT Masquerade Rule]

Port Forward

Now for the port forwarding rule we'll click on Add Destination NAT Rule. For the destination address we'll use the public address of the router (203.0.113.1) with port 2222, and for the translation we'll use the private address of server A (192.0.2.15) with port 22. Note: I also enabled logging so that I have a record of every outside address that connects by ssh to server A.

[Figure: Port Forwarding Rule]
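The same masquerade and destination NAT rules entered from the EdgeOS configure-mode CLI instead of the GUI, as an added example that is not part of the original article. The addresses, ports and interfaces are the ones from the network diagram; the rule numbers (5000 for the masquerade, 1 for the port forward) and the description strings are my own choices.

```text
configure

# Source NAT (masquerade): LAN hosts leave eth0 using the router's public address.
# Rule 5000 is a constructed number; the EdgeOS GUI reserves 5000 and up for source NAT.
set service nat rule 5000 type masquerade
set service nat rule 5000 description "masquerade for WAN"
set service nat rule 5000 outbound-interface eth0

# Destination NAT (port forward): 203.0.113.1:2222 arriving on eth0 -> 192.0.2.15:22.
# Match only tcp and the single public port so nothing else on server A is exposed.
set service nat rule 1 type destination
set service nat rule 1 description "ssh to server A"
set service nat rule 1 inbound-interface eth0
set service nat rule 1 protocol tcp
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 2222
set service nat rule 1 inside-address address 192.0.2.15
set service nat rule 1 inside-address port 22
# Log each matched connection; this produces the [NAT-1-DNAT] kernel messages
# that the Testing section of this article quotes.
set service nat rule 1 log enable

commit
save
exit

# Back in operational mode, confirm both rules are active.
show nat rules
```

Rule numbers decide evaluation order within the NAT chain, so keep the destination rule's number below any other destination rule that could match the same traffic. Pinning the rule to `inbound-interface eth0` and to the router's own public address avoids forwarding traffic that arrives on the LAN side or is addressed to a different IP on the WAN.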

Testing

For this lab test my host H1 and server A also happen to be EdgeRouter LITEs:

ubnt@H1:~$ ssh -p 2222 ubnt@203.0.113.1 
 Welcome to EdgeOS

 By logging in, accessing, or using the Ubiquiti product, you
 acknowledge that you have read and understood the Ubiquiti
 License Agreement (available in the Web UI at, by default,
 http://192.168.1.1) and agree to be bound by its terms.

 ubnt@203.0.113.1's password: 
 Linux R2 2.6.32.13-UBNT #1 SMP Thu Jan 10 11:58:06 PST 2013 mips64
 Welcome to EdgeOS
 Last login: Mon Jan 14 15:44:00 2013 from 203.0.113.100
 ubnt@server-A:~$ 

On the router R1 we can verify that the port forwarding worked by using "show nat translations" which will show the active translations:

ubnt@R1:~$ show nat translations 
 Pre-NAT              Post-NAT             Type  Prot  Timeout 
 203.0.113.1:2222     192.0.2.15:22        dnat  tcp   115     


ubnt@R1:~$ show nat translations detail 
 Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst      
 203.0.113.100:33718  203.0.113.1:2222   203.0.113.100:33718  192.0.2.15:22     
   tcp: dnat: 203.0.113.1:2222 ==> 192.0.2.15:22  timeout: 109 use: 2 

Since I enabled logging on this NAT rule, I can also use "show log" to look for the message:

Jan 14 16:35:00 R1 kernel: [NAT-1-DNAT] IN=eth0 OUT= MAC=dc:9f:db:17:13:8c:dc:9f:db:17:13:74:08:00 SRC=203.0.113.100 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24457 DF PROTO=TCP SPT=33718 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0 

Firewall

Destination NAT and firewall can be a bit confusing, so in my opinion it's easier to debug NAT and the firewall separately. For the example above I had temporarily disabled my firewall (this is fine in a lab setting, but you wouldn't do that on a production router). Now I'll re-enable my basic firewall, which looks like:

ubnt@R1# show firewall 
name WAN_IN {
    default-action drop
    description "Internet forwarded packets"
    enable-default-log
    rule 1 {
        action accept
        description "allow established"
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
    rule 2 {
        action drop
        description "drop invalid"
        log enable
        protocol all
        state {
            established disable
            invalid enable
            new disable
            related disable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    description "Internet forwarded packets"
    enable-default-log
    rule 1 {
        action accept
        description "allow establishedd"
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
    rule 2 {
        action drop
        description "drop invalid"
        log enable
        protocol all
        state {
            established disable
            invalid enable
            new disable
            related disable
        }
    }
}
ubnt@R1# show interfaces ethernet eth0 
address 203.0.113.1/24
description Internet
firewall {
    in {
        name WAN_IN
    }
    local {
        name WAN_LOCAL
    }
}
[edit]

Testing Firewall

Since I have enable-default-log on my WAN_IN rule set, I'll just try the ssh again and see what gets dropped.

First I see the logging of the NAT translation:

Jan 14 16:53:48 R1 kernel: [NAT-1-DNAT] IN=eth0 OUT= MAC=dc:9f:db:17:13:8c:dc:9f:db:17:13:74:08:00 SRC=203.0.113.100 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17132 DF PROTO=TCP SPT=49150 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0 

Right below that I see the following log for a drop by the WAN_IN default action:

Jan 14 16:53:48 R1 kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 SRC=203.0.113.100 DST=192.0.2.15 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17132 DF PROTO=TCP SPT=49150 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

This is one of the most common firewall mistakes with destination NAT: the translation happens before the WAN_IN firewall rules are evaluated, so your rule needs to match the translated destination 192.0.2.15:22 rather than the public 203.0.113.1:2222. The drop message above shows exactly that (DST=192.0.2.15 DPT=22). We can also see this from the feature ordering chart at EdgeOS Feature Ordering.


So let's add our firewall rule to allow 192.0.2.15 tcp port 22:

[Figure: Firewall Rule]
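The same WAN_IN rule 3 entered from the configure-mode CLI, followed by the operational-mode command that shows the per-rule counters the Stats tab displays. This is an added example and not part of the original article; the rule number 3 and the description string are my own choices, everything else comes from the article's configuration and diagram.

```text
configure

# WAN_IN sees the packet after DNAT, so match the translated (inside) address and port.
# A rule matching 203.0.113.1:2222 here would never hit, which is the mistake described above.
set firewall name WAN_IN rule 3 action accept
set firewall name WAN_IN rule 3 description "allow ssh to server A"
set firewall name WAN_IN rule 3 protocol tcp
set firewall name WAN_IN rule 3 destination address 192.0.2.15
set firewall name WAN_IN rule 3 destination port 22
# Optional: log the accepted connections as well, so each outside client also appears
# in the firewall log (the DNAT rule's log already records the pre-translation packet).
set firewall name WAN_IN rule 3 log enable

commit
save
exit

# Operational mode: the packet and byte counters for rule 3 increase with each new ssh
# session, which is the CLI equivalent of the Stats tab in the GUI.
show firewall name WAN_IN statistics
```

Because rules are evaluated in numeric order, rule 3 sits after rule 1 (accept established/related) and rule 2 (drop invalid), so only the first SYN of each session is matched by rule 3 and the rest of the session is handled by rule 1. Keeping the rule limited to tcp, the single inside address and port 22 means the exception in WAN_IN is exactly as wide as the forward itself.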


Now we try it again and it works. If we look at the Stats tab on the firewall, we can see that rule 3 has been hit.

[Figure: Firewall Stats]



To see the full configuration for router R1, see Port Forwarding Example.