EdgeRouter - Destination NAT
Overview
Readers will learn how to forward UDP and TCP ports to an internal server using Destination NAT.
Frequently Asked Questions (FAQ)
1. What is the difference between Destination NAT and Port Forwarding?
Destination NAT and Port Forwarding serve the same purpose and can both be used to forward ports to an internal host behind NAT.
2. Do I need to manually add firewall entries for the Destination NAT rules?
Yes, see the steps below.
3. Do I need to manually configure Hairpin NAT?
Yes, see the Hairpin NAT article.
4. Can I also configure Source NAT?
Yes, see the Source NAT and Masquerade article.
Adding Destination NAT Rules
HTTPS traffic from external clients to TCP ports 443 and 10443 will be forwarded to the UNMS server.
Follow the steps below to add the Destination NAT and firewall rules to the EdgeRouter:
1. Add a Destination NAT rule for TCP port 443, referencing the primary WAN IP address.
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: https443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443
2. Add a Destination NAT rule for TCP port 10443, referencing the secondary WAN IP address.
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: https10443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.2
Destination Port: 10443
3. Add a firewall rule that allows the HTTPS traffic to reach the UNMS server.
Firewall / NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule
Description: https
Action: Accept
Protocol: TCP
Destination > Port: 443
Destination > Address: 192.168.1.10
The above configuration can also be set using the CLI:
configure
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description https
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 destination address 192.168.1.10
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp
set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
set service nat rule 2 description https10443
set service nat rule 2 destination address 203.0.113.2
set service nat rule 2 destination port 10443
set service nat rule 2 inbound-interface eth0
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
commit ; save
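The WAN_IN rule matches 192.168.1.10 port 443 rather than the public addresses and port 10443 because the firewall ruleset is evaluated after Destination NAT has rewritten the packet. The Python check below is an added example, not part of the original article or of Ubiquiti's tooling: it reads `set` commands like the ones above (a constructed, trimmed copy) and reports Destination NAT rules whose translated target has no matching accept rule. It assumes literal addresses and ports (no groups or ranges), and the function names are hypothetical.

```python
import re

# Constructed sample: the article's CLI configuration, trimmed to the fields being matched.
CONFIG = """\
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 destination address 192.168.1.10
set firewall name WAN_IN rule 21 protocol tcp
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
set service nat rule 2 destination address 203.0.113.2
set service nat rule 2 destination port 10443
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
"""

def parse_rules(config, prefix):
    """Collect 'set <prefix> rule N <key...> <value>' lines into {N: {key: value}}."""
    rules = {}
    pattern = re.compile(r"^set " + re.escape(prefix) + r" rule (\d+) (.+) (\S+)$")
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m:
            rules.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return rules

def uncovered_dnat_rules(config, ruleset="WAN_IN"):
    """Return DNAT rule numbers with no accept rule for their translated target."""
    fw = parse_rules(config, "firewall name " + ruleset)
    nat = parse_rules(config, "service nat")
    missing = []
    for num, r in sorted(nat.items()):
        if r.get("type") != "destination":
            continue
        # The firewall sees the post-NAT (inside) address and port, not the public ones.
        target = (r.get("protocol"), r.get("inside-address address"), r.get("inside-address port"))
        allowed = any(
            f.get("action") == "accept"
            and (f.get("protocol"), f.get("destination address"), f.get("destination port")) == target
            for f in fw.values()
        )
        if not allowed:
            missing.append(num)
    return missing
```

An empty list means every Destination NAT rule is covered; a firewall rule written against the public port 10443 or a public address would leave the corresponding NAT rules listed as uncovered.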
Related Articles
EdgeRouter - Source NAT and Masquerade
EdgeRouter - Packets Processing
Intro to Networking - How to Establish a Connection Using SSH