
Port forwarding / NAT

The Port forwarding / NAT module is composed of three tabs: Port forwarding / DNAT, Source NAT, and Incoming routed traffic. Its purpose is to manage all the traffic that flows through the uplink, from the RED zone to the Endian UTM Appliance, and the NAT-ed traffic, both incoming and outgoing.

Port forwarding / Destination NAT

Destination NAT is usually employed to limit network accesses from an untrusted network or to redirect the traffic coming from the untrusted network and directed to a given port or address-port combination. It is possible to define which port on which interface should be forwarded to which host and port.

The list of the configured rules shows several pieces of information: the ID (#), showing the order in which the rules are matched against the traffic, the Incoming IP address, the service (i.e., port and protocol) to which the traffic is directed, the Policy applied to the traffic, the Translate to address (i.e., the host and port to which the traffic is redirected), a custom Remark, and the available Actions.

When editing a rule, the same form opens as when adding a new rule by clicking on Add a new Port forwarding / Destination NAT rule. A link on the top right of the form allows you to choose between a Simple mode and an Advanced mode. The latter mode also allows fine-tuning of the Access from, the policy, and the type of Translate to.

Besides the common options, these other settings can be configured:

Translate to

This part of the form changes depending on the currently active editing mode, simple or advanced. If the mode is set to advanced, besides adding Access from sub-rules, there is an additional Type drop-down menu that allows choosing among different types of translation.

  1. IP: the first type, and the only one available in simple mode. Here the destination IP address, the port or port range to forward to, and whether NAT should be applied to the incoming packets are specified.

  2. OpenVPN User: choose one OpenVPN user as the destination target for the traffic.

  3. Load Balancing: specify a range of IP addresses to which traffic will be split, to avoid bottlenecks or the overloading of a single IP.

  4. Map the network: insert a sub-network to which the incoming traffic is translated.

    Note

    The Map network translation statically maps a whole network of addresses onto another network of addresses, one to one. This can be useful for companies whose subsidiaries all use the same internal network: in this case all these networks can still be connected to each other through network mapping, because each one is reached through a distinct mapped network.

    An example would be:

    original network 1: 192.168.0.0/24
    mapped   network 1: 192.168.1.0/24
    original network 2: 192.168.0.0/24
    mapped   network 2: 192.168.2.0/24
    
  5. L2TP User: choose one L2TP user as the destination target for the traffic.

    Except when selecting the Map the network option, it is always possible to define the port or port range to which the traffic should be sent, and whether NAT should be applied to the traffic. If Do not NAT is chosen, it is not allowed to define a Filter policy under Access From (advanced mode).

    Warning

    When selecting IP, OpenVPN User, L2TP User or Load balancing, keep in mind that port ranges will not be mapped 1 to 1; rather, round-robin balancing is performed. For example, mapping incoming ports 137:139 to destination ports 137:139 will result in these ports being used randomly: the incoming traffic to port 138 can unpredictably be redirected to either 137, 138, or 139. Leave the translation Port/Range field empty to avoid such occurrences!
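The one-to-one Map network translation described in the note above, as an added example that is not Endian's own code: the standard ipaddress module is used to preserve the host bits while swapping the network part, and the constructed rule table follows the note's case of two subsidiaries that both use 192.168.0.0/24 internally. The site names and the helper functions are assumptions for illustration.

```python
import ipaddress

def map_address(addr, src_net, dst_net):
    """Translate addr from src_net into dst_net, keeping the host bits.
    Both networks need the same prefix length, otherwise the mapping is
    not one-to-one."""
    addr = ipaddress.ip_address(addr)
    src_net = ipaddress.ip_network(src_net)
    dst_net = ipaddress.ip_network(dst_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("original and mapped networks must have the same prefix length")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + host_bits))

# Constructed rule table following the note above: two subsidiaries both use
# 192.168.0.0/24 internally, so headquarters reaches each one through its own
# mapped network. Entries are (site, original network, mapped network).
MAP_RULES = [
    ("subsidiary-1", "192.168.0.0/24", "192.168.1.0/24"),
    ("subsidiary-2", "192.168.0.0/24", "192.168.2.0/24"),
]

def to_subsidiary(dst):
    """Headquarters -> subsidiary: a packet for a mapped address is rewritten
    to the real address at that site. Returns (site, real address)."""
    for site, original, mapped in MAP_RULES:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(mapped):
            return site, map_address(dst, mapped, original)
    raise LookupError(f"no Map network rule covers {dst}")

def from_subsidiary(site, src):
    """Subsidiary -> headquarters: the reply's real source is rewritten back
    into that site's mapped network, so the overlapping sites stay distinct."""
    for rule_site, original, mapped in MAP_RULES:
        if rule_site == site:
            return map_address(src, original, mapped)
    raise LookupError(f"unknown site {site}")
```

The prefix-length check matters in practice: mapping a /24 onto a /16 would leave most mapped addresses without a counterpart, which is why the appliance maps whole networks of equal size.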

Troubleshooting port-forwarding.

There are mainly two reasons why port-forwarding may not work.

  1. The Endian UTM Appliance is behind a NAT device.

    In this case there is a device, such as a router or another firewall, between the Endian UTM Appliance and the Internet, which disallows direct incoming connections. The solution is to configure a port forwarding on that device as well, pointing to the RED IP of the Endian UTM Appliance, if this is possible.

  2. The destination server has a wrong default gateway.

    The server set as the destination of a port-forwarding rule is configured with a wrong default gateway or none at all. Connections will reach the target IP address, but because of the wrong default gateway the reply packets will not be routed back through the Endian UTM Appliance. The solution is to correct the server's gateway.

Source NAT

On this page, rules that apply SNAT to outgoing connections can be defined. The list of already defined rules is also displayed; for each rule the source and destination IP addresses, the service, the NAT status, a custom description of the rule, and the available actions are shown.

Source NAT can be useful if a server behind the Endian UTM Appliance has its own external IP and the outgoing packets should therefore not use the RED IP address of the firewall, but that of the server. To add a new rule, click on Add a new source NAT rule and proceed as in the case of adding a port forwarding rule. Besides the common options, only one other setting can be configured:

NAT
Select to either apply NAT, No NAT, or Map Network. The choice to use SNAT allows the selection of the IP address that should be used among those presented in the drop-down menu. The Auto entries will automatically choose the IP address corresponding to the outgoing interface.

SNAT and an SMTP server in the orange zone.

In certain cases it is preferable to explicitly declare that no Source NAT be performed. An example would be an SMTP server in the DMZ, configured with an external IP, but whose outgoing connections should have the RED IP as the source. Configuring an SMTP server running on the IP 123.123.123.123 (assuming that 123.123.123.123 is an additional IP address of the uplink) in the DMZ with Source NAT can be done as follows:

  1. Configure the ORANGE zone with any subnet (e.g., 192.168.100.0).
  2. Set up the SMTP server to listen on port 25 on an IP in the ORANGE zone (e.g., 192.168.100.13).
  3. In the Menubar ‣ Network ‣ Interfaces section, add a static Ethernet uplink with IP 123.123.123.123 to the Endian UTM Appliance.
  4. Add a source NAT rule and specify the ORANGE IP of the SMTP server as source address. Be sure to use NAT and set the NAT-ed source IP address to 123.123.123.123.
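How the NAT setting of a Source NAT rule (NAT with an explicit address, Auto, or No NAT) decides the source address an outgoing packet leaves with, as an added example that is not Endian's own code. The uplink table, the rule order and the fallback behaviour when no rule matches (masquerading to the outgoing uplink's address) are assumptions; the SMTP server address and the additional uplink IP follow the procedure above.

```python
import ipaddress

# Constructed uplink table for this example: (name, interface address, network).
# The second entry is the additional uplink IP from the SMTP example above.
UPLINKS = [
    ("uplink-main", "203.0.113.10", "203.0.113.0/24"),
    ("uplink-smtp", "123.123.123.123", "123.123.123.0/24"),
]

# Constructed Source NAT rules, checked in order; the first match wins.
# "nat" is one of "NAT" (use to_ip), "Auto" (address of the outgoing uplink)
# or "No NAT" (source address left untouched).
SNAT_RULES = [
    {"source": "192.168.100.13/32", "nat": "NAT", "to_ip": "123.123.123.123"},
    {"source": "192.168.100.0/24", "nat": "No NAT", "to_ip": None},
    {"source": "192.168.0.0/24", "nat": "Auto", "to_ip": None},
]

def outgoing_uplink(dst):
    """Return (name, address) of the uplink used to reach dst: the directly
    connected network with the longest prefix, else the first uplink as the
    assumed default route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, addr, net in UPLINKS:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[2]):
            best = (name, addr, net.prefixlen)
    if best is None:
        return UPLINKS[0][0], UPLINKS[0][1]
    return best[0], best[1]

def snat_source(src, dst):
    """Return (source address after SNAT, reason) for a packet src -> dst."""
    src_addr = ipaddress.ip_address(src)
    for rule in SNAT_RULES:
        if src_addr not in ipaddress.ip_network(rule["source"]):
            continue
        if rule["nat"] == "No NAT":
            return src, "No NAT"
        if rule["nat"] == "NAT":
            return rule["to_ip"], "NAT"
        name, addr = outgoing_uplink(dst)
        return addr, f"Auto via {name}"
    # Assumed default when no rule matches: masquerade to the outgoing uplink.
    name, addr = outgoing_uplink(dst)
    return addr, f"default masquerade via {name}"
```

Rule order is the point to check when a server still leaves with the wrong address: the /32 rule for the SMTP host must precede the broader /24 No NAT rule, or it never matches.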

See also

Tutorials to define DNAT (Basic Setup), DNAT (Advanced Setup), and SNAT (Basic Setup) rules.

Incoming routed traffic

This tab allows redirecting traffic that has been routed through the Endian UTM Appliance. This is very useful when there is more than one external IP address and some of them should be used in the DMZ without the need for NAT. The fields shown for every rule in the list are the traffic source and destination, the service, the policy to apply, a remark, and the available actions.

No other setting can be configured besides the common options.