Port forwarding

Best Practice: Configuration of port forwarding

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Resellerpreview

11.2022 11.8

Purpose of use

Objective: To make an internal server accessible from the Internet.

Port forwarding

Most companies do not have a subnet with external IPs available. All computers are in a private network and hide behind the IP of the router.

Port forwarding is used to redirect requests on certain ports directed to the public IP of the router to the internal server on another port, so that it can be reached from the Internet.

In this example, a web server with the internal IP 192.168.175.111 is to be accessible from the public network.
Public IP is 192.0.2.192/32

The creation of network objects and services must of course only take place if they do not yet exist on the firewall in the form described here!

Configuration of the appliance

Create network object

For port forwarding, the server must first be created as a network object.

Menu → Firewall →Network Objects Button Add object
The input mask "Add network object" appears.

Caption	Value	Description	Adding network objects UTMuser@firewall.name.fqdnFirewallNetwork objects Create network object
Name:	Server	Name for the network object
Type:	Host	The packages are nattened to the destination
Address:	192.168.175.111/---	The IP address to which the forwarding should be made (in our example: of the web server).
Zone:	internal	Select "internal" as zone
Group:		Assign to a network group (can be left blank).
Save and close		Saves the network object and closes the dialog

Create service

If the port used to access the external IP from the outside, and which is forwarded internally to the server on another port, has not yet been configured as a service, it must now be created.

Menu Firewall Services Button Add object

The input mask "Add service" appears.

Caption	Value	Description	Add Service Object UTMuser@firewall.name.fqdnFirewallServices Create service
Name:	extern-https	Enter a name for the service
Protocol:	tcp	Choose protocol
Protocol type:		Not required for "tcp" protocol
Target port type:	Single port Port range	Select single port or port range
Target port:	4443	Port or port range on the target computer
Source port type:	All Single port Port range	Specifying the source port is only useful in cases where the source port can be predicted (e.g. ftp).
Save and close		Saves the service object and closes the dialog

Create firewall rules

A firewall rule with "Destination NAT" must be created so that external users can now also access the server. Rule can be created under Firewall Packetfilter Button Add rule. Based on the example, the rule should look like this: General			Add rule UTMuser@firewall.name.fqdnFirewallPacketfilter Port forwarding
Source	internet	Access from the internet
Target	Server	Network object for the target server
Service	https	Service with which the port is to be addressed on the target computer
Action	ACCEPT	Accept the data packages
[-] Nat
Type	DESTNAT	The packages are nattened to the destination
Network object	external-interface	Network object for the interface that is to perform the NAT
Service	extern-https	Service with which the port is accessed from the Internet (externally)
Save and close		After new creation (like in this example)
Speichern Save		After change
Update rules		For the changes to take effect

The packetfilter rule will look like below.
After the last configuration step is completed, the port forwarding is active.

		#	Source	Target	Service	NAT	Action	Active
		4	internet	server	https	DN	Accept	On