When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network. To work around this, Port Forwards can be set up to allow external users to connect to a specific port, or range of ports on the external interface of the console server/cellular router , and have the console server/cellular router redirect the data to a specified internal address and port range.
To setup a port forward:
- Navigate to the System: Firewall page, and click on the Port Forwarding tab
- Click Add New Port Forward
- Fill in the following fields:
- Name: Name for the port forward. This should describe the target and the service that the port forward is used to access
- Input Interface: This allows the user to only forward the port from a specific interface. In most cases, this should be left as "Any"
- Source Address: This allows the user to restrict access to a port forward to a specific address. In most cases, this should be left blank
- Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward. These ports need not be the same as the output port range.
- Protocol: The protocol of the data being forwarded. The options are TCP or UDP Output Address: The target of the portforward. This is an address on the internal network where packets sent to the Input Interface on the input port range are sent.
- Output Port Range: The port or ports that the packets will be redirected to on the Output Address.
- Navigate to the System: Firewall page, and click on the Forwarding & Masquerading tab
- Enable IP Masquerading (SNAT) on the Output Address Interface. Eg if 192.168.10.2 is within the Management LAN Interface then this check box is enabled on the IP Masquerading (SNAT) section.
For example, to forward port 8443 to an internal HTTPS server on 192.168.10.2, the following settings would be used:
Input Interface: Any
Input Port Range: 8443
Output Address: 192.168.10.2
Output Port Range: 443