
How to port forward? New to this.

I am helping an office set up a port forward on a UTM 9 firewall.

Here is the message we received from the software company:

.....you need to configure the firewall so that port 22, 80, and 443 is pointing to Pace (192.168.0.47) port 22, 80, 443....

I'm creating a new NAT rule but get confused about what exactly I need to change and configure.



  • I'm assuming that 192.168.0.47 is on your internal network and all clients on that network can reach the internet, i.e. so that 192.168.0.47 can reach the internet also.

    You need to create 3x DNAT rules: one for http (80), one for https (443), and one for ssh (22).
    You can select automatic firewall rules here for simplicity; otherwise you will need to create the appropriate rules after creating the DNATs.

    Basically it is DNAT under network protection > NAT

    Rule Type = DNAT

    Traffic coming from: ANY
    Using Service = http <<< you create a rule for each service eg http, https, ssh
    Going to = WAN Interface (your outside internet facing interface)

    Change the destination to: 192.168.0.47
    And the service to: leave blank

     

    Tick Auto firewall rules and logging if desired to see the traffic appear in the firewall logs.

    That's basically it.

     

    My preferred way would be to use the WAF (web application firewall) further down the menu on the UTM which will offer you better protection with http/https (no DNAT required here as it proxies incoming requests)

    You will still need a DNAT for ssh. Make sure your ssh password is strong and that you have further protection on that server eg fail2ban etc as ssh brute force attempts are commonplace. My servers get hit thousands of times a day.

  • Attaching a screenshot of how I think it's supposed to go. But still not able to access from external IP.

  • click the sliders (next to the rule numbers) to turn them on (they will go green)

    Under the search for services, search for http, https, ssh and not the port numbers.

    Rule Type = DNAT

    Traffic coming from: ANY
    Using Service = http
    Going to = WAN Interface (your outside internet facing interface)

    Change the destination to: new_paceserver
    And the service to: leave blank

  • I did that and used http, https and ssh. Now I only have three rules.

    They tested from outside and are telling me only 22 works.

    Any additional settings to get http and https working?

  • OK Problem solved. It appears other rules in previous order were overriding the ones I was making. Disabled them and good to go.

  • Glad it worked out for you. You've just come across a rule of the UTM, or any other firewall for that matter.

    The rules work in order, i.e. from top to bottom, and once a rule is matched, no other rule is tried for that traffic.

    So if a deny all http rule is number 1 and an allow all http rule is number 2, everything http will be denied.

    I'd advise you to read the RULZ post on this forum and then have another read of it. It's a good bible to have.

     

    Also consider using the WAF as it offers superior protection to web servers compared to DNATs.
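An added example, not part of the thread and not Sophos code: a small Python model of the DNAT rule form described above (Traffic coming from ANY, Using Service, Going to WAN, Change the destination to, service left blank) evaluated with first-match semantics. It reproduces the problem the original poster hit, where older rules higher in the list overrode the new ones for http and https while ssh still worked, and includes a shadow check that flags rules which can never fire because an earlier enabled rule covers them. The WAN address (203.0.113.10), the external client address and the old server address (192.168.0.10) are constructed placeholders; 192.168.0.47 is the Pace server from the thread.

```python
# Added example (not from the thread or Sophos): first-match evaluation of
# DNAT rules plus a check for rules shadowed by earlier rules in the list.
from dataclasses import dataclass
from typing import Optional

# Service names as used in the UTM GUI, mapped to their TCP ports.
SERVICES = {"http": 80, "https": 443, "ssh": 22}

# Constructed addresses for this example (WAN_IP is from the TEST-NET-3
# documentation range, OLD_SERVER is a placeholder); PACE_SERVER is the
# internal host named in the thread.
WAN_IP = "203.0.113.10"
OLD_SERVER = "192.168.0.10"
PACE_SERVER = "192.168.0.47"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class DnatRule:
    name: str
    service: Optional[str]             # None = any service
    going_to: str                      # "any" or the address the packet is sent to
    change_dst: str                    # "Change the destination to"
    change_port: Optional[int] = None  # None = "leave blank": keep the original port
    enabled: bool = True               # the slider next to the rule number

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.going_to != "any" and pkt.dst != self.going_to:
            return False
        if self.service is not None and SERVICES[self.service] != pkt.dport:
            return False
        return True

    def covers(self, other: "DnatRule") -> bool:
        """True if every packet `other` could match is already matched by this rule."""
        dst_ok = self.going_to == "any" or self.going_to == other.going_to
        svc_ok = self.service is None or self.service == other.service
        return dst_ok and svc_ok


def translate(rules, pkt):
    """Top-to-bottom: the first enabled matching rule wins, later rules are never tried."""
    for rule in rules:
        if rule.matches(pkt):
            new_port = rule.change_port if rule.change_port is not None else pkt.dport
            return Packet(pkt.src, rule.change_dst, new_port), rule.name
    return pkt, None


def shadowed(rules):
    """Enabled rules that can never fire because an earlier enabled rule covers them."""
    found = []
    active = [r for r in rules if r.enabled]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


def build_rules(old_enabled: bool):
    """Rule list as in the thread: leftover rules above the three new Pace rules."""
    old = [DnatRule("old_http", "http", WAN_IP, OLD_SERVER, enabled=old_enabled),
           DnatRule("old_https", "https", WAN_IP, OLD_SERVER, enabled=old_enabled)]
    new = [DnatRule(f"pace_{svc}", svc, WAN_IP, PACE_SERVER) for svc in ("http", "https", "ssh")]
    return old + new


def forwarded_to(rules, dport: int) -> str:
    """Where a packet from the internet to WAN_IP:dport ends up after DNAT."""
    pkt, _ = translate(rules, Packet("198.51.100.7", WAN_IP, dport))  # constructed client
    return f"{pkt.dst}:{pkt.dport}"


if __name__ == "__main__":
    for old_on in (True, False):
        rules = build_rules(old_on)
        print("old rules enabled:" if old_on else "old rules disabled:")
        for svc, port in SERVICES.items():
            print(f"  {svc:5} -> {forwarded_to(rules, port)}")
        print("  shadowed:", shadowed(rules))
```

With the old rules enabled, port 22 is the only service that reaches 192.168.0.47, exactly the symptom reported in the thread, and `shadowed()` names the two new rules that will never fire and the rules above them that are responsible; disabling the old rules clears both the shadow report and the forwarding problem.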