Use Port Redirection to access a LAN server from the Internet

Port Redirection is a feature that redirects a connection request arriving on a specific port of the router's WAN interface to a host on the router's LAN. While traversing the NAT, the router can also change the destination port. This document explains how to set up Port Redirection on DrayTek Vigor Routers.

In this example, we would like to provide RDP (Remote Desktop Protocol) access to a computer on the LAN for Internet clients.
NOTE: Since firmware version 3.8.4, we can also specify a Source IP to limit access to authorized IPs only.

1. Go to NAT >> Port Redirection, and click on an available index to add a new profile.

Add a Port Redirection profile on Vigor Router

2. Edit the profile as follows:

  1. Check Enable
  2. Enter a Service Name for identification
  3. Choose the Protocol; for the RDP service it's TCP.
  4. Enter a Public Port number, which is the port to which Internet clients should connect
  5. Enter Private IP as the LAN IP of the computer for RDP access
  6. Enter Private Port as the port on which the RDP service is listening
  7. Click OK to save the configuration
Port Redirection profile example

3. With the above settings, when a connection request is sent to the router on port 11000, the router forwards it to private IP 192.168.1.10 and changes the destination port to 3389, on which the RDP service is listening. Now, clients on the Internet can access the server on the router's LAN through the router's WAN IP and the defined public port.

checking port redirection

Port Redirection for a range of LAN devices

Vigor router also supports Range mode port redirection, in which a range of public ports will be redirected to the same private port of several LAN devices.

range mode topo

1. Go to NAT >> Port Redirection, and click on an available index to add a new profile.

2. Edit the profile as follows:

  1. Check Enable
  2. Select Range mode
  3. Enter a Service Name for identification
  4. Choose the Protocol; for the HTTP service it's TCP.
  5. Enter the Public Port range, which are the ports to which Internet clients should connect
  6. Enter Private IP as the LAN IP of the web servers
  7. Enter Private Port as the port on which the HTTP service is listening
  8. Click OK to save the configuration
range Port Redirection setting

Now when an Internet client accesses http://100.100.100.100:8080, it will be redirected to web server1 (192.168.1.2:80); when an Internet client accesses http://100.100.100.100:8081, it will be redirected to web server2 (192.168.1.3:80), and so on.

Port Redirection for Limited Source IP

Since firmware version 3.8.4, the network administrator can specify the source IP in Port Redirection and Open Ports. This function is useful when we want to allow only some IPs to access the server behind the router, which increases the level of security while still allowing Internet access.

For example, suppose the network administrator only allows the IP 200.200.200.200 to use the RDP service on 192.168.1.10.

Port Redirection for specific source IP

1. Go to Object Setting >> IP Object, select one of the profile indexes.

Specifying the source IP in Port Redirection Profile

2. Edit the profile as follows:

  1. Enter the Name for identification.
  2. Select "Any" for Interface
  3. Select "Single" for Address Type
  4. Enter the IP Address that is allowed to access RDP at Start IP Address
  5. Click OK to save.

3. Go back to NAT >> Port Redirection, select the profile set up for RDP, select the Source IP, and click OK to save.

Now, this Port Redirection rule will only apply to connection requests from IP 200.200.200.200 and redirect them to the RDP server.

Port Redirection Setup with Source IP
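
The three rule types above (single port, Range mode and Source IP restriction) can be modelled in a few lines to review a rule set before entering it on the router. This is an added example, not DrayTek firmware code; the `Rule` fields, the function names and the end of the public range (8089) are assumptions made for illustration, and it also flags rules that forward to RDP without a Source IP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:                        # hypothetical structure, not the router's format
    name: str
    public_start: int
    public_end: int                # same as public_start for a single-port rule
    private_ip: str                # Range mode counts up from this LAN address
    private_port: int
    source: Optional[str] = None   # allowed source IP or network; None means any

def translate(rule: Rule, src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (private_ip, private_port) if the rule applies, else None."""
    if not rule.public_start <= dst_port <= rule.public_end:
        return None
    if rule.source is not None:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
            return None            # rule only applies to the listed source
    # Range mode: the Nth public port goes to the Nth consecutive LAN host.
    host = ipaddress.ip_address(rule.private_ip) + (dst_port - rule.public_start)
    return str(host), rule.private_port

def unrestricted(rules, sensitive_ports=(3389,)):
    """Names of rules exposing a sensitive private port to any source IP."""
    return [r.name for r in rules
            if r.source is None and r.private_port in sensitive_ports]

# Rules taken from the examples in this article (range end is constructed).
RULES = [
    Rule("RDP", 11000, 11000, "192.168.1.10", 3389, source="200.200.200.200"),
    Rule("Web", 8080, 8089, "192.168.1.2", 80),
]

def route(src_ip: str, dst_port: int, rules=RULES):
    """First matching rule wins; None means no redirection applies."""
    for rule in rules:
        hit = translate(rule, src_ip, dst_port)
        if hit:
            return hit
    return None

if __name__ == "__main__":
    print(route("200.200.200.200", 11000), route("203.0.113.5", 8081))
    print("RDP rules open to any source:", unrestricted(RULES))
```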

Troubleshooting

If the port redirection is not working as expected, please check:

  • Whether the port is already used by a local service on the router itself.
    The commonly used ports on the Vigor router are TCP 80 (for web server), TCP 443 (for web server and SSL VPN), and TCP 21 (for FTP). To avoid port conflicts, please change the ports on the Management page (or the access control setting page for Vigor3900/2960), or disable those local services for Internet access if not in use.

  • To ensure the server on the LAN is alive, we can check
    • If there are firewall rules on the server itself blocking the access.
    • If the LAN server is accessible to other PCs on the same network; alternatively, we can dial in by VPN to the Vigor router's LAN and try connecting to the server.
    • Try telnet to the server on the specific port to check the connectivity. For example, telnet to 192.168.100.10:21 for an FTP server using the default port 21.

  • The server's gateway must point to the Vigor router.
  • There are no static routes or route policy rules on the router that will route the server's traffic to the wrong gateway.
  • There are no firewall rules on the router that will block the connection between the Internet client and the server.
  • Capture the router’s LAN/WAN packets to find out which host does not respond.
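
The telnet check above can be scripted so that the result says which side to look at. This is an added example, not part of the original article; `probe` and `diagnose` are hypothetical helper names. Run the LAN-side probe from a host on the router's LAN and the WAN-side probe from a host on the Internet.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt, as the telnet check does by hand."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed, a service is listening
    except ConnectionRefusedError:
        return "refused"           # host answered with a reset: nothing listening
    except socket.timeout:
        return "timeout"           # no answer: filtered, or replies leave another way
    except OSError:
        return "unreachable"       # no route to the host or similar network error

def diagnose(lan_result, wan_result):
    """Map a LAN-side and a WAN-side probe result to the checklist above."""
    if lan_result != "open":
        # The server does not answer even locally: not a redirection problem.
        return "server: check the service and the firewall on the server itself"
    if wan_result == "open":
        return "ok: the redirection works"
    # Server is fine locally but not through the router's WAN IP.
    return ("router: check port conflicts with local services, router firewall "
            "rules, the server's gateway and static route / route policy rules")

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>, e.g. 192.168.100.10 21 from the LAN
    print(probe(sys.argv[1], int(sys.argv[2])))
```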

Go to NAT >> Port Redirection, click Add to create a profile, and edit it as follows:

  1. Give the profile a name and enable it
  2. Select "One to One" as Port Redirection Mode
  3. Select Protocol
  4. Enter Public Port as the port to which Internet clients should connect
  5. Enter Private IP as the IP of the server on LAN
  6. Enter Private Port as the port on which the server is listening
  7. Click Add in More Port to allow more public ports to be redirected to other private ports.
a screenshot of port redirection settings on Vigor3900

Now, we can access the server behind NAT (Vigor3900) from Vigor3900's WAN IP with the specified port.

Published On: Nov 13, 2015 
