Use Open Port to access a LAN server from the Internet

Open Port is a feature that redirects connection requests on several ports of the router's WAN to a host on the router's LAN. While traversing the NAT, Open Port does not change the destination port. This document shows how to set up Open Port on a Vigor Router and gives some troubleshooting tips in case it does not work as expected. In this example, we provide RDP (Remote Desktop Protocol) access to a computer on the LAN for Internet clients.

Since firmware version 3.8.4, we can also specify a Source IP to limit access to authorized IPs only.

1. Go to NAT >> Port Redirection, and click on an available index to add a new profile.

a screenshot of DrayOS open port setting

2. Edit the profile as follows:

  1. Check Enable Open Ports
  2. Enter Comment for identification
  3. Choose Interface from which the Internet connection is coming
  4. Enter Private IP as the LAN IP of the computer for RDP access
  5. Enter the Protocol and Port on which the RDP service is listening
  6. Click OK to save the configuration
a screenshot of DrayOS open port settings

3. With the above settings, when a connection request is sent to the router on port 3389, the router forwards the request to private IP 192.168.1.10. Clients on the Internet can now access the server on the router's LAN through the router's WAN IP and the defined public port.

a screenshot of Windows RDP

Open Ports for Limited Source IP

Since firmware version 3.8.4, the network administrator can specify the source IP in Port Redirection and Open Ports. This is useful when we only want to allow some IPs to access the server behind the router, which increases the level of security while still allowing Internet access.

For example, suppose the network administrator only allows the IP 200.200.200.200 to use the RDP service on 192.168.1.10.

1. Go to Object Setting >> IP Object, select one of the profile indexes.

a screenshot of DrayOS IP Object list

2. Edit the profiles as follows:

  1. Enter the Name for identification.
  2. Select "Any" for Interface
  3. Select "Single" for Address Type
  4. Enter the IP Address that is allowed to access RDP at Start IP Address
  5. Click OK to save.
a screenshot of DrayOS IP Object settings

3. Go back to NAT >> Port Redirection, select the profile set for RDP, select Source IP, and click OK to save. Now the router will only open the ports for IP 200.200.200.200 and redirect its connections to the RDP server.

a screenshot of DrayOS Open Port settings

Troubleshooting

If the open port is not working as expected, please check:

  1. Whether the port is already used by a local service on the router itself.
    The commonly used ports on a Vigor router are TCP 80 (for the web server), TCP 443 (for the web server and SSL VPN), and TCP 21 (for FTP). To avoid port conflicts, change the ports on the Management page (or the access control setting page for Vigor3900/2960), or disable those local services for Internet access if they are not in use.

  2. To ensure the server on the LAN is alive, we can check
    • If there are firewall rules on the server itself blocking the access.
    • If the LAN server is accessible to other PCs on the same network, or we can dial in a VPN to the Vigor router's LAN and try connecting to the server.
    • Try telnet to the server on the specific port to check the connectivity. For example, telnet to 192.168.100.10:21 for an FTP server using the default port 21.

  3. The server's gateway must point to the Vigor router.
  4. There are no static routes or route policy rules on the router that will route the server to the wrong gateway.
  5. There are no firewall rules on the router that will block the connection between the Internet client and the server.
  6. Capture the router’s LAN/WAN packets to find out which host does not respond.
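
The telnet check from step 2, as an added script (not DrayTek's code) that also separates a refused connection from a silently dropped one, since each points at a different item in the list above. `check_tcp`, `diagnose` and `HINTS` are names chosen for this example; the target is the article's 192.168.1.10 on port 3389.

```python
import errno
import socket

# Next checklist item to look at for each outcome (wording is this example's own).
HINTS = {
    "open": "service is reachable on this path",
    "refused": "host answered but nothing accepts on this port: "
               "check the service and the server's own firewall",
    "filtered": "no reply before timeout: check router firewall rules, "
                "the server's gateway and static route / route policy",
    "unreachable": "no route to the host: check addressing and routing",
}


def check_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake to host:port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # SYN/SYN-ACK/ACK completed
    except (socket.timeout, TimeoutError):
        return "filtered"          # packets silently dropped somewhere
    except ConnectionRefusedError:
        return "refused"           # RST came back from the host
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"             # e.g. name resolution failure


def diagnose(targets, timeout=3.0):
    """Return (label, host, port, state, hint) for each (label, host, port)."""
    report = []
    for label, host, port in targets:
        state = check_tcp(host, port, timeout)
        hint = HINTS.get(state, "unexpected socket error")
        report.append((label, host, port, state, hint))
    return report


if __name__ == "__main__":
    # Article's example server. Run from a LAN PC first; from an Internet
    # client, replace the host with the router's WAN IP (not given here).
    for row in diagnose([("RDP server on LAN", "192.168.1.10", 3389)]):
        print("%s %s:%d -> %s (%s)" % row)
```

If the LAN-side run reports "open" while the same check from an allowed Internet address reports "filtered", the server is fine and the remaining items (router firewall, Source IP object, routing) are where to look.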

Published On: Nov 13, 2015 
