Port forwarding, also known as Virtual Server Port Forwarding, is a networking method that routes external internet traffic to designated devices or services within a local network. This technique enables external devices to interact with a particular device or service inside a private network by linking an external port to an internal IP address and port.
Virtual Server (Port Forwarding)
Characteristics of Virtual Server:
- Maps specific external ports to specific internal ports.
- Useful for accessing different services (like web, email, FTP) on the same public IP.
- Does not alter the source IP address of incoming traffic (no SNAT).
Configure Virtual Server (Port Forwarding)
Virtual Server is the most commonly used mapping type; use it when you want to make an internal server available to the public network outside the Zyxel Device. In the video at the link you can see how the configuration is performed on the previous version of the firewall. The interface is different, but the configuration process has not changed much.
- Log in to the device WebGUI
- Navigate to Configuration > Network > NAT
- Create a new rule by clicking on the "Add" button
- Specify rule name
- Select the port mapping type to "Virtual Server"
Mapping rule for Virtual Server (Explanation)
Incoming interface - the interface that the traffic is coming from
- Set your incoming interface to "wan"
- Set Source IP to "any"
It is possible to manually specify the external and internal IP addresses. However, we strongly advise utilizing objects for this purpose. Furthermore, when creating additional security policies, this approach will be necessary. Creating objects for NAT rules simplifies management, improves readability, reduces complexity, enhances policy enforcement, allows reuse and scalability, simplifies backups and rollbacks, and minimizes errors.
To create an object for the external and internal interface, please select the option "Create new object" located in the upper left corner of the same form.
Create two "Address" objects, one of type "Interface IP" and one of type "Host". Give each object a clear name; in the first object specify the address of your external interface and in the second the local address of your NAS device.
Port Mapping Type (Explanation)
any - all traffic will be forwarded
Service - Select a service-object (a protocol)
Service-Group - Select a service-group object (a group of protocols)
Port - Select a port that needs to be forwarded
Ports - Select a port range that needs to be forwarded
- External and Internal IP: select the previously created objects
- Port Mapping Type: specify "Port"
- Protocol Type: "any"
- External and Internal ports: in our example they are the same
Note:
- The external port is the port that the external user is using to get to the firewall on WAN
- The internal port is the port that is forwarded internally on LAN
- This can both be a 1:1 translation (port 443 to 443) or port 4433 to 443 for example
NAT loopback
NAT loopback is used inside the network to reach the internal server using the public IP. Check that NAT loopback is enabled (this allows users connected to any interface to use the NAT rule too) and click OK.
Add a Firewall rule to allow the NAT (Port Forwarding)
Note! You need to allow the internal port, not the external port, because it is the internal port that is forwarded to the LAN interface of your firewall and therefore needs to be allowed.
- Navigate to Configuration > Security Policy > Policy Control
- Create a new rule by clicking on the "Add" button
- Specify rule name
- In the "From" field, set "WAN"
- In the "To" field, set "LAN"
- In the "Destination" field, select the previously created "NAS_IP" object
- Service: we need to create a service object for port 50000. In the security policy creation window, click "Create a new object" in the upper right corner (service objects are managed under Configuration > Object > Service)
- In the "Action" field, set "allow"
- Press "Ok"
Open a browser and type in the WAN IP of your USG and the configured port. Now the NAS is behind the USG and reachable through port forwarding.
Example for our WAN IP: https://[yourWAN-IP]:50000
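The following Python model is an added illustration and not Zyxel code or output from the WebGUI. It simulates the two stages described above: a Virtual Server rule rewrites the destination of an incoming packet (DNAT only, the source IP stays unchanged), and the security policy is then evaluated against the translated packet. The scenario is constructed: WAN address 203.0.113.10, NAS_IP 192.168.1.50, the 4433-to-443 mapping from the note above, and a client on 198.51.100.7. It shows why the policy must allow the internal port rather than the external one, how a "Ports" range mapping is applied, and what the NAT loopback option changes for a LAN host using the public IP.

```python
"""Model of how a Virtual Server (DNAT) rule and the security policy interact.
Constructed example; field names approximate the WebGUI form, not Zyxel's API."""
from dataclasses import dataclass, replace
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"
    in_zone: str = "WAN"  # zone of the incoming interface


@dataclass(frozen=True)
class VirtualServer:
    """One NAT rule of type Virtual Server; ext_ports/int_ports are equally
    long ranges, so mapping type "Port" is simply a range of length one."""
    external_ip: str
    internal_ip: str
    ext_ports: range
    int_ports: range
    protocol: str = "any"
    nat_loopback: bool = True

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self.ext_ports:
            return None
        if self.protocol not in ("any", pkt.protocol):
            return None
        # Without NAT loopback the rule only applies to traffic entering on WAN.
        if pkt.in_zone != "WAN" and not self.nat_loopback:
            return None
        offset = pkt.dst_port - self.ext_ports.start
        # DNAT only: destination is rewritten, the source IP is left untouched (no SNAT).
        return replace(pkt, dst_ip=self.internal_ip,
                       dst_port=self.int_ports.start + offset)


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst_ip: str
    port: int
    action: str  # "allow" or "deny"


def evaluate(pkt: Packet, nat_rules: Iterable[VirtualServer],
             policies: Iterable[Policy],
             zone_of: Callable[[str], str]) -> Tuple[Packet, str]:
    """Apply the first matching NAT rule, then the first matching policy to
    the *translated* packet. Anything unmatched falls into the default deny."""
    translated = pkt
    for rule in nat_rules:
        hit = rule.translate(pkt)
        if hit is not None:
            translated = hit
            break
    to_zone = zone_of(translated.dst_ip)
    for pol in policies:
        if (pol.from_zone in ("any", translated.in_zone) and pol.to_zone == to_zone
                and pol.dst_ip == translated.dst_ip and pol.port == translated.dst_port):
            return translated, pol.action
    return translated, "deny"


# Constructed addresses standing in for the USG WAN IP and the NAS_IP object.
WAN_IP = "203.0.113.10"
NAS_IP = "192.168.1.50"


def zone_of(ip: str) -> str:
    return "LAN" if ip.startswith("192.168.1.") else "WAN"


# External port 4433 forwarded to internal port 443 on the NAS.
NAS_RULE = VirtualServer(WAN_IP, NAS_IP, range(4433, 4434), range(443, 444))

# Mistake: the policy allows the external port, which never appears after DNAT.
WRONG_POLICY = [Policy("WAN", "LAN", NAS_IP, 4433, "allow")]
# Correct: the policy allows the internal port that the LAN side actually sees.
RIGHT_POLICY = [Policy("WAN", "LAN", NAS_IP, 443, "allow")]


def wan_client(policies: Iterable[Policy]) -> Tuple[Packet, str]:
    """Internet host connecting to the public IP on the external port."""
    return evaluate(Packet("198.51.100.7", WAN_IP, 4433), [NAS_RULE], policies, zone_of)


def lan_client(nat_loopback: bool) -> Optional[Packet]:
    """LAN host reaching the NAS through the public IP (NAT loopback case)."""
    rule = replace(NAS_RULE, nat_loopback=nat_loopback)
    return rule.translate(Packet("192.168.1.20", WAN_IP, 4433, in_zone="LAN"))


if __name__ == "__main__":
    for label, pol in (("external-port policy", WRONG_POLICY), ("internal-port policy", RIGHT_POLICY)):
        pkt, verdict = wan_client(pol)
        print(f"{label}: {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port} => {verdict}")
    print("loopback off:", lan_client(False), "| loopback on:", lan_client(True))
```

Running the script prints a deny for the policy written against port 4433 and an allow for the one written against 443, with the source address 198.51.100.7 preserved in both cases; the loopback line shows the LAN client's packet only being translated when the option is enabled, matching the two notes above.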