How to apply Firewall Rules to Port Forwarding (2024)


DrayTek Vigor routers running firmware 3.8.4 or later can limit access to ports forwarded in the [NAT] section, with either [Port Redirection] or [Open Ports] rules, by using the Source IP setting. This is a quick way to limit access to port forwards on the router to:

  • Single IP Address
  • Range of IP Addresses - 198.51.100.1 to 198.51.100.254 for instance
  • Subnet Address - e.g. 198.51.100.152/29, which equates to the range of IP addresses from 198.51.100.152 (network address) to 198.51.100.159 (broadcast address)

This is a new feature in 3.8.4 and later firmware versions. On previous DrayTek routers or earlier firmware versions, the same restriction can be applied using the Firewall, as demonstrated in this guide: Firewall - Limit access to Port Forwarding with Firewall Rules

When the Source IP is configured in a NAT rule, the router will only allow the IP address(es) specified to access that port forward; other IP addresses are blocked by the router's firewall.

IP Objects

The Source IP is configured with an IP Object, which defines the IP address(es) on the Internet that will be allowed access to the forwarded port.

Go to [Object Settings] > [IP Object] and click on the first available index number:


In the IP Object, there are three Address Type settings:


Single Address - This sets a single IP address for the IP object.


Range Address - This sets a range of IP addresses in the IP object.

Subnet Address - This sets the IP range according to a subnet: the Start IP Address is the network address of the subnet and the Subnet Mask defines how large the subnet is.

In this example, the 198.51.100.104 address is the network address, 255.255.255.248 is the subnet mask and this results in an IP range from 198.51.100.104 to 198.51.100.111.

Click OK to save the IP Object once configured and it will show in the list of IP Objects:


Port Forwarding

To configure a port forward on the router, there are two methods:

Types of Port Forwarding

Port Redirection

This method is used to open a single TCP or UDP port to the Internet and direct it to a LAN (Private) IP address on the Private Port specified. This can be used to open a port externally (Public Port) and direct it to the same port internally, or a different port number.

This can be useful to open the same Private Port on multiple local devices to different external port numbers. For instance, Remote Desktop Protocol (TCP 3389) could be opened for many PCs with each having a unique Public Port number, e.g. 192.168.1.10:3389 maps to 33890 externally and 192.168.1.11:3389 maps to 33891 externally.

Open Ports

This method opens a range of ports to the specified LAN (Private) IP address, with up to 10 TCP or UDP port ranges per Open Ports entry.

This can be used to open all required ports to a server in a single NAT - Open Ports rule.


Port Redirection

To configure a Port Redirection NAT rule on the router, go to [NAT] > [Port Redirection] and click on the first available Index number:


In the Port Redirection entry, configure these settings:


  • Mode - Set this to Single to open a single port when forwarding one port. Setting this to Range opens that range of ports, i.e. 100-110, to a similar range of internal IPs such as 192.168.1.100 to 192.168.1.110, on the Private Port specified
  • Service Name - This is used for display purposes to identify the NAT rule
  • Protocol - This can be set to TCP, UDP or TCP/UDP to open both types of port
  • WAN Interface - The Internet connection that the port will be opened to
  • Public Port - This is the external port. In this example, the port forwarded is the same externally as internally
  • Source IP - The Source IP can be left as "Any" to open the port to the Internet, or set to the specified IP Object to limit access to only that Single IP / Range of IPs / Subnet of IPs
  • Private IP - This is the LAN IP of the server that will respond
  • Private Port - This is the port number for the service that the router will send to the LAN IP

Setting a Source IP will display the IP Objects available on the router; when configured, the port forward rule will allow only that IP address to go through the router's firewall to the forwarded port / service:


Click OK to save the rule and the router will forward requests received on that port to the internal server if the IP address matches the Source IP:


Open Ports

To configure an Open Ports NAT rule on the router, go to [NAT] > [Open Ports] and click on the first available Index number:


In the Open Ports entry, configure these settings:


  • Comment - This is used for display purposes to identify the NAT rule
  • WAN Interface - The Internet connection that the port will be opened to
  • Source IP - The Source IP can be left as "Any" to open the port to the Internet, or set to the specified IP Object to limit access to only that Single IP / Range of IPs / Subnet of IPs
  • Private IP - This is the LAN IP of the server that will respond
  • Protocol - This can be set to TCP, UDP or TCP/UDP to open both types of port
  • Start Port - The port that will be opened to the Internet. This can be the same as the End Port if opening a single port entry, i.e. 443 to 443 opens port 443 only
  • End Port - The end port of the range of ports that will be opened to the Internet

Click OK to save the rule and the router will forward requests received on those ports / port ranges to the internal server only if the IP address matches the Source IP.
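The following is an added example, not DrayTek code or part of the original guide: a small offline check that works out which addresses each of the three IP Object Address Types covers and lists port forwards whose Source IP is still "Any". The dictionary layout, the object names (office, partner) and the rule names are assumptions made for illustration; they are not the router's configuration format.

```python
import ipaddress

def resolve_ip_object(obj):
    """Return (first, last) address covered by an IP Object definition."""
    start = ipaddress.IPv4Address(obj["start"])
    if obj["type"] == "single":
        return start, start
    if obj["type"] == "range":
        end = ipaddress.IPv4Address(obj["end"])
        if end < start:
            raise ValueError("end address is below start address")
        return start, end
    if obj["type"] == "subnet":
        # strict=True rejects a Start IP that is not the subnet's network address
        net = ipaddress.IPv4Network(f"{obj['start']}/{obj['mask']}", strict=True)
        return net.network_address, net.broadcast_address
    raise ValueError(f"unknown address type {obj['type']!r}")

def source_allowed(rule, objects, src):
    """True if src matches the rule's Source IP setting."""
    if rule["source"] == "Any":
        return True
    first, last = resolve_ip_object(objects[rule["source"]])
    return first <= ipaddress.IPv4Address(src) <= last

def open_to_any(rules):
    """Names of port forwards with no Source IP restriction."""
    return [r["name"] for r in rules if r["source"] == "Any"]

# Constructed sample data reusing the addresses and ports from the article
OBJECTS = {
    "office": {"type": "subnet", "start": "198.51.100.104",
               "mask": "255.255.255.248"},
    "partner": {"type": "range", "start": "198.51.100.1",
                "end": "198.51.100.254"},
}
RULES = [
    {"name": "RDP-PC1", "public_port": 33890,
     "private": "192.168.1.10:3389", "source": "office"},
    {"name": "RDP-PC2", "public_port": 33891,
     "private": "192.168.1.11:3389", "source": "Any"},
]

if __name__ == "__main__":
    for name, obj in OBJECTS.items():
        first, last = resolve_ip_object(obj)
        print(f"{name}: {first} - {last}")
    print("open to Any:", open_to_any(RULES))
```

A Subnet Address object whose Start IP is not the network address (for example 198.51.100.106 with mask 255.255.255.248) raises ValueError here, which catches the mistake before it is entered on the router.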


First Published: 03/11/2016
Last Updated: 22/04/2021
Author: Aron Pacocha