Port Forwarding¶
VPF can forward connections from external ports to internal ports, changing the destination address in the process. This is commonly called “port forwarding”. These examples demonstrate how to accomplish these for situations where the port is either the same or different between the external destination and the internal destination.
Forwarding the Same Port Externally and Internally¶
This example forwards port 80 on the current WAN interface address to the
same port on an internal host of 10.30.0.10:
tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# rule 100
tnsr(config-vpf-nat-rule)# description Forward port 80
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# protocol tcp
tnsr(config-vpf-nat-rule)# to ifaddrs WAN
tnsr(config-vpf-nat-rule)# to port 80
tnsr(config-vpf-nat-rule)# nat-prefix 10.30.0.10/32
tnsr(config-vpf-nat-rule)# nat-port 80
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
Next, allow this traffic in with an VPF filter rule which passes connections
to the external address on WAN on the external port 80:
tnsr(config)# vpf filter ruleset WAN-filter
tnsr(config-vpf-filter-ruleset)# rule 50
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# protocol tcp
tnsr(config-vpf-filter-rule)# to ifaddrs WAN
tnsr(config-vpf-filter-rule)# to port 80
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit
Forwarding a Different Port¶
This example forwards port 443 on the current WAN interface address to a
different port, 4444, on an internal host of 10.30.0.20:
tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# rule 110
tnsr(config-vpf-nat-rule)# description Forward port 443
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# protocol tcp
tnsr(config-vpf-nat-rule)# to ifaddrs WAN
tnsr(config-vpf-nat-rule)# to port 443
tnsr(config-vpf-nat-rule)# nat-prefix 10.30.0.20/32
tnsr(config-vpf-nat-rule)# nat-port 4444
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
Next, allow this traffic in with an VPF filter rule which passes connections
to the external address on WAN on the external port 443:
tnsr(config)# vpf filter ruleset WAN-filter
tnsr(config-vpf-filter-ruleset)# rule 60
tnsr(config-vpf-filter-rule)# pass
tnsr(config-vpf-filter-rule)# direction in
tnsr(config-vpf-filter-rule)# stateful
tnsr(config-vpf-filter-rule)# protocol tcp
tnsr(config-vpf-filter-rule)# to ifaddrs WAN
tnsr(config-vpf-filter-rule)# to port 443
tnsr(config-vpf-filter-rule)# exit
tnsr(config-vpf-filter-ruleset)# exit