Preface
This article will describe how to use OneView to add a port forwarding rule to a router managed by OneView. Using the method described, OneView will restore the settings if the router ever needs to be replaced or factory reset.
Port forwarding exposes an internal service to the WAN, which opens up a security hole; consider this carefully before setting it up.
To follow this article, you should have OneView, a OneView-managed router, and WAN access set up properly for the Connect network (see Router Management with OneView™ for more details).
Navigate to the menu
Follow the menu sequence:
Config > Advanced Settings > Router > Manual Management
Go to the "Custom Saved Commands" section of the page.
Add a port forwarding rule
The port forwarding rule should go into the "Create new add/other command" section.
An example rule is:
/ip/firewall/nat/add action=dst-nat chain=dstnat protocol=tcp dst-port=8443 to-ports=443 to-addresses=10.2.0.25
In this example, the rule forwards external (WAN) requests targeting port 8443 to port 443 (https) on a device with an internal (LAN) IP address of 10.2.0.25. Note that since port 8443 is non-standard, you will probably need to manually type "https://" before the router's external IP address in order to access the internal device.
For example, if the router's external IP address is 10.100.0.162 and you wanted to access the internal device at IP address 10.2.0.25, you would type the following into your browser's address bar:
https://10.100.0.162:8443
To use this command example for your own purposes, you should change the dst-port, to-ports, and to-addresses fields.
- The dst-port field is the port the external requester (e.g. your browser) connects to on the router's external address
- The to-ports field is the port the request is forwarded to on the internal device
- The to-addresses field is the internal (LAN) IP address of the target device
Forward multiple external IP addresses to internal IP addresses
Another use case is mapping multiple external (WAN) router IP addresses to multiple internal (LAN) IP addresses inside the router. This involves adding firewall rules as well as additional external IP addresses.
The example below contains commands to create 2 new external IP addresses which will be forwarded to 2 different internal IP addresses.
Each line is a separate custom command that should be input into OneView.
/ip/address/add address=10.100.0.163/32 interface=ether1
/ip/address/add address=10.100.0.164/32 interface=ether1
/ip/firewall/nat/add action=dst-nat chain=dstnat dst-address=10.100.0.163 to-addresses=10.2.0.25
/ip/firewall/nat/add action=dst-nat chain=dstnat dst-address=10.100.0.164 to-addresses=10.2.0.26
Unlike the previous example, where an external requester had to specify port 8443 and the router mapped it to port 443 internally, here every port is mapped unchanged from the external (WAN) IP address to the internal (LAN) IP address: port 80 is forwarded to port 80, port 443 to port 443, and so on.
To use these commands for your own purposes, you should change the following:
- The address and interface fields for /ip/address/add commands
- The dst-address and to-addresses fields for /ip/firewall/nat/add commands
The purpose of these fields is as follows:
- The address field is an external IP address for the router. Make sure to keep the /32 subnet so that the router doesn't get confused about routes.
- The interface field is the WAN port according to the WAN & DNS menu in OneView.
- The dst-address field is the router's external (WAN) IP address.
- The to-addresses field is the internal (LAN) IP address that the external IP address is being mapped to.
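As an added example (not part of this article or of OneView), the Python script below sanity-checks a list of custom commands before they are entered: it confirms that /ip/address/add lines keep the /32 mask, that each dst-nat rule points into an assumed LAN range, and that each rule is restricted by dst-port or dst-address rather than forwarding all WAN traffic. The LAN range 10.2.0.0/24 is an assumption taken from the article's example addresses.

```python
import ipaddress
import shlex

# Assumption: the LAN range used in the article's examples (10.2.0.25, 10.2.0.26).
LAN_NET = ipaddress.ip_network("10.2.0.0/24")


def parse_command(line):
    """Split a RouterOS command such as '/ip/firewall/nat/add k=v ...'
    into its path and a dict of key=value fields."""
    parts = shlex.split(line)
    fields = dict(arg.split("=", 1) for arg in parts[1:])
    return parts[0], fields


def check_command(line, lan_net=LAN_NET):
    """Return a list of problems found in one custom command (empty if it looks sane)."""
    path, f = parse_command(line)
    problems = []
    if path == "/ip/address/add":
        if not f.get("address", "").endswith("/32"):
            problems.append("address should carry a /32 mask")
        if "interface" not in f:
            problems.append("interface (WAN port) is missing")
    elif path == "/ip/firewall/nat/add":
        if f.get("chain") != "dstnat" or f.get("action") != "dst-nat":
            problems.append("expected chain=dstnat action=dst-nat")
        target = f.get("to-addresses")
        if target is None:
            problems.append("to-addresses is missing")
        else:
            try:
                if ipaddress.ip_address(target) not in lan_net:
                    problems.append(f"to-addresses {target} is outside LAN {lan_net}")
            except ValueError:
                problems.append("to-addresses must be a single IPv4 address")
        # A rule with neither dst-port nor dst-address redirects every WAN connection.
        if "dst-port" not in f and "dst-address" not in f:
            problems.append("rule matches all WAN traffic: add dst-port or dst-address")
        if "dst-port" in f and f.get("protocol") not in ("tcp", "udp"):
            problems.append("dst-port requires protocol=tcp or protocol=udp")
    else:
        problems.append(f"unexpected command {path}")
    return problems


def check_commands(lines):
    """Map each command line to its list of problems."""
    return {line: check_command(line) for line in lines}
```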