Network Address Translation (NAT) and port forwarding are fundamental techniques used in network management to facilitate communication between devices within a private network and the external internet. These methods are particularly crucial for enhancing security, managing public IP usage, and enabling the seamless operation of services hosted behind a firewall.
Port forwarding
Port forwarding is a vital feature of the EnGenius Cloud Gateway, enabling external users to access services on your private network. This feature directs traffic coming to specific TCP or UDP ports on the internet-facing interface of the gateway to designated internal IP addresses. Port forwarding is particularly beneficial for networks without a pool of public IP addresses, as it allows multiple servers to be accessible from a single public IP address.
Figure: Example of port forwarding configuration
Figure: Illustration of port forwarding configuration
Configuring Port Forwarding
Access the Gateway’s Configuration Interface
Log into your EnGenius Cloud account and navigate to the 'Configure/Gateway/Firewall' section.
Navigate to the Port Forwarding Section
Within the Firewall configuration page, select the Port Forwarding tab.
Configure Port Forwarding Rules
Add a New Rule: Start by adding a new port forwarding rule. This usually involves specifying the external port that will receive incoming traffic on the gateway’s public IP address.
Specify Internal IP and Port: Enter the internal IP address of the device that should receive the forwarded traffic, along with the port number on which the internal device is set to listen.
Select Protocol: Choose whether the rule applies to TCP or UDP protocols, depending on the requirements of the service you are forwarding to.
Apply Changes: Save or apply the changes to activate the port forwarding rule.
Figure: Add Port Forwarding rule
Repeat for Multiple Services
If you need to forward different ports to different internal IP addresses, repeat the process for each service. This setup allows multiple applications or servers (like web servers, game servers, or file servers) to be accessible from the same public IP address but on different specified ports.
Test and Verify Connectivity
Use tools like port checkers or direct service access attempts to verify that the setup works as expected. After setting up your port forwarding rules, it’s essential to test each service from an external network to ensure that the traffic is correctly directed to the right internal devices.
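The following script is an added example of the external check described above; it is not part of the EnGenius documentation. It attempts a TCP handshake against each forwarded public port from wherever it is run, so it must be executed from outside the gateway's LAN (hairpin traffic takes a different path, see "Hairpin Routing" below). The host name and ports on the command line are whatever you supply; the local listener helper exists only so the script can prove itself offline. UDP forwards cannot be verified this way because there is no handshake to observe.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake with host:port completes before the timeout.

    False means the forward is missing, the internal service is not listening,
    or the rule's Allowed remote IP list excludes the machine running this check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def check_forwards(host: str, ports, timeout: float = 3.0) -> dict:
    """Check several public ports in parallel; returns {port: reachable}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=min(16, max(1, len(ports)))) as pool:
        results = pool.map(lambda p: check_tcp_port(host, p, timeout), ports)
        return dict(zip(ports, results))


def open_local_listener():
    """Helper for an offline self-test only: a listening socket on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage (run from an external network): python check_forwards.py <public-ip> 50000 443 8000
    if len(sys.argv) < 3:
        srv, port = open_local_listener()  # no arguments: demonstrate against a local listener
        print(f"self-test 127.0.0.1:{port} -> {check_tcp_port('127.0.0.1', port)}")
        srv.close()
    else:
        host, *ports = sys.argv[1:]
        for port, ok in check_forwards(host, map(int, ports)).items():
            print(f"{host}:{port} {'open' if ok else 'closed/filtered'}")
```

A port that reports closed from one external address but open from another usually points at the Allowed remote IP list rather than at the forward itself.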
Ports can be specified individually or as a range.
Port ranges must be written with a hyphen; comma-separated lists are not allowed.
When mapping a range of public ports to a range of local ports, the ranges must be of equal length.
For example, public ports 8000-8300 must be mapped to local ports 8000-8300.
It is not possible to forward a single TCP or UDP port to multiple LAN devices using port forwarding.
Additional Considerations
If a port forward is configured for UDP ports 500 or 4500 to a specific server, the ESG will redirect all non-EnGenius site-to-site and L2TP/IPsec client VPN traffic to the LAN IP specified in the port forward.
EnGenius SecuPoint SSL VPN client, which utilizes TCP port 443, may experience similar issues. Traffic intended for the SSL VPN client will be rerouted to the LAN IP specified in the port forward, potentially disrupting the VPN connection.
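The validator below is an added example that encodes the port forwarding constraints listed above (single port or hyphenated range, no comma lists, equal-length ranges, one LAN device per public port and protocol) and flags rules that would capture the VPN traffic described under Additional Considerations. It is not EnGenius code and does not talk to the cloud API; the PortForwardRule fields and the sample addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForwardRule:
    protocol: str      # "TCP" or "UDP"
    public_ports: str  # "8080" or "8000-8300" (hyphenated range only)
    local_ip: str
    local_ports: str


_PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

# Ports the page says the gateway itself uses for VPN services (constructed labels).
VPN_PORTS = {
    ("UDP", 500): "IKE (non-EnGenius site-to-site and L2TP/IPsec client VPN)",
    ("UDP", 4500): "IPsec NAT-T (non-EnGenius site-to-site and L2TP/IPsec client VPN)",
    ("TCP", 443): "SecuPoint SSL VPN client",
}


def parse_port_spec(spec: str) -> tuple:
    """Parse 'N' or 'N-M' into (low, high); reject comma lists and bad numbers."""
    if "," in spec:
        raise ValueError(f"comma-separated lists are not allowed: {spec!r}")
    m = _PORT_SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"port must be N or N-M: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (1 <= low <= 65535 and 1 <= high <= 65535):
        raise ValueError(f"port out of range 1-65535: {spec!r}")
    if low > high:
        raise ValueError(f"range start exceeds end: {spec!r}")
    return low, high


def validate_rule(rule: PortForwardRule) -> tuple:
    """Return (public_range, local_range) or raise ValueError describing the defect."""
    if rule.protocol.upper() not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {rule.protocol!r}")
    pub = parse_port_spec(rule.public_ports)
    loc = parse_port_spec(rule.local_ports)
    if pub[1] - pub[0] != loc[1] - loc[0]:
        raise ValueError(
            f"public range {rule.public_ports} and local range {rule.local_ports} differ in length")
    return pub, loc


def validate_ruleset(rules) -> list:
    """Return a list of problems for the whole set; an empty list means it is acceptable."""
    problems = []
    owner = {}  # (protocol, public port) -> LAN IP that already receives it
    for rule in rules:
        try:
            pub, _ = validate_rule(rule)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        for port in range(pub[0], pub[1] + 1):
            key = (rule.protocol.upper(), port)
            if key in owner and owner[key] != rule.local_ip:
                problems.append(
                    f"{key[0]} public port {port} already forwards to {owner[key]}; "
                    f"it cannot also forward to {rule.local_ip}")
            else:
                owner[key] = rule.local_ip
    return problems


def vpn_conflicts(rules) -> list:
    """Warn about forwards that would redirect the gateway's own VPN traffic."""
    warnings = []
    for rule in rules:
        try:
            pub, _ = validate_rule(rule)
        except ValueError:
            continue  # already reported by validate_ruleset
        for (proto, port), service in VPN_PORTS.items():
            if rule.protocol.upper() == proto and pub[0] <= port <= pub[1]:
                warnings.append(f"{proto} {port} -> {rule.local_ip} will also capture {service} traffic")
    return warnings


if __name__ == "__main__":
    sample = [  # constructed sample rules
        PortForwardRule("TCP", "8000-8300", "192.168.1.10", "8000-8300"),
        PortForwardRule("TCP", "443", "192.168.1.20", "443"),
        PortForwardRule("UDP", "500", "192.168.1.30", "500"),
    ]
    for line in validate_ruleset(sample) + vpn_conflicts(sample):
        print(line)
```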
1:1 NAT
1:1 NAT (Network Address Translation) is a method used to map one public IP address to one private IP address. It is ideal for users with multiple public IP addresses and several servers behind a firewall, such as multiple web and mail servers. This section will guide you through setting up 1:1 NAT on an EnGenius Cloud Gateway. This setup allows for efficient traffic management and provides each server with its dedicated access route.
Comment
1:1 NAT is particularly useful for networks where multiple servers need to be accessible externally without sharing a single IP address. It ensures that each server has a unique public address, which can be critical for applications that require specific IP reputation management, such as email servers.
Figure: Example of 1:1 NAT configuration
Figure: Illustration of 1:1 NAT configuration
Configuring 1:1 NAT
Access the Gateway Management Interface
Sign in to your EnGenius Cloud account and navigate to the 'Configure/Gateway/Firewall' section.
Navigate to the 1:1 NAT Settings
Within the Firewall configuration page, select the 1:1 NAT tab.
Configure 1:1 NAT Rules
Choose a Public IP Address: Select a public IP address from your available pool that does not belong to the gateway’s WAN interfaces. This IP address should be routed to your gateway by your ISP, potentially from a different subnet.
Map to an Internal IP Address: Assign this public IP address to a specific internal IP address of a server behind your firewall.
Configure Port Forwarding (Optional): Within each 1:1 NAT rule, you can also specify which ports are to be forwarded to the internal IP. You may enter a range of ports or a comma-separated list of individual ports depending on your needs.
Apply and Save the Configuration
After setting up your 1:1 NAT rules, make sure to save and apply the changes. This will activate the mappings and start routing traffic accordingly.
Test the Configuration
Verify that the public IP addresses correctly redirect to their respective internal IP addresses. Test access to the services hosted on the servers, such as accessing a web server via its new public IP or sending emails from a mail server.
Additional Considerations
1:1 NAT and Multiple Uplinks
If the ESG primary uplink is not the same as the 1:1 NAT uplink, outbound traffic from the 1:1 NAT LAN device will, by default, egress out of the ESG primary uplink. To prevent asymmetric routing, a policy-based route can be set to ensure that traffic egresses from the same uplink configured for the 1:1 NAT.
Example:
ESG primary uplink is WAN 1
1:1 NAT maps to WAN 2 Uplink
You want all outbound internet traffic sourced from 1:1 NAT LAN device to use WAN 2
Figure: 1:1 NAT maps to WAN 2 Uplink
1:1 NAT and WAN Load Balancing
If the ESG is configured to load balance traffic across multiple WAN interfaces, outbound traffic from the 1:1 NAT LAN device will, by default, egress out of both WAN interfaces. To prevent asymmetric routing, a policy-based route can be created, as shown in the example above.
Hairpin Routing
Traffic originating from the LAN of the ESG and directed towards the public IP configured in the port forwarding/1:1 NAT section will be directed to the private IP address linked with the specified mapping.
During this process, the ESG will receive the packet on the LAN and modify the IPv4 header. The modified header will originate from the ESG's IP/MAC address or the layer 3 interface where the destination client is located. Additionally, it will be directed towards the private IP/MAC address of the client associated with the 1:1 NAT mapping.
Example Configurations
Basic Security Configuration
A simple yet insecure 1:1 NAT configuration may forward all traffic directly to the internal client. While this setup can be quickly implemented in urgent situations, it is not recommended due to security concerns. When all ports are indiscriminately forwarded to a client, it exposes the internal server to potential attacks. Attackers leveraging port scanning techniques can exploit vulnerabilities in services or gain unauthorized access to the internal network.
Figure: Example of basic security configuration
Figure: Illustration of basic security configuration
Advanced Security Configuration
For a more sophisticated and secure setup, multiple rules should be established, leveraging a secondary uplink to ensure redundancy for the web server. In the event of one uplink failure, the secondary connection remains operational, ensuring continued remote access to the internal server. Additionally, 1:1 NAT rules must be configured to limit access to specific services, such as RDP (TCP/UDP 3389), by restricting access to designated remote IP addresses.
Figure: Example of Advanced security configuration
Figure: Illustration of advanced security configuration
Best Practices for 1:1 NAT
Security Measures: Since each server will be exposed to the internet with its public IP, ensure robust security practices are in place, including firewalls, updated software, and intrusion detection systems.
IP Address Management: Keep a clear record of which public IPs are mapped to which internal IPs to avoid conflicts and to streamline troubleshooting and network management.
Regular Monitoring: Regularly monitor traffic and logs to ensure that the NAT mappings are functioning correctly and to detect any potential security breaches.
Blocking Inbound Traffic
When configuring a network firewall with EnGenius ESG Security Gateways, it's essential to consider the direction of traffic. Outbound traffic, such as users browsing the internet, is initiated by internal network users. Inbound traffic, on the other hand, involves external sources attempting to connect to the network. These scenarios are managed differently because, generally, internal users can be trusted more than external internet connections. Controlling outbound traffic is straightforward: create an allow rule using the Layer 3 Firewall. This rule impacts 1:1 NAT, Port Forwarding, and standard WAN traffic. More details about the outbound firewall feature are available in the Firewall Rules section. Inbound firewall control, however, operates differently.
The inbound firewall denies any traffic that does not have a session initiated by a client behind the ESG. This setup allows internal client machines to connect with necessary resources but prevents external devices from initiating connections with internal client machines.
For instance, consider PC, located on the internet, and Server, located within the ESG's LAN. If PC attempts to send traffic to Server, the ESG will check for an existing session/connection between PC and Server.
If an existing session is found, the traffic is allowed through.
If no existing session is found, the traffic is dropped.
The inbound firewall's ability to track existing connections makes it a stateful firewall. Both inbound and outbound firewalls on the ESG are stateful.
Both Port Forwarding and 1:1 NAT include a section for Allowed remote IP, which controls which external addresses can initiate connections. Addresses specified here can connect through the designated public ports. The Any keyword grants access to any address, or multiple addresses can be listed if separated by commas. By specifying which addresses should communicate with internal nodes, unsolicited connections are prevented.
Example: Port Forwarding and 1:1 NAT Rules
Below is an example of both Port Forwarding and 1:1 NAT rules:
Figure: Port Forwarding
Figure: 1:1 NAT
Traffic Flow Using a Port Forwarding Rule
Using the port forwarding rule above, suppose PC attempts to connect to the ESG's WAN IP on TCP port 50000.
Figure: Dual WAN for load balance and failover
Traffic Initiation: PC initiates traffic to ESG on TCP port 50000.
Rule Check: The ESG checks if the packet matches any forwarding rules. If no match is found, the traffic is dropped. If a match is found, it is allowed.
In this example, the inbound traffic is allowed because it meets the port forwarding rule criteria:
Protocol is TCP
Public port used is 50000
Source IP is 100.1.1.1
Traffic from this IP address is allowed due to the Any rule in the Allowed remote IP section.
It's recommended to restrict the IP addresses allowed to use a port forwarding and/or 1:1 NAT rule to prevent unsolicited connections.
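The model below is an added example, not EnGenius code, that walks through the inbound decision described in this section: a packet that belongs to a session a LAN client initiated is allowed; otherwise it must match a forwarding rule whose Allowed remote IP admits the source, and everything else is dropped. The WAN address 203.0.113.1 and the LAN addresses are constructed; the source 100.1.1.1 is the one used in the text. Two simplifications are assumptions: the translated WAN source port of an outbound connection is taken to equal the LAN source port, and Allowed remote IP entries may be CIDR networks as well as the single addresses the page describes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ForwardRule:
    """One port forwarding rule (or a single-port 1:1 NAT rule) with its Allowed remote IP."""
    proto: str
    public_port: int
    lan_ip: str
    lan_port: int
    allowed_remote_ip: str = "Any"  # "Any" or a comma-separated list of addresses/networks

    def remote_allowed(self, ip: str) -> bool:
        if self.allowed_remote_ip.strip().lower() == "any":
            return True
        addr = ipaddress.ip_address(ip)
        for entry in self.allowed_remote_ip.split(","):
            entry = entry.strip()
            if entry and addr in ipaddress.ip_network(entry, strict=False):
                return True
        return False


class InboundFirewall:
    """Stateful inbound filter: session replies pass, then forwarding rules, then drop."""

    def __init__(self, wan_ip: str, rules):
        self.wan_ip = wan_ip
        self.rules = list(rules)
        # (proto, remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        # Assumption: the WAN port of an outbound flow equals the LAN source port.
        self.sessions = {}

    def outbound(self, pkt: Packet) -> str:
        """A LAN client initiates a connection; record it so its replies are admitted."""
        self.sessions[(pkt.proto.upper(), pkt.dst_ip, pkt.dst_port, pkt.src_port)] = (
            pkt.src_ip, pkt.src_port)
        return "allow"

    def inbound(self, pkt: Packet) -> tuple:
        """Return ("allow", lan_ip, lan_port) or ("drop", None, None)."""
        if pkt.dst_ip != self.wan_ip:
            return ("drop", None, None)
        key = (pkt.proto.upper(), pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.sessions:  # existing session found: traffic is allowed through
            lan_ip, lan_port = self.sessions[key]
            return ("allow", lan_ip, lan_port)
        for rule in self.rules:   # no session: the packet must match a forwarding rule
            if (rule.proto.upper() == pkt.proto.upper()
                    and rule.public_port == pkt.dst_port
                    and rule.remote_allowed(pkt.src_ip)):
                self.sessions[key] = (rule.lan_ip, rule.lan_port)  # track the new flow
                return ("allow", rule.lan_ip, rule.lan_port)
        return ("drop", None, None)  # no session and no matching rule


if __name__ == "__main__":
    fw = InboundFirewall("203.0.113.1", [
        ForwardRule("TCP", 50000, "192.168.1.20", 50000, "Any"),
        ForwardRule("TCP", 3389, "192.168.1.30", 3389, "198.51.100.7"),
    ])
    print(fw.inbound(Packet("TCP", "100.1.1.1", 40000, "203.0.113.1", 50000)))  # allowed by Any rule
    print(fw.inbound(Packet("TCP", "100.1.1.1", 40000, "203.0.113.1", 3389)))   # dropped: not allowed
```

Replacing the Any entry on the first rule with the addresses that actually need the service turns the first call into a drop for every other source, which is the restriction the text recommends.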
Conclusion
Restricting inbound access is crucial for enhancing network security. By limiting inbound connections or controlling outbound replies, unwanted traffic can be minimized, thereby protecting the network from potential threats.