0

I'm trying to set up port forwarding for my NAS server for remote access from outside. I've set up Wireguard on my unRAID server and it shows this message:

Remark: configure your router with port forwarding of port 51820/UDP to 192.168.1.7:51820

My router has no option for static device IPs, at the moment my NAS has the local IP address 192.168.1.7.

My router is quite old and has no dedicated page for port forwarding. It does however have a page for setting up port filters / IP filters, it's a form with the following fields: (I've filled a few of them)

filter name:          Tower
protocol:             UDP
source IP Addr.:      ______
end source IP Addr.:  ______
source port:          51820
end source port:      51820
dest. IP Addr.:       ______
end dest. IP Addr.:   ______
dest. port:           51820
end dest. port:       51820

There are 2 separate IP filter pages for inbound and outbound connections respectively. If I wanted to forward the port on my NAS...

  1. Should I configure the inbound or outbound port filters?
  2. What should the "source IP address" and "dest IP address" be set to? I assume the destination address should be set to the router's IP address, but should I be using the public IP address or just 192.168.1.1?

2 Answers

0

If you are able to leave source IP blank, then do so; if you are not, try 0.0.0.0 in source IP Addr, or if it wants both fields completed, enter 0.0.0.0 in both.

In dest IP enter 192.168.1.7; if it requires both fields filled in, then enter 192.168.1.7 twice.

You want to have this set up as an inbound filter. Any outbound connections will automatically have NAT applied, and the router will track the connection, allowing for return packets to be forwarded on their own. You need the filter for inbound NEW sessions.

Note: The 0.0.0.0 means any source IP. For better security, if you know the public IP of the location you will be connecting from, it is best to enter that IP in the src address.

If you do use 0.0.0.0, make sure you keep your NAS updated with the latest security updates, and that you have strong passwords in place and no default users/passwords enabled on your NAS. Otherwise it will be just a matter of time before you are hacked.

0

How do you port forward using IP filtering rules?

You don't. The core of "port forwarding" is not just packet filtering, it's packet rewriting (address translation), which needs a NAT rule – cannot be achieved with only a filter rule.

(The term 'port forwarding' is a bit of a misnomer; a router already forwards packets while 'port forwarding' alters them.)

It's rare for a home router to be able to do outbound NAT but not inbound port-forwarding; more likely that it's either called something different – some manufacturers call it "Virtual Server" – or the functionality was deliberately hidden in the ISP-branded firmware.

Should I configure the inbound or outbound port filters?

Neither (see above), but if it were the right type of rule, then usually you would only need inbound.

Most home routers have a stateful firewall, where the only filter rule you need depends on the direction of the first packet (i.e. inbound, in your case); all other packets belonging to the same connection will be implicitly allowed in both directions.

(On top of that, most home routers allow everything outbound by default anyway, so only an inbound filter rule does anything useful – unless you've deliberately set up strict outbound filtering, which it doesn't sound like you have.)

What should the "source IP address" and "dest IP address" be set to?

"Source IP address" should stay blank, to accept packets from all sources. If it can't be blank, then 0.0.0.0–255.255.255.255 would have the same effect.

Similarly, "Source port" should remain blank, to accept any source port (it is not the same as the destination port; rather, usually the client-side port number is chosen randomly). If it can't be blank, then 1–65535 would allow all source ports.

I assume the destination address should be set to the router's IP address, but should I be using the public IP address or just 192.168.1.1?

This is not fully answerable, because a filter rule isn't the right type of rule to begin with, and a NAT rule would have two such fields: "original/match destination" and "new destination".

For a NAT rule, the "original" destination IP field would be the router's public IP address, because that's what is on the actual inbound packets; the "forward to" field would be the NAS address.

(That being said, for filter rules, the same idea applies – you use what's on the actual packets. Though NAT complicates things, as it is usually done before filtering; so packets arriving from Internet at the router will have its public IP address as their destination, but if there's a port-forwarding rule, then the packets will actually have the NAS address on them, not the router's anymore.)


Obligatory for 2023: Make sure your router's public IP address is, in fact, still public. (That is, make sure you're not behind CGNAT.) Look at the address reported by the router itself (not by a website) and make sure it's neither from any of the usual private IP ranges, nor from the 100.64.0.0/10 (CGNAT) range.
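
Added example, not part of either answer: a small Python model of the two checks described above, namely whether the router's reported WAN address is public, private or CGNAT, and what an inbound filter rule sees when NAT runs before filtering. The WAN and client addresses, the client port and the function names are constructed for illustration; only 192.168.1.7, port 51820/UDP and 100.64.0.0/10 come from the page.

```python
import ipaddress
from dataclasses import dataclass, replace

CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wan_address_kind(addr):
    """Classify the WAN address the router itself reports (not a website)."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"      # ISP-side NAT: inbound forwarding cannot work
    if any(ip in net for net in RFC1918):
        return "private"    # another NAT device sits upstream
    return "public"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def inbound(pkt, wan_ip, dnat, allow):
    """Model of the order described above: DNAT first, then the inbound filter.

    dnat:  {(proto, dport): (new_dst, new_dport)}, matched on the WAN address
    allow: set of (proto, dst, dport) filter rules; source IP and port left open
    Returns (verdict, packet as the filter saw it).
    """
    if pkt.dst == wan_ip and (pkt.proto, pkt.dport) in dnat:
        new_dst, new_dport = dnat[(pkt.proto, pkt.dport)]
        pkt = replace(pkt, dst=new_dst, dport=new_dport)  # the rewrite step
    if pkt.dst == wan_ip:
        return "local", pkt      # still addressed to the router, never reaches the NAS
    if (pkt.proto, pkt.dst, pkt.dport) in allow:
        return "forwarded", pkt
    return "dropped", pkt

# Constructed sample values (documentation address ranges, random client port).
WAN, NAS = "203.0.113.10", "192.168.1.7"
handshake = Packet("udp", "198.51.100.23", 40712, WAN, 51820)
DNAT = {("udp", 51820): (NAS, 51820)}
FILTER = {("udp", NAS, 51820)}

if __name__ == "__main__":
    print(wan_address_kind("100.72.14.9"))
    print(inbound(handshake, WAN, {}, FILTER)[0])      # filter rule only
    print(inbound(handshake, WAN, DNAT, FILTER)[0])    # NAT rule + filter on NAS address
    print(inbound(handshake, WAN, DNAT, {("udp", WAN, 51820)})[0])
```

The last call shows why a filter written against the router's public address stops matching once a port-forwarding rule exists: by the time the filter runs, the packet already carries the NAS address.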
