Port Forwarding FAQs

From Edge Threat Management Wiki - Arista

Can I specify multiple ports/IPs in one rule?

Absolutely. You can use comma-separated values or hyphen-separated ranges. In the case of IPs you can even use CIDR notation to cover a network space. Keep in mind though that Linux limits rules to a maximum of 15 unique values per rule, and that hyphen-separated values count as two values.

My port forward isn't working. Why?

Follow the Port Forward Troubleshooting Guide to see if you can discover the issue.

I set up a port forward for HTTPS (port 443) and it is not working. Why?

Untangle and many of its applications use port 443 themselves. In order to forward port 443 to another server, you need to move Untangle's own services off port 443 to a different port. This can be done in Config > Network > Services.


I set up a port forward to my FTP server and it is working, but transfers fail. Why?

FTP uses multiple connections. If you set up a port forward for the control session (port 21), you must also set up a port forward for the data transfer sessions. You can do this in multiple ways.

  1. Configure your server to use a fixed range of passive ports for transfers (e.g. 10000-20000) and configure Untangle to forward all of these ports to the FTP server.
  2. Use 1:1 NAT.
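The two answers above both come down to how many values a single rule's port list consumes. The following is an added example, not Untangle code: a small validator that counts the values in a comma-separated port spec the way the text describes (a single port is one value, a hyphenated range is two, at most 15 per rule), and parses an IP spec that may use CIDR. The 15-value limit and the counting rule are taken from the FAQ above; the function names are assumptions.

```python
import ipaddress

# Limit stated in the FAQ above (Linux multiport matching): 15 values per rule.
MAX_VALUES_PER_RULE = 15


def count_port_values(spec: str) -> int:
    """Return how many rule slots a comma-separated port spec uses.

    A single port counts as one value; a hyphenated range counts as two.
    Raises ValueError on malformed or out-of-range entries.
    """
    total = 0
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        if "-" in item:
            low, high = (int(p) for p in item.split("-", 1))
            if not (1 <= low <= high <= 65535):
                raise ValueError(f"bad port range: {item}")
            total += 2
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            total += 1
    return total


def port_spec_fits_rule(spec: str) -> bool:
    """True if the whole spec fits in one rule under the 15-value limit."""
    return count_port_values(spec) <= MAX_VALUES_PER_RULE


def parse_ip_spec(spec: str) -> list:
    """Parse comma-separated IPs, CIDR blocks, or a-b IP ranges.

    Returns a list of ipaddress networks / (start, end) address tuples.
    """
    parsed = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            start, end = (ipaddress.ip_address(p) for p in item.split("-", 1))
            parsed.append((start, end))
        else:
            parsed.append(ipaddress.ip_network(item, strict=False))  # host or CIDR
    return parsed


if __name__ == "__main__":
    # FTP control port plus a passive range (constructed sample) uses 3 values.
    print(count_port_values("21,10000-20000"))  # 3
```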

Can I port forward traffic destined to a specific hostname like 'mywebserver.com' to a specific server?

No. Packets are destined to IPs, not hostnames. When the first packet of a new session arrives from 1.2.3.4 port 1234 to 5.6.7.8 port 5678, the port forward rules must decide if and where to forward that session based only on the information present in that packet. If the session is forwarded, and it is an HTTP or HTTPS session that later connects successfully, the client may then request "mywebserver.com/index.html". At that point the hostname is known in theory, but the port forward rules had to decide where to send the session long before that. Port forward rules cannot see into the future and know which hostname the client will request at the moment the client is initiating the session.

However, this can be accomplished for HTTP and HTTPS traffic by using Apache as a reverse proxy. The reverse proxy accepts all HTTP requests, forwards/proxies each one based on the information in the request (such as the hostname), and proxies all responses from the final server back to the client.

Does Untangle support 1:1 (One to One) NAT?

Yes. Read more about how to set up 1:1 NAT.


What is "Destined Local"?

Destined Local is a flag for port forward rules. It matches traffic destined to the local Untangle machine itself, that is, to any one of its own IPs. This flag is usually used when you want to redirect a port on the Untangle server (on all of its IPs) to another server.