Port Forward & NAT

NAT and Reverse Proxy

The CyberEdge supports port forwarding (destination NAT), 1:1 NAT, and reverse proxy, each serving distinct purposes based on the desired outcome. Port forwarding redirects traffic from a specific external IP address and port to a designated internal IP address and port, allowing external access to specific services within a private network. 1:1 NAT creates a direct one-to-one mapping between an external and internal IP address, forwarding all ports to the internal IP, which is ideal for exposing entire devices to the internet. The reverse proxy functions as an intermediary, forwarding client requests to backend servers. Traffic is evaluated sequentially in the following order: DNAT, 1:1, and reverse proxy.

Port Forward (Destination NAT)

Port forwarding (Destination NAT) is a network configuration technique that directs incoming internet traffic to a specific internal IP address and port within a local network. It enables external devices to connect to services hosted on private networks, such as web servers and applications, by mapping an external port to an internal port. This technique is commonly used to allow access to services behind a router or firewall. To configure a Port Forward Rule, navigate to:

  1. Routing > NAT > Add next to Port Forwarding Rules
  2. Configure the Port Forward Rule
    • Automatic Firewall Rule: By default, automatic firewall rules will be created to allow the traffic for the Port Forward. The automatic rules can be disabled and replaced with custom Access Policies
    • Name: The name of the Port Forward
    • Description: A short description of the port forward you are creating
    • Protocol: The protocol of the traffic being forwarded (TCP, UDP or TCP/UDP)
    • Source IPs: The source IP address(es) allowed to access this rule. This field requires a standard IPv4 CIDR format.
    • Destination Connections: Select the destination connection the rule will be listening on. Using this option will open the port forward on any IP address associated with that connection.
    • Destination IPs: The destination IP for the rule. This field requires a standard IPv4 CIDR format.
    • Destination Port Ranges: Specify the port(s) you wish to use in the rule.
    • Target IP: The target IP of the host you are port forwarding to. This field requires a standard IPv4 CIDR format.
    • Target Port Ranges: Specify the port(s) you wish to use in the rule.
    • Log Events: This will log all connections that match the rule. By default, this is left off as it will cause additional logging that may not be necessary. We only recommend enabling logging for testing purposes.
  3. Click “Save”
  4. Click “Save changes ready to apply”
  5. Click “Applies all pending changes” > “Apply Changes”

Info

  1. Destination Connections and Destination IPs are interchangeable: you can use one, the other, or both. If you use both, treat them as an AND rule (e.g. traffic must match connection X and IP address Y).
  2. Destination and Target ports should always match. If you wish to translate from one port to another (e.g. 389 to 11389), then the port forward should be created in a separate rule.

1:1 NAT Rules

1:1 NAT (Network Address Translation) is a network configuration technique that maps a single external IP address to a single internal IP address. This method allows for direct access between the external and internal IP addresses, making it seem as though the internal device has the external IP. It is commonly used to enable external access to internal network resources, providing consistent and direct communication without the need for port forwarding. To configure a 1:1 NAT Rule, navigate to:

  1. Routing > NAT > Add next to 1:1 NAT Rules
  2. Configure the 1:1 NAT Rule
    • Automatic Firewall Rule: By default, this is switched on and will create an associated firewall rule to allow the traffic based on the 1:1 NAT. You can switch this off and create a custom firewall rule instead.
    • Name: The name of the 1:1 NAT
    • Description: A brief description of the rule you are creating
    • Source IPs: The source IP address(es) allowed to access this rule. This field requires a standard IPv4 CIDR format.
    • Destination IPs: The destination IP for the rule. This field requires a standard IPv4 CIDR format
    • Target IP: The target IP of the host you are NAT-ing to. This field requires a standard IPv4 CIDR format
    • Log Events: This will log all connections that match the rule. By default, this is left off as it will cause additional logging that may not be necessary. We only recommend enabling logging for testing purposes.
  3. Click “Save”
  4. Click “Save changes ready to apply”
  5. Click “Applies all pending changes” > “Apply Changes”

Warning

  • Utilizing the automatic firewall rule in a 1:1 NAT configuration will enable all ports between the destination IP and target IP. When implementing 1:1 NAT, it is advisable to restrict Source IPs to trusted networks. Additionally, you should consider creating custom firewall Access Policies to limit access to specific ports in the relevant zone.
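
The port-matching note under Port Forward and the 1:1 NAT warning above can both be checked against a written-down rule set before changes are applied. The following is an added example, not CyberEdge code or an export format: the dictionary keys, the `TRUSTED` allow-list and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Assumed allow-list of trusted source networks (a documentation range).
TRUSTED = [ipaddress.IPv4Network("198.51.100.0/24")]

# Constructed sample rules. The keys mirror the form fields on this page;
# they are hypothetical and not a CyberEdge export format.
RULES = [
    {"kind": "port_forward", "name": "ldap-in", "auto_fw": True,
     "source_ips": ["198.51.100.0/24"], "dest_ports": "389", "target_ports": "11389"},
    {"kind": "port_forward", "name": "web-in", "auto_fw": True,
     "source_ips": ["0.0.0.0/0"], "dest_ports": "443", "target_ports": "443"},
    {"kind": "one_to_one", "name": "camera", "auto_fw": True,
     "source_ips": ["0.0.0.0/0"]},
    {"kind": "one_to_one", "name": "partner", "auto_fw": True,
     "source_ips": ["198.51.100.7/32", "10.0.0.5"]},
    {"kind": "one_to_one", "name": "lab", "auto_fw": False,
     "source_ips": ["0.0.0.0/0"]},
]

def audit_rule(rule):
    """Return findings for one rule; an empty list means nothing to review."""
    findings, nets = [], []
    for entry in rule["source_ips"]:
        try:
            if "/" not in entry:
                raise ValueError("no prefix length")
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError:
            findings.append(f"source {entry} is not IPv4 CIDR")
    if rule["kind"] == "port_forward" and rule["dest_ports"] != rule["target_ports"]:
        findings.append("destination and target ports differ")
    if rule["kind"] == "one_to_one" and rule["auto_fw"]:
        # The automatic rule allows every port, so Source IPs is the only filter.
        for net in nets:
            if not any(net.subnet_of(t) for t in TRUSTED):
                findings.append(f"all ports open to untrusted source {net}")
    return findings

def audit(rules):
    """Map rule name to findings, omitting rules that have none."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}

if __name__ == "__main__":
    print(audit(RULES))
```

The `lab` rule is not flagged because its automatic firewall rule is off, which this sketch takes to mean custom Access Policies restrict the ports.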

Reverse Proxy Rules

A reverse proxy is a server that functions as an intermediary between client devices and backend servers. It intercepts client requests, forwards them to the appropriate backend server, and then returns the server's response to the clients. Reverse proxies improve security, load balancing, and performance by distributing client requests across multiple backend servers, hiding the backend infrastructure, and caching content to speed up response times. It is recommended to use a reverse proxy when serving internal web servers and applications to external clients.

Prior to configuring a Reverse Proxy rule, the following prerequisites must be considered:

  1. DNS Resolution of Private URL: To correctly proxy traffic to the Private URL, CyberEdge must be able to resolve the Private URL to your internal webserver. The recommended method for achieving this is by using a Local DNS Forward Zone
  2. Certificate: You must provide an SSL Certificate associated with the URL/Domain used for the Public URL

To configure a Reverse Proxy Rule, navigate to:

  1. Routing > NAT > Add next to Reverse Proxy Rule
  2. Configure the Reverse Proxy Rule 
    • Name: The name of the rule 
    • Description: A brief description of the rule you are creating 
    • Source IPs: The source IP address(es) allowed to access this rule. This field requires a standard IPv4 CIDR format.
    • Destination Connections: Select the destination connection the rule will be listening on. 
    • Destination IPs: The destination IP for this rule. This field requires a standard IPv4 CIDR format
    • Public URL: The external URL to be proxied
    • Private URL: The internal URL where the traffic will be sent
    • Certificate: The certificate to be presented on the external URL 
    • TLS Version: Select which TLS versions to be supported by this rule 
    • HTTPS redirect: This will force any HTTP traffic to be redirected to HTTPS 
    • Log Events: This will log all connections that match the rule. By default, this is left off as it will cause additional logging that may not be necessary. We only recommend enabling logging for testing purposes
  3. Click “Save” 
  4. Click “Save changes ready to apply” 
  5. Click “Applies all pending changes” > “Apply Changes”