Firewall rules add finer-grained control over what is allowed to be forwarded across interfaces, and over which packets are allowed as input to and output from the router.
The firewall can collect interfaces into zones to filter traffic logically. A zone can be configured to any set of interfaces. This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:
For a rule about a packet originating in a zone, the packet must be entering the router on one of the zone's interfaces.
For a rule about a packet being forwarded to a zone, the packet must be exiting the router on one of the zone's interfaces.
After accessing the router, go to Firewall to enter the Firewall - Zone Settings. The SYN-flood protection is enabled by default. You can use the default firewall zone settings below in most conditions.
Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another. Port forwarding allows remote computers to connect to the outdoor router within a private local-area network (LAN).
Log in to the router, go to
➀ Under the tab of General Settings, change forward to
➁ In the Zones section, change the Forward on the row of WAN from
Click the Save & Apply button in the bottom right corner.
Note: When port forwarding to certain devices, please enable "Masquerading" and "MSS Clamping" for the LAN zone under the firewall general rules.
Click the Port Forwards tab to enter the configuration section. In the New port forward section:
Name : Enter the reference name. e.g.,
Protocol: Select from
📌 If you don't know the protocol, please choose TCP+UDP. If you know whether it is TCP or UDP, please select that protocol; this can effectively reduce resource consumption.
External zone : Select
External port : Set the port number you want to access from the external network
📌 We suggest selecting a WAN port between 1025~25534. Do not use the standard ports occupied by other services, such as 23, 80, 433, 3389, 7700, 10080, etc.
Internal zone : Select
Internal IP Address : Select from the list of connected intranet hosts
📌 If you cannot find the host in the list, please recheck the IP settings on the host.
Internal port : Choose the port number on the intranet host that needs to be forwarded
Click the Save & Apply button.
The example below forwards the local host 192.168.30.113:80 to WAN port 1180. You can access port 80 on the host 192.168.30.113 from the public IP address plus port number 1180. It is NOT accessible from the router's local IP, e.g. 192.168.30.1:1180.
NAT Loopback is turned on after a new port forward rule is saved. It allows intranet terminals to access local hosts by using the public IP address of the routed external network interface. To reduce the consumption of router resources, you can click the Edit button on the saved rule in the port forward list to disable it.
To access another host from the router IP address, we can set up intranet forwarding based on iptables. Go to the Custom Rules tab and add the new iptables rules. Below is example code to forward 192.168.30.113:80 to router IP 192.168.30.1:1180.
iptables -t nat -A PREROUTING -d 192.168.30.1 -p tcp --dport 1180 -j DNAT --to-destination 192.168.30.113:80
iptables -t nat -A POSTROUTING -d 192.168.30.113 -p tcp --dport 80 -j SNAT --to 192.168.30.1
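The SNAT rule above has no source match, so it rewrites every TCP connection to 192.168.30.113:80 that leaves the router, whatever its origin. The following is an added example, not part of the router's documentation: a shell helper that validates the addresses and ports, prints the same rule pair for review, and can optionally limit the SNAT rule to LAN clients. The function names and the 192.168.30.0/24 LAN subnet are assumptions.

```shell
#!/bin/sh
# Added example: prints the DNAT/SNAT pair for an intranet forward so it can
# be reviewed before pasting into Custom Rules. Function names are hypothetical.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split into octets (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    bits=${1##*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#bits}" -le 2 ] && [ "$bits" -le 32 ]
}

# hairpin_rules ROUTER_IP ROUTER_PORT HOST_IP HOST_PORT [LAN_CIDR]
# With LAN_CIDR, the SNAT rule only rewrites connections from LAN clients;
# without it, the output is the same rule pair shown on the page.
hairpin_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$3" || { echo "invalid IPv4 address" >&2; return 1; }
    valid_port "$2" && valid_port "$4" || { echo "invalid port" >&2; return 1; }
    src=""
    if [ -n "$5" ]; then
        valid_cidr "$5" || { echo "invalid LAN subnet" >&2; return 1; }
        src="-s $5 "
    fi
    echo "iptables -t nat -A PREROUTING -d $1 -p tcp --dport $2 -j DNAT --to-destination $3:$4"
    echo "iptables -t nat -A POSTROUTING ${src}-d $3 -p tcp --dport $4 -j SNAT --to $1"
}

# The page's example, with an assumed LAN subnet of 192.168.30.0/24.
hairpin_rules 192.168.30.1 1180 192.168.30.113 80 192.168.30.0/24
```

With the source match in place, connections that arrive through the WAN port forward reach the host with their original client address, which keeps the host's access logs usable.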
After accessing the router, go to Network > Firewall > Traffic Rules: Open port on router. You can add a new port on the router.
Name: Input name of the new port
Protocol: Choose from TCP or UDP
External port: The new port number
After entering the above parameters, click the Add button. Then click the Save & Apply button in the bottom right corner. You will find the new port in the Traffic Rules list.