In this article, users will learn how to forward ports on airOS.
Table of Contents
Most home routers have NAT (Network Address Translation) enabled. To access a service behind the router's NAT (LAN side), Port Forwards must be used (sometimes called Destination NAT). For example, if you choose not to enable remote accessibility for your UniFi Network application, and you are attempting to reach it from outside your network, you will need to use Port Forwarding.
In this example, we will be Port Forwarding TCP 8443 (GUI) and TCP 8080 (device inform) to a UniFi Network application behind an airRouter. In Router mode on the airRouter LAN = WAN Port and Bridge0 = your LAN. Depending on your model, this may be different. For the purposes of this article, the private IP address of the UniFi Network application will be 203.0.113.48.
Steps: Port Forwarding on airOS
1. Navigate to the Network tab of the airMAX device.
2. Under Port Forward, enter the port forwarding details. The minimum info required is:
- Private IP
- Private Port
- Public Port
Once you have entered these details, make sure to click Add and Change.
3. If you would like to restrict access to the port forward, you can also add a Source IP/CIDR subnet mask. For example, adding 192.0.2.1/32 to Source IP/Mask would allow only 192.0.2.1/32 to access the Port Forward.
4. Test your Work. Once all Port Forwards have been added and applied, you can test from outside your LAN. In this example, you would try to access https://203.0.113.48:8443 from another connection to verify the port forwarding was set successfully.
Still having trouble? Check the following:
- Verify the device IP and service are available on the LAN.
- Verify that the device has the correct default gateway/subnet if configured with a static IP. The gateway should be the airRouter IP in this example.
- Check that your router is getting a public IP address (not private RFC 1918).
- Some ISPs will block common service ports like http/80, https/443, smtp/25. If trying to forward one of these, please confirm with ISP and/or check with TCPDump to verify packets are hitting the router.
For this example, run this command:
tcpdump -i eth0 port 8443