UniFi - USG/UDM: Port Forwarding Configuration and Troubleshooting

With UniFi Network you can forward UDP and TCP ports to an internal LAN device using the Port Forwarding feature on the Dream Machine (UDM and UDM Pro) and USG models.

Requirements

  • Applicable to the latest firmware on all UDM and USG models.
  • The Port Forwarding feature is designed to only work on WAN1 on the USG models, but it can use both WAN1 and WAN2 on the UDM-Pro.
  • It is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule(s) to forward ports on the WAN2 interface on the USG models, see the section below.

Frequently Asked Questions (FAQ)

Do I need to manually create firewall rules for Port Forwarding?

No. When a Port Forwarding rule is created, the Internet In firewall rule that allows the forwarded traffic to reach the internal LAN device is created automatically, so it is not necessary to add firewall rules for the forwarded ports manually. Keep in mind that this rule exposes the forwarded port to every source permitted by the rule's From setting, which is the entire Internet by default.

Can I forward ports on the WAN2 interface of the UDM/USG?

It is possible to use the Port Forwarding feature on the WAN2 interface of the UDM-Pro. Navigate to Settings > Advanced Features > Advanced Gateway Settings and create a new port forwarding rule or modify an existing one.

Afterwards, you can select the WAN interface to be WAN1, WAN2 or both. The base UDM model only has a single WAN port.

On the USG models, it is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule to forward ports on the WAN2 interface, see the section below.

How does the Port Forwarding feature interact with UPnP?

Automatic entries created by UPnP take precedence over manually created Port Forwarding rules. Because UPnP lets any device on the LAN open inbound ports without administrator approval, a manual rule that stops working should be checked against the current UPnP entries; see Possible Cause #2 in the troubleshooting section below.

Do I need to manually configure Hairpin NAT?

No, Hairpin NAT is automatically enabled when configuring the Port Forwarding feature.

The exception is when configuring Destination NAT (DNAT) manually on the WAN2 port of the USG. In this case, you will also need to manually configure a Hairpin NAT entry for this DNAT rule.

Can I limit which remote devices are allowed to use the forwarded ports? 

Yes, by using the From option when creating or modifying a Port Forwarding rule. The default option, Anywhere, allows all remote clients to use the forwarded port.

My Port Forwarding rule does not work, what should I do?

See the troubleshooting section below for more details.

Configuring a Port Forwarding Rule

1. Navigate to Settings > Advanced Features > Advanced Gateway Settings and create new port forwarding.

2. Fill in the settings:

  • Name: webserver
  • Enable Forward Rule: turn this on when ready to activate this rule
  • Interface: WAN / WAN2 / Both (UDM Pro only)
  • From: Anywhere or Limited
  • Port: 443
  • Forward IP: 192.168.1.10
  • Forward Port: 443
  • Protocol: TCP
  • Logging: Optional

From: The clients on the Internet that are allowed to use the Port Forwarding rule. Set to Anywhere by default, meaning all hosts. It is possible to limit the allowed hosts by specifying an IP address (for example 198.51.100.1) or subnet range (for example 198.51.100.0/24). Restrict this to the addresses that actually need access whenever the remote clients are known; otherwise the forwarded service is reachable from the entire Internet.

Port: The WAN port that the clients on the Internet connect to, for example 443. This does not need to match the port used on the internal LAN host. You can forward TCP port 10443 to TCP port 443, for example.

Forward IP: The IP address used by the internal LAN host, for example 192.168.1.10. Give this host a static IP address or a DHCP reservation, otherwise the rule stops working as soon as the host receives a different address.

Forward Port: The port used by the internal LAN host, for example TCP port 443.


3. Apply the changes.

Note: On the USG models, it is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule to forward ports on the WAN2 interface, see the section below.

4. The firewall rule(s) needed for the new Port Forwarding rule you created are automatically added.

5. You can verify the automatically created rules in the Settings > Security > Internet Threat Management > Firewall > Internet section.


USG/USG-Pro: Forwarding Ports on WAN2 using Destination NAT

ATTENTION: This is an advanced configuration that requires creating and modifying the config.gateway.json file. See the UniFi - USG/USG-Pro: Advanced Configuration Using JSON article for more information on using the JSON file.

Follow the steps below to forward ports on the WAN2 interface of the USG models. It is necessary to manually create a Destination NAT (DNAT) rule using the Command Line Interface (CLI) and a custom Firewall Rule using the UniFi Network application. Afterwards, the config.gateway.json file needs to be created or updated to incorporate the custom configuration into UniFi Network.

1. Begin by navigating to the Settings > Security > Internet Threat Management > Firewall > Internet section, where the custom Firewall Rule and its Port Group will be created.

2. Create a new Firewall Port Group by clicking Create New Group.


3. Fill in the information and specify the port that needs to be allowed through the firewall (443 in this example) and apply changes.

  • Name: https
  • Type: Port Group
  • Port: 443


4. Navigate to Settings > Security > Internet Threat Management > Firewall > Internet and create new rule.

5. Fill in the information, selecting the previously created Port Group and apply changes.

  • General
    • Type: Internet In
    • Description: webserver
    • Enabled: turned on when ready to take this rule live
    • Rule Applied: After (after predefined rules)
    • Action: Accept
    • IPv4 Protocol: TCP
    • Match all protocols except for this: disabled
  • Source: Optional
  • Destination
    • Destination Type: Address/Port Group
    • IPv4 Address Group: Any
    • Port Group: https (select from any previously created firewall port groups)
  • Advanced: Optional


6. The next step is to access the USG using the Command Line Interface (CLI) and add a custom Destination NAT (DNAT) rule. SSH access to your devices must be enabled within Settings > System Settings > Controller Configuration > Device SSH Authentication.

7. Connect to the USG via SSH.

SSH using Windows

7.1. Download PuTTY and open the putty.exe executable file.

7.2. Fill in the below settings and select Open.

Host Name (or IP address): IP of USG/USG-Pro (for example 192.168.1.1)
Port: 22
Connection type: SSH


NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect to the USG using SSH.

7.3. Accept the SSH security alert if prompted.

7.4. Login using the SSH Username and SSH Password from the UniFi Network application:

Username: <ssh-username>
Password: <ssh-password>

SSH using macOS

7.1. Open the macOS Terminal by searching for Terminal in the Launcher or by navigating to the Finder > Applications > Utilities section.

7.2. Using the ssh command and specify the UniFi Network SSH Username followed by the @ symbol and the IP address of the USG/USG-Pro.

ssh <username>@<ip-address>

For example, to connect to the USG/USG-Pro that is using the default 192.168.1.1 IP address and unifiadmin username, run:

ssh unifiadmin@192.168.1.1

NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect to the USG using SSH.

7.3. Accept the SSH security alert if prompted.

7.4. Enter the SSH Password to log in:

Username: <ssh-username>
Password: <ssh-password>

8. Verify that the WAN2 interface is UP and has an IP address assigned, and that the matching ADDRv4 address group contains that address, by running the following commands:

show interfaces ; sudo ipset list ADDRv4_eth2
unifiadmin@usg:~$ show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         203.0.113.1/24                    u/u  WAN                         
eth1         192.168.1.1/24                    u/u  LAN                         
eth2         192.0.2.1/24                      u/u  WAN2                           
lo           127.0.0.1/8                       u/u                              
             ::1/128                          
unifiadmin@usg:~$ sudo ipset list ADDRv4_eth2
Name: ADDRv4_eth2
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16792
References: 1
Members:
192.0.2.1

NOTE: The ADDRv4_eth2 is a special address group that automatically uses the IP address that is assigned to the eth2 interface. On the USG-Pro, the WAN2 interface uses eth3 instead and thus the address group will be ADDRv4_eth3.

9. Enter configuration mode by typing configure and hitting enter.

10. Add the Destination NAT rule for the WAN2 interface of the USG/USG-Pro (replace eth2 with eth3 for the USG-Pro):

set service nat rule 4001 description 'webserver'
set service nat rule 4001 destination group address-group ADDRv4_eth2
set service nat rule 4001 destination port 443
set service nat rule 4001 inbound-interface eth2
set service nat rule 4001 inside-address address 192.168.1.10
set service nat rule 4001 inside-address port 443
set service nat rule 4001 protocol tcp
set service nat rule 4001 type destination

11. Commit the changes and exit back to operational mode by typing commit ; exit and hitting enter.

This is an example of the process:


12. Use the mca-ctrl -t dump-cfg command to display the entire config in JSON format:

mca-ctrl -t dump-cfg

13. The Destination NAT section of the configuration in JSON format can then be used in the config.gateway.json file.

{
    "service": {
        "nat": {
            "rule": {
                "4001": {
                    "description": "webserver",
                    "destination": {
                        "group": {
                            "address-group": "ADDRv4_eth2"
                        },
                        "port": "443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "192.168.1.10",
                        "port": "443"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                }
            }
        }
    }
}

14. See the UniFi - USG/USG-Pro: Advanced Configuration Using JSON article for more information on how to create and modify the config.gateway.json file.
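If you maintain more than one custom DNAT rule, writing the JSON by hand is error-prone. The following added example (written for this page, not Ubiquiti code) generates the same structure shown above from the rule parameters, choosing the eth2/eth3 interface and the ADDRv4 address group from the model. The model names usg and usg-pro, the tcp_udp protocol keyword and the second sample rule are assumptions of the example; rule numbering starts at 4001 as in the article.

```python
"""Generate the config.gateway.json fragment for a USG/USG-Pro WAN2 destination NAT rule.

Added example; not Ubiquiti's code. It reproduces the JSON structure shown in the
article for a single rule and lets you emit several rules at once.
"""
import ipaddress
import json

# WAN2 interface per model, as given in the article (the address group that tracks
# the interface's own IP address is ADDRv4_<interface>).
WAN2_INTERFACE = {"usg": "eth2", "usg-pro": "eth3"}

# tcp appears in the article; udp and tcp_udp are assumptions of this example
# (tcp_udp is the EdgeOS keyword for both protocols).
PROTOCOLS = ("tcp", "udp", "tcp_udp")


def dnat_rule(model, description, wan_port, inside_address, inside_port, protocol="tcp"):
    """Return the body of one 'service nat rule' entry of type destination."""
    if model not in WAN2_INTERFACE:
        raise ValueError(f"unknown model {model!r}; expected one of {sorted(WAN2_INTERFACE)}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    for name, port in (("wan_port", wan_port), ("inside_port", inside_port)):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"{name} out of range: {port}")
    inside = ipaddress.IPv4Address(inside_address)  # raises on a malformed address
    iface = WAN2_INTERFACE[model]
    return {
        "description": description,
        "destination": {
            "group": {"address-group": f"ADDRv4_{iface}"},
            "port": str(int(wan_port)),
        },
        "inbound-interface": iface,
        "inside-address": {"address": str(inside), "port": str(int(inside_port))},
        "protocol": protocol,
        "type": "destination",
    }


def config_gateway_json(rules, first_rule_number=4001):
    """Wrap rule bodies into the service/nat/rule tree, numbered from first_rule_number.

    The article uses 4001; keep custom numbers clear of the rules the controller
    generates itself (compare with `mca-ctrl -t dump-cfg` on the gateway).
    """
    numbered = {str(first_rule_number + i): rule for i, rule in enumerate(rules)}
    return {"service": {"nat": {"rule": numbered}}}


def render(rules, first_rule_number=4001):
    """Serialise to the text that goes into config.gateway.json."""
    return json.dumps(config_gateway_json(rules, first_rule_number), indent=4, sort_keys=True)


if __name__ == "__main__":
    # The article's example (webserver, TCP 443 -> 192.168.1.10:443 on a USG), plus
    # a second, constructed rule to show the numbering.
    rules = [
        dnat_rule("usg", "webserver", 443, "192.168.1.10", 443),
        dnat_rule("usg", "vpn", 51820, "192.168.1.20", 51820, protocol="udp"),
    ]
    print(render(rules))
```

Each generated rule still needs the matching Internet In firewall rule created in the UniFi Network application (steps 1 to 5 above); the JSON only performs the address translation.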

Troubleshooting Port Forwarding Issues

Refer to the troubleshooting steps below if the Port Forwarding or custom Destination NAT rule is not working. Either of the following options can be the cause:

Possible Cause #1 - The USG/UDM is located behind NAT and does not have a public IP address.

In this scenario, the UDM/USG is located behind another router/modem that uses NAT. A sign of this setup is that the device is using a private (RFC1918) or CGNAT (RFC6598) IP address on the WAN1 or WAN2 interface. Your UDM/USG is located behind NAT if it is using an IP address on the WAN interface that is inside one of the ranges below:

  • 10.0.0.0/8 10.0.0.0 - 10.255.255.255
  • 172.16.0.0/12 172.16.0.0 - 172.31.255.255
  • 192.168.0.0/16 192.168.0.0 - 192.168.255.255
  • 100.64.0.0/10 100.64.0.0 - 100.127.255.255

To fix this issue, try re-configuring the ISP modem/router in bridged mode so that the UDM/USG is able to use a public IP address on the WAN interface. If this is not supported, then you will need to first forward the port(s) on the upstream router/modem to the WAN address of the UDM/USG. Depending on your ISP, these ports will either need to be manually forwarded or there is a DMZ option that forwards all unsolicited inbound traffic to the UDM/USG. The DMZ option is simpler to set up, but it leaves the UDM/USG firewall as the only filter in front of your network, so prefer forwarding only the required ports when the upstream device supports it. If the WAN address is in the CGNAT range, the NAT is performed at the ISP and neither option is available; you will need to ask the ISP for a public address.
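To check for this condition from the `show interfaces` output shown earlier in this article, here is an added example in Python (not part of the article or of the UniFi software). It classifies each WAN-facing address against the four ranges listed above. The sample output is constructed, with WAN2 moved onto a CGNAT address so that the check has something to report.

```python
"""Flag a UDM/USG WAN address that sits behind NAT, from `show interfaces` output.

Added example; not Ubiquiti's code. Uses the ranges listed in the article rather than
ipaddress.is_private, which does not line up with them (it treats the documentation
range 203.0.113.0/24 as private and 100.64.0.0/10 as neither private nor global).
"""
import ipaddress
import re

# The four ranges from the article: an address inside any of them means a NAT upstream.
BEHIND_NAT_RANGES = {
    "RFC1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "CGNAT (RFC6598)": [ipaddress.ip_network("100.64.0.0/10")],
}

# Constructed sample, modelled on the article's `show interfaces` listing, with WAN2
# moved onto a CGNAT address so the check has something to flag.
SAMPLE_SHOW_INTERFACES = """\
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         203.0.113.1/24                    u/u  WAN
eth1         192.168.1.1/24                    u/u  LAN
eth2         100.64.12.7/22                    u/u  WAN2
lo           127.0.0.1/8                       u/u
             ::1/128
"""

# One interface row: name, IPv4 address/prefix, state/link, optional description.
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)/\d+\s+(?P<sl>\S+)\s*(?P<desc>.*)$"
)


def classify(addr):
    """Return 'RFC1918', 'CGNAT (RFC6598)' or 'public' for an IPv4 address string."""
    ip = ipaddress.IPv4Address(addr)
    for label, nets in BEHIND_NAT_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def parse_interfaces(text):
    """Extract IPv4 rows from `show interfaces` output; header and IPv6 lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"iface": m["iface"], "addr": m["addr"], "state": m["sl"],
                         "desc": m["desc"].strip()})
    return rows


def wan_nat_check(text):
    """Classify every interface whose description starts with WAN (WAN, WAN2)."""
    return {r["iface"]: classify(r["addr"])
            for r in parse_interfaces(text) if r["desc"].startswith("WAN")}


if __name__ == "__main__":
    for iface, verdict in wan_nat_check(SAMPLE_SHOW_INTERFACES).items():
        note = "" if verdict == "public" else "  <- behind NAT, see Possible Cause #1"
        print(f"{iface}: {verdict}{note}")
```

Run it against a pasted copy of your own `show interfaces` output; the `classify` function is also usable on its own for the WAN address shown in the UniFi Network application.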

Possible Cause #2 - The UDM/USG is already forwarding the port to another device or has UPnP enabled.

In this case, the UDM/USG already has an existing port forwarding rule that is forwarding the port to another device. The same WAN port (for example TCP port 443) can only be forwarded to a single device, but you can forward multiple different WAN ports to the same port on the LAN (for example TCP port 10443 to 443 and TCP port 8443 to 443).

Another possible cause is that UPnP is enabled and is already using the port. Try disabling the UPnP option in the Settings > Gateway > UPnP section of the New Web UI or the Settings > Services > UPnP section of the Classic Web UI.

Possible Cause #3 - The traffic from the Internet clients is not reaching the WAN interface of the UDM/USG.

In this case, the traffic is either blocked upstream at the ISP modem/router or there is an issue affecting the client device.

You can verify if the traffic is arriving by accessing the UDM/USG using SSH and running a tcpdump packet capture on the WAN1 or WAN2 interface. See the UniFi - UDM/UDM-Pro: How to Login to the Dream Machine using SSH article for more information on how to access the UDM/UDM-Pro using SSH and the section above for the USG/USG-Pro steps.

CLI: Access the Command Line Interface on the UDM/USG using SSH.

After logging in with SSH, run the following command to capture the traffic. This command will print the traffic output directly to the screen when an Internet client tries to access the port (cancel with CTRL+C).

UDM-Pro WAN1 (eth8) and WAN2 (eth9)

# tcpdump -n -i eth8 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0
# tcpdump -n -i eth9 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth9, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [S], seq 987770491, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [S.], seq 4189175926, ack 987770492, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [.], ack 2, win 256, length 0

UDM WAN (eth4)

# tcpdump -n -i eth4 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0

USG WAN1 (eth0) and WAN2 (eth2)

unifiadmin@usg:~$ sudo tcpdump -n -i eth0 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0
unifiadmin@usg:~$ sudo tcpdump -n -i eth2 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [S], seq 3731603662, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [S.], seq 67104030, ack 3731603663, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [F.], seq 1, ack 2, win 1026, length 0

USG-Pro WAN1 (eth2) and WAN2 (eth3)

unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth2 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0
unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth3 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [S], seq 3731603662, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [S.], seq 67104030, ack 3731603663, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [F.], seq 1, ack 2, win 1026, length 0

You can modify the tcpdump commands listed above to match the protocol, port and interface used by your Port Forwarding or Destination NAT rule. Note that a capture on the WAN interface shows the packets before destination NAT is applied, so they are addressed to the WAN IP address rather than to the internal LAN host; filter on the WAN address or on the Internet client's address here, and use the LAN host's address only when capturing on the LAN interface. For example, to match UDP port 10001 on interface eth8 arriving at the WAN address 203.0.113.1, use:

sudo tcpdump -n -i eth8 udp port 10001 and host 203.0.113.1

If the packet capture is not displaying any traffic, then the requests are not arriving at the UDM/USG and are possibly filtered somewhere upstream. You can try using a different port to verify if the port is being blocked. One other possible reason as to why the client traffic is not arriving, is that the UDM/USG is located behind NAT. See Cause #1 above.

Possible Cause #4 - The LAN host is not allowing the port through the local firewall or does not have the correct route configured.

In this case, the host/server on the LAN is not allowing outside connections to access the port. For example, the Web Server used in this example will need to allow connections to TCP port 443.

On Windows computers, verify the Windows Firewall rules. On Linux, verify if the connection is allowed in the iptables firewall.

You can verify whether the forwarded traffic is reaching the LAN host, and whether the host is replying, by accessing the UDM/USG using SSH and running a tcpdump packet capture on the LAN interface. See the UniFi - UDM/UDM-Pro: How to Login to the Dream Machine using SSH article for more information on how to access the UDM/UDM-Pro using SSH and the section above for the USG/USG-Pro steps.

CLI: Access the Command Line Interface on the UDM/USG using SSH.

After logging in with SSH, run the following command to capture the traffic on the LAN interface of the UDM/USG. This command will print the traffic output directly to the screen when the port is forwarded to the internal LAN host (cancel with CTRL+C).

UDM/UDM-Pro LAN (br0)

# tcpdump -n -i br0 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

USG LAN (eth1)

unifiadmin@usg:~$ sudo tcpdump -n -i eth1 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

USG-Pro LAN1 (eth0) and LAN2 (eth1)

unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth0 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0
unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth1 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

You can modify the tcpdump commands listed above to match the protocol, port and internal LAN host used by your Port Forwarding or Destination NAT rule. For example, to match UDP port 10001 on interface br0 and internal LAN host 192.168.1.50, use:

sudo tcpdump -n -i br0 udp port 10001 and host 192.168.1.50

If you only see traffic in one direction, for example 198.51.100.1.1611 > 192.168.1.10.443 repeatedly, then the internal LAN host is not able to respond to the traffic. There are two likely causes as to why this is occurring:

  • The firewall on the internal LAN host is blocking the traffic
  • The internal LAN host does not know how to reach the IP address of the Internet client. This will happen if the default gateway is not set correctly, for example when the host points at another router instead of the UDM/USG, so that its replies leave by a different path.

Verify the firewall and routing settings on the internal LAN host to resolve this issue.
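The one-directional pattern described above can be spotted automatically in a saved capture. The following added example (not Ubiquiti code) parses the `tcpdump -n` line format shown in this article, groups the packets into client connections, and reports whether the LAN host answered each one; it also separates the empty-capture case, which points back to Possible Cause #1 or #3. Both captures embedded in the script are constructed from the article's sample lines.

```python
"""Check a tcpdump capture from the gateway's LAN interface for one-directional traffic.

Added example; not Ubiquiti's code. It parses the plain `tcpdump -n` line format shown
in the article and reports whether each client connection was answered by the LAN host.
"""
import re

# Matches lines such as:
#   IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, ..., length 0
TCP_LINE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed captures. HEALTHY is modelled on the article's br0 output; STALLED is what
# the article describes under Cause #4: the client's SYN repeats and nothing comes back.
HEALTHY_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
"""

STALLED_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, length 0
"""


def parse_packets(text):
    """Yield (src, sport, dst, dport, flags) for each tcpdump TCP line; other lines are skipped."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def analyze_flows(text):
    """Group packets into client->server flows and count SYNs and SYN/ACKs per flow.

    Flow key: (client, client_port, server, server_port). A bare SYN ("S") comes from
    the client; "S." is the server's SYN/ACK travelling in the reverse direction.
    """
    flows = {}
    for src, sport, dst, dport, flags in parse_packets(text):
        if flags == "S":
            key = (src, sport, dst, dport)
            flows.setdefault(key, {"syn": 0, "synack": 0})["syn"] += 1
        elif flags == "S.":
            key = (dst, dport, src, sport)
            flows.setdefault(key, {"syn": 0, "synack": 0})["synack"] += 1
    return flows


def diagnose(text):
    """Map a capture to the article's troubleshooting causes.

    no-traffic : nothing forwarded reached this interface (Cause #1/#3, or the rule itself)
    unanswered : client SYNs arrive but the host never replies (Cause #4: host firewall or gateway)
    ok         : a SYN/ACK was seen for every client connection
    """
    flows = analyze_flows(text)
    if not flows:
        return {"status": "no-traffic", "flows": flows, "unanswered": []}
    unanswered = sorted(k for k, c in flows.items() if c["synack"] == 0)
    status = "unanswered" if unanswered else "ok"
    return {"status": status, "flows": flows, "unanswered": unanswered}


if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY_CAPTURE), ("stalled", STALLED_CAPTURE)):
        result = diagnose(capture)
        print(name, result["status"], result["unanswered"])
```

To use it on a real capture, save the output of the LAN-interface tcpdump command to a file on your workstation and pass its contents to `diagnose`; a repeated SYN count with no SYN/ACK for a flow is the signature of the host-side firewall or default-gateway problem described above.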

Related Articles

UniFi - USG/USG-Pro: Advanced Configuration Using JSON

Intro to Networking - How to Establish a Connection Using SSH
