×

UniFi - USG/UDM: Port Forwarding Configuration and Troubleshooting

Overview

Readers will learn how to forward UDP and TCP ports to an internal LAN device using the Port Forwarding feature on the UDM and USG models. 

NOTES & REQUIREMENTS:
  • Applicable to the latest firmware on all UDM and USG models.
  • The Port Forwarding feature is designed to only work on WAN1 on the USG models, but it can use both WAN1 and WAN2 on the UDM-Pro.
  • It is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule(s) to forward ports on the WAN2 interface on the USG models, see the section below.
  • Join the UniFi discussion on the Ubiquiti Community and interact with other experts that are active on forum.

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Configuring a Port Forwarding Rule
  3. USG/USG-Pro: Forwarding Ports on WAN2 using Destination NAT
  4. Troubleshooting Port Forwarding Issues
  5. Related Articles

Frequently Asked Questions (FAQ)

Do I need to manually create firewall rules for Port Forwarding?

No, firewall rules are automatically created to allow the ports to be forwarded to the internal LAN devices. It is not necessary to manually add firewall rules for the forwarded ports.
Can I forward ports on the WAN2 interface of the UDM/USG?

It is possible to use the Port Forwarding feature on the WAN2 interface UDM-Pro when using the Classic Web UI. Navigate to the
settings.png  Settings > Routing & Firewall > Port Forwarding section and create a Port Forwarding rule or modify an existing one.

Afterwards, you can select the WAN interface to be WAN1, WAN2 or both. The base UDM model only has a single WAN port.

On the USG models, it is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule to forward ports on the WAN2 interface, see the section below.
How does the Port Forwarding feature interact with UPnP?

Automatic entries created by UPnP take precedence over manually created Port Forwarding rules.
Do I need to manually configure Hairpin NAT?

No, Hairpin NAT is automatically enabled when configuring the Port Forwarding feature.

The exception is when configuring Destination NAT (DNAT) manually on the WAN2 port of the USG. In this case, you will also need to manually configure a Hairpin NAT entry for this DNAT rule.
Can I limit which remote devices are allowed to use the forwarded ports? 

Yes, by using the from option when creating or modifying a Port Forwarding rule. The default option is to allow all remote clients to use the forwarded port.
My Port Forwarding rule does not work, what should I do?

See the troubleshooting section below for more details.

Configuring a Port Forwarding Rule

The diagram below shows an example setup where the ISP provided modem/router is running in a bridged mode and the UDM-Pro is using a public IP address on the WAN interface.

topology.gif

After configuring a Port Forwarding rule for a TCP or UDP port (TCP port 443 in this example), the remote clients on the Internet will be able to directly communicate with the Web Server on the internal LAN.

There are several options available when created a Port Forwarding rule:

  • From The clients on the Internet that are allowed to use the Port Forwarding rule. Set to Anywhere by default, meaning all hosts. It is possible to limit the allowed hosts by specifying an IP address (for example 198.51.100.1) or subnet range (for example 198.51.100.0/24). 
  • Port The WAN port that the clients on the Internet connect to, for example 443. This does not need to match the port used on the internal LAN host. You can forward TCP port 10443 to TCP port 443, for example.
  • Forward IP The IP address used by the internal LAN host, for example 192.168.1.10.
  • Forward Port The port used by the internal LAN host, for example TCP port 443.
GUI: Access the UniFi Controller Web Portal.

Follow the steps below to configure the Port Forwarding rule on the USG/UDM models:

New Web UI Port Forwarding Rule
Classic Web UI Port Forwarding Rule

1. Navigate to the settings.png  Settings > Gateway > Port Forwarding section to add a Port Forwarding rule.

2. Select Create New Port Forward Rule and fill in the settings:

Name: webserver
Enable Forward Rule: Checked
From: Anywhere or Limited
Port: 443
Forward IP: 192.168.1.10
Forward Port: 443
Protocol: TCP
Enable Logging: Optional

create-new-portforward-rule.png

3. Apply the settings.

ATTENTION: This is a Port Forwarding rule for the primary WAN interface (WAN1). If you need to forward ports on WAN2 on the UDM-Pro, then specify the interface in the Classic Web UI settings. See the Classic Web UI Port Forwarding Rule section in this article.

On the USG models, it is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule to forward ports on the WAN2 interface, see the section below.

4. The firewall rule(s) needed for the new Port Forwarding rule are automatically added.

5. You can verify the automatically created rules in the  settings.png  Settings > Internet Security > Firewall > WAN section.

wan-firewall-rules.png

1. Navigate to the settings.png  Settings > Routing & Firewall > Port Forwarding section to add a Port Forwarding rule.

2. Select Create New Port Forward Rule and fill in the settings:

Name: webserver
Enabled: Enable this port forward rule
Interface: WAN / WAN2 / Both (UDM-Pro only)
From: Anywhere or Limited
Port: 443
Forward IP: 192.168.1.10
Forward Port: 443
Protocol: TCP
Enable Logging: Optional

3. Apply the changes.

4. The firewall rule(s) needed for the new Port Forwarding rule are automatically added.

5. You can verify the automatically created rules in the  settings.png  Settings > Routing & Firewall > Firewall section.

USG/USG-Pro: Forwarding Ports on WAN2 using Destination NAT

ATTENTION: This is an advanced configuration that requires creating and modifying the config.gateway.json file. 

See the UniFi - USG/USG-Pro: Advanced Configuration Using JSON article for more information on using the JSON file.

Follow the steps below to forward ports on the WAN2 interface of the USG models (USG/USG-Pro). It is necessary to manually create a Destination NAT (DNAT) rule using the Command Line Interface (CLI) and a custom Firewall Rule using the Web UI. Afterwards, the config.gateway.json file needs to be created or updated to incorporate the custom configuration into the UniFi controller.

GUI: Access the UniFi Controller Web Portal.

The first step is to create a new custom Firewall Rule using either the New or Classic Web UI:

New Web UI Custom Firewall Rule
Classic Web UI Custom Firewall Rule

1. Navigate to the  settings.png  Settings > Internet Security > Firewall > WAN section.

2. Create a new Firewall Port Group by selecting the Create New Group option.

create-new-group1.png

3. Fill in the information and specify the port that needs to be allowed through the firewall (443 in this example).

Name: https
Type: Port Group
Port: 443

create-new-group2.png

4. Navigate to the  settings.png  Settings > Internet Security > Firewall > WAN section.

5. Create a new WAN Firewall Rule by selecting the Create New Rule option.

create-new-rule1.png

6. Fill in the information and select the previously created Port Group. 

Type: WAN In
Description: webserver
Enabled: Checked
Rule Applied: After Predefined Rules
Action: Accept
IPv4 Protocol: TCP
Match all protocols except for this: Unchecked
Source: Optional
Destination > Destination Type: Address/Port Group
Destination > IPv4 Address Group: Any
Destination > Port Group: https (previously created)
Advanced: Optional

create-new-rule2.png

7. Apply the changes.

1. Navigate to the  settings.png  Settings > Routing & Firewall > Firewall > Groups section.

2. Create a new Firewall Port Group by selecting the Create New Group option.

3. Fill in the information and specify the port that needs to be allowed through the firewall (443 in this example).

Name: https
Type: Port
Port: 443

4. Navigate to the  settings.png  Settings > Routing & Firewall > Firewall > Rules IPv4 > WAN IN section.

5. Create a new WAN IN Firewall Rule by selecting the Create New Rule option.

6. Fill in the information and select the previously created Port Group. 

Name: webserver
Enabled: Checked
Rule Applied: After predefined rules
Action: Accept
IPv4 Protocol: TCP
Match all protocols except for this: Unchecked
Advanced > Logging: Optional
Advanced > States: Unchecked
Advanced > IPsec: Don't match on IPsec packets
Source: Optional
Destination > Destination Type: Address/Port Group
Destination > IPv4 Address Group: Any
Destination > Port Group: https (previously created)

7. Apply the changes. 

The next step is to access the USG/USG-Pro using the Command Line Interface (CLI) and add a custom Destination NAT (DNAT) rule:

GUI: Access the UniFi Controller Web Portal.

1. Enable SSH Authentication in the settings.png  Settings > Network Settings > Device Authentication section and specify your username and password.

Enable SSH Authentication: Checked
SSH Username: <your-username>
SSH Password: <your-password>

ssh-authentication.png

NOTE: When using the Classic Web UI, navigate to the  settings.png  Settings > Site > Device Authentication section instead.

Check and apply the settings.png  Settings > Site > Enable Advanced Features first to see the SSH Authentication options.

2. Apply the changes.

CLI: Access the Command Line Interface on the USG/USG-Pro using SSH.

 windows.png  Windows Client

1. Download PuTTY and open the putty.exe executable file. 

2. Fill in the below settings and select Open.

Host Name (or IP address): IP of USG/USG-Pro (for example 192.168.1.1)
Port: 22
Connection type: SSH

putty.png

NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect to the USG using SSH.


3. Accept the SSH security alert if prompted.

4. Login using the SSH Username and SSH Password from the UniFi Controller:

Username: <ssh-username>
Password: <ssh-password>

 macos.png  macOS client

1. Open the macOS Terminal by searching for Terminal in the Launcher or by navigating to the Finder > Applications > Utilities section.

2. Using the ssh command and specify the UniFi Controller SSH Username followed by the @ symbol and the IP address of the USG/USG-Pro.

ssh <username>@<ip-address>


3. To connect to the USG/USG-Pro that is using the default 192.168.1.1 IP address and unifiadmin username, run:

ssh unifiadmin@192.168.1.1
NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect to the USG using SSH.


4. Accept the SSH security alert if prompted.

5. Enter the SSH Password to log in:

Username: <ssh-username>
Password: <ssh-password>

3. After logging into the USG/USG-Pro, verify that the WAN2 interface is UP and that it is assigned an IP address. 

show interfaces ; sudo ipset list ADDRv4_eth2
unifiadmin@usg:~$ show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         203.0.113.1/24                    u/u  WAN                         
eth1         192.168.1.1/24                    u/u  LAN                         
eth2         192.0.2.1/24                      u/u  WAN2                           
lo           127.0.0.1/8                       u/u                              
             ::1/128                          
unifiadmin@usg:~$ sudo ipset list ADDRv4_eth2
Name: ADDRv4_eth2
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16792
References: 1
Members:
192.0.2.1
NOTE: The ADDRv4_eth2 is a special address group that automatically uses the IP address that is assigned to the eth2 interface.

On the USG-Pro, the WAN2 interface uses eth3 instead and thus the address group will be ADDRv4_eth3

4. Enter configuration mode with the command below:

configure

5. Add the Destination NAT rule for the WAN2 interface of the USG/USG-Pro (replace eth2 with eth3 for the USG-Pro):

set service nat rule 4001 description 'webserver'
set service nat rule 4001 destination group address-group ADDRv4_eth2
set service nat rule 4001 destination port 443
set service nat rule 4001 inbound-interface eth2
set service nat rule 4001 inside-address address 192.168.1.10
set service nat rule 4001 inside-address port 443
set service nat rule 4001 protocol tcp
set service nat rule 4001 type destination

6. Commit the changes and exit back to operational mode.

commit ; exit

The image below shows an example of the process:

custom-dnat-rule.gif

7. Use the mca-ctrl -t dump-cfg command to display the entire config in JSON format:

mca-ctrl -t dump-cfg

8. The Destination NAT section of the configuration in JSON format can then be used in the config.gateway.json file.

{
       "service": {
                "nat": {
                        "rule": {
                                "4001": {
                                        "description": "webserver",
                                        "destination": {
                                                "group": {
                                                        "address-group": "ADDRv4_eth2"
                                                },
                                                "port": "443"
                                        },
                                        "inbound-interface": "eth2",
                                        "inside-address": {
                                                "address": "192.168.1.10",
                                                "port": "443"
                                        },
                                        "protocol": "tcp",
                                        "type": "destination"
                                }
                        }
                }
       }
}

9. See the UniFi - USG/USG-Pro: Advanced Configuration Using JSON article for more information on how to create and modify the config.gateway.json file.

Troubleshooting Port Forwarding Issues

Refer to the troubleshooting steps below if the Port Forwarding or custom Destination NAT rule is not working. Either of the following options can be the cause:

 lan.png  Possible Cause #1 - The USG/UDM is located behind NAT and does not have a public IP address.

In this scenario, the UDM/USG is located behind another router/modem that uses NAT. A sign of this setup is that the device is using a private (RFC1918) or CGNAT (RFC6598) IP address on the WAN1 or WAN2 interface. Your UDM/USG is located behind NAT if it is using an IP address on the WAN interface that is inside one of the ranges below:

  • 10.0.0.0/8 10.0.0.0 - 10.255.255.255
  • 172.16.0.0/12 172.16.0.0 - 172.31.255.255
  • 192.168.x.0/24 192.168.0.0 - 192.168.255.255
  • 100.64.0.0/10 100.64.0.0 - 100.127.255.255


To fix this issue, try re-configuring the ISP modem/router in bridged mode so that the UDM/USG is able to use a public IP address on the WAN interface. If this is not supported, then you will need to first forward the port(s) on the upstream router/modem to the WAN address of the UDM/USG. Depending on your ISP, these ports will either need to be manually forwarded or there is a DMZ option that allows you to automatically forward the ports.

 tools.png  Possible Cause #2 - The UDM/USG is already forwarding the port to another device or has UPnP enabled.

In this case, the UDM/USG already has an existing port forwarding rule that is forwarding the port to another device. The same WAN port (for example TCP port 443) can only be forwarded to a single device, but you can forward multiple different WAN ports to the same port on the LAN (for example TCP port 10443 to 443 and TCP port 8443 to 443).

Another possible cause is that UPnP is enabled and is already using the port. Try disabling the UPnP option in the  settings.png  Settings > Gateway > UPnP section of the New Web UI or the  settings.png  Settings > Services > UPnP section of the Classic Web UI.

 lan.png  Possible Cause #3 - The traffic from the Internet clients is not reaching the WAN interface of the UDM/USG.

In this case, the traffic is either blocked upstream at the ISP modem/router or there is an issue affecting the client device. 

You can verify if the traffic is arriving by accessing the UDM/USG using SSH and running a tcpdump packet capture on the WAN1 or WAN2 interface. See the UniFi - UDM/UDM-Pro: How to Login to the Dream Machine using SSH article for more information on how to access the UDM/UDM-Pro using SSH and the section above for the USG/USG-Pro steps.

CLI: Access the Command Line Interface on the UDM/USG using SSH.

After logging in with SSH, run the following command to capture the traffic. This command will print the traffic output directly to the screen when an Internet client tries to access the port (cancel with CTRL+C).


UDM-Pro WAN1 (eth8) and WAN2 (eth9)

# tcpdump -n -i eth8 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0g
# tcpdump -n -i eth9 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth9, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [S], seq 987770491, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [S.], seq 4189175926, ack 987770492, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [.], ack 2, win 256, length 0

UDM WAN (eth4)

# tcpdump -n -i eth4 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0g

USG WAN1 (eth0) and WAN2 (eth2)

unifiadmin@usg:~$ sudo tcpdump -n -i eth0 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0g
unifiadmin@usg:~$ sudo tcpdump -n -i eth2 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [S], seq 3731603662, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [S.], seq 67104030, ack 3731603663, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [F.], seq 1, ack 2, win 1026, length 0

USG-Pro WAN (eth2) and WAN2 (eth3)

unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth2 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0g
unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth3 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [S], seq 3731603662, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [S.], seq 67104030, ack 3731603663, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [F.], seq 1, ack 2, win 1026, length 0


You can modify these tcpdump commands listed above to match the ones used by your Port Forwarding or Destination NAT rule. For example to match on UDP port 10001 on interface eth8 and internal LAN host 192.168.1.50, use:

sudo tcpdump -n -i eth8 udp port 10001 and host 192.168.1.50


If the packet capture is not displaying any traffic, then the requests are not arriving at the UDM/USG and are possibly filtered somewhere upstream. You can try using a different port to verify if the port is being blocked. One other possible reason as to why the client traffic is not arriving, is that the UDM/USG is located behind NAT. See Cause #1 above.

 lock.png  Possible Cause #4 - The LAN host is not allowing the port through the local firewall or does not have the correct route configured. 

In this case, the host/server on the LAN is not allowing outside connections to access the port. For example, the Web Server used in this example will need to allow connections to TCP port 443.

On Windows computers, verify the Windows Firewall rules. On Linux, verify if the connection is allowed in the iptables firewall.

You can verify if the traffic is arriving by accessing the UDM/USG using SSH and running a tcpdump packet capture on the WAN1 or WAN2 interface. See the UniFi - UDM/UDM-Pro: How to Login to the Dream Machine using SSH article for more information on how to access the UDM/UDM-Pro using SSH and the section above for the USG/USG-Pro steps.

CLI: Access the Command Line Interface on the UDM/USG using SSH.

After logging in with SSH, run the following command to capture the traffic on the LAN interface of the UDM/USG. This command will print the traffic output directly to the screen when the port is forwarded to the internal LAN host (cancel with CTRL+C).


UDM/UDM-Pro LAN (br0)

# tcpdump -n -i br0 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

USG LAN (eth1)

unifiadmin@usg:~$ sudo tcpdump -n -i eth1 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

USG-Pro LAN1 (eth0) and LAN2 (eth1)

unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth0 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0
unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth1 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0


You can modify these tcpdump commands listed above to match the ones used by your Port Forwarding or Destination NAT rule. For example to match on UDP port 10001 on interface br0 and internal LAN host 192.168.1.50, use:

sudo tcpdump -n -i br0 udp port 10001 and host 192.168.1.50


If you only see traffic in one direction, for example 198.51.100.1.1611 > 192.168.1.10.443 repeatedly, then the internal LAN host is not able to respond to the traffic. There are two likely causes as to why this is occurring:

  • The firewall on the internal LAN host is blocking the traffic
  • The internal LAN host does not know how to reach the IP address of the Internet client. This will happen if the default gateway is not set correctly.


Verify the firewall and routing settings on the internal LAN host to resolve this issue.

Related Articles

UniFi - UDM/UDM-Pro: How to Login to the Dream Machine using SSH

UniFi - USG/USG-Pro: Advanced Configuration Using JSON

Intro to Networking - How to Establish a Connection Using SSH

 

Was this article helpful?
22 out of 51 found this helpful
Can't find what you're looking for?
Visit our worldwide community of Ubiquiti experts for more answers
Visit the Ubiquiti Community