Online help

Netfilters - Example for a NAT Rule for Port Forwarding

A control (IP address 192.168.5.31) in the machine network (net2) shall be accessed via the local company network (net3) from a PC (IP address 192.168.200.156). The communication port is TCP port 102. The router is the link between both networks and has the IP address 192.168.5.1 in the machine network and the IP address 192.168.200.189 in the company network. The PC in the company network addresses the company network address of the router (192.168.200.189); everything else will be done by the router. A destination NAT rule and an IP filter rule are necessary for this.

The destination NAT rule (port forwarding rule) must be defined as follows:

  • Description: Forward to control
  • Type: Portforward
  • Protocol: TCP
  • Input interface: net3 (over which the packet reaches the router)
  • Destination port: 102
  • Destination NAT to address: 192.168.5.31
  • Destination NAT to port: 102

The IP filter rule (firewall rule) must be defined as follows:

  • Description: Forward to control
  • Packet direction: FORWARD
  • IP version: all
  • Protocol: TCP
  • Input interface: net3 (over which the packet reaches the router)
  • Output interface: net2 (over which the packet leaves the router)
  • Source IP address: 192.168.200.156 / 32
  • Source port: (field remains empty)
  • Destination IP address: 192.168.5.31 / 32
  • Destination port: 102

Notes:

  • Port forwarding is only necessary if no route to the machine network is configured from the company network.
  • The device in the company network always communicates with the company network address of the router and never with the machine network address of the control.
  • No source port is entered in the IP filter rule, since it is chosen dynamically by the respective device and therefore cannot be predicted.
  • If the control is to be accessible from more than one device in the company network, the field Source IP address must be modified. Two examples for this:
    • Source IP address: 192.168.200.0 / 24 (permits all devices from the company network: IP addresses 192.168.200.1 to 192.168.200.254)
    • Source IP address: 192.168.200.64 / 26 (permits the following devices from the company network: IP addresses 192.168.200.65 to 192.168.200.126)
  • The IP address on which the router receives the packet (192.168.200.189) is not used as Destination IP address of the IP filter rule, but rather the address set by the DNAT rule (192.168.5.31), because the DNAT rule is applied before the IP filter rule.
  • INSYS Network Info Tool for calculating IP addresses and netmasks
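The following Python simulation is an added example and is not part of the original help page or of the INSYS router firmware. It models the packet path described above in netfilter order: the destination NAT rule rewrites the destination first, the output interface is then determined by routing, and only afterwards is the FORWARD filter rule evaluated against the already-translated address. The rule tables, the sample packets and the small routing table are constructed to mirror the addresses in the example; the class and function names are assumptions for illustration. The block also evaluates the /24 and /26 source networks from the notes to show which hosts each prefix admits.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the help page scenario: control 192.168.5.31 in the
# machine network (net2), PC 192.168.200.156 in the company network (net3),
# router 192.168.5.1 on net2 and 192.168.200.189 on net3.


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface on which the router receives the packet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    description: str
    proto: str
    in_iface: str
    dport: int
    to_addr: str
    to_port: int


@dataclass(frozen=True)
class FilterRule:
    description: str
    direction: str   # only "FORWARD" is modelled here
    proto: str
    in_iface: str
    out_iface: str
    src_net: str     # CIDR notation, e.g. "192.168.200.156/32"
    dst_net: str
    dport: int


# Rule tables exactly as the help page defines them.
DNAT_RULES = [DnatRule("Forward to control", "TCP", "net3", 102, "192.168.5.31", 102)]
FILTER_RULES = [FilterRule("Forward to control", "FORWARD", "TCP", "net3", "net2",
                           "192.168.200.156/32", "192.168.5.31/32", 102)]

# Constructed routing table: the router's two directly connected networks.
ROUTES = {"192.168.5.0/24": "net2", "192.168.200.0/24": "net3"}


def route_out_iface(dst):
    """Longest-prefix lookup of the output interface for a destination address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in ROUTES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def apply_dnat(pkt, rules=DNAT_RULES):
    """Destination NAT stage: the first matching rule rewrites dst/dport."""
    for r in rules:
        if pkt.proto == r.proto and pkt.in_iface == r.in_iface and pkt.dport == r.dport:
            return replace(pkt, dst=r.to_addr, dport=r.to_port)
    return pkt


def filter_allows(pkt, out_iface, rules=FILTER_RULES):
    """FORWARD filter stage, evaluated on the translated packet; default deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.direction == "FORWARD" and pkt.proto == r.proto
                and pkt.in_iface == r.in_iface and out_iface == r.out_iface
                and pkt.dport == r.dport
                and src in ipaddress.ip_network(r.src_net, strict=False)
                and dst in ipaddress.ip_network(r.dst_net, strict=False)):
            return True
    return False


def router_verdict(pkt, dnat_rules=DNAT_RULES, filter_rules=FILTER_RULES):
    """Returns (translated packet, accepted) in netfilter order: DNAT, routing, FORWARD."""
    translated = apply_dnat(pkt, dnat_rules)
    out_iface = route_out_iface(translated.dst)
    return translated, filter_allows(translated, out_iface, filter_rules)


def usable_hosts(cidr):
    """First and last usable host address of a prefix (network and broadcast excluded)."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    pc = Packet("net3", "TCP", "192.168.200.156", 51000, "192.168.200.189", 102)
    translated, ok = router_verdict(pc)
    print(f"{pc.dst}:{pc.dport} -> {translated.dst}:{translated.dport}, accepted={ok}")
    for cidr in ("192.168.200.0/24", "192.168.200.64/26"):
        print(cidr, "admits", *usable_hosts(cidr))
```

Running the block shows why the filter rule must name 192.168.5.31 and not 192.168.200.189: by the time the FORWARD rule is consulted, the destination has already been rewritten and the routing decision for net2 has been made on the rewritten address. A packet from a host outside the /32 source network is still translated by the DNAT rule but is then dropped by the filter, which is the behaviour the two-rule design relies on.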