How can I setup port forwarding on a BR200 and how can I setup port forwarding rules?

  • Updated 3 years ago
I'm attempting to route internet traffic that comes from the internet hosts on port 8080 to a host with a static IP on my LAN that is connected to a Eth port on my BR200. I have taken away the check mark for 'Disable Port Forwarding' but I don't see where it is that I would go to manage the rules for Port Forwarding.

I found this post for the BR100 but it doesn't seem to translate to the BR200.
http://community.aerohive.com/aerohiv...

Thank you in advance.

Shawn Collier


Posted 5 years ago


Shawn Collier

I'm not sure if this makes a difference, but the model type is BR200-WP.

Brian Ambler

Hello Shawn,

To enable Port Forwarding on a Branch Router (the config is the same for the BR100, BR200 and BR200-WP), navigate to "Configuration > Networks", select the network on which your client has its static IP address assigned and click on the link for the subnetwork you have configured.


Make sure you have DHCP configured on the subnetwork and have reserved up to the IP address which you have assigned to your server. Keep in mind that the reserved IP addresses are offset by the address of the Branch Router. For example, if you have selected to use the first IP address of the partitioned subnetwork for the default gateway (x.x.x.1), then if you have reserved 10 addresses they will be x.x.x.2 through x.x.x.11. Once you have reserved addresses from the DHCP pool, expand the option for "Network Address Translation (NAT) Settings".


From here you can tick the checkbox to "Enable port forwarding through the WAN interfaces". Be sure to click the button to "View Aerohive Ports" to view the system ports that are reserved on the Branch Router and therefore unable to be used in forwarding ports.


Once enabled, you are now able to configure the port forwarding rules required for your server(s) by clicking "New".


At this point you can configure the rule to forward the needed ports to your server. For example, if the Branch Router has an IP address of 1.1.1.1 and your server has been assigned 1.1.1.11, make sure that you choose 10 for the "Local Host IP Address (Position in Excluded IP Addresses)" as the addresses are offset by one.


All that is needed at this point is to save these changes and push them out to your Branch Router. If you need more detailed descriptions of any of the above settings, please see the help, which I have excerpted below for convenience. Of course, if you have any specific questions which I have not addressed thoroughly, please let me know and I will do my best to address them.

Enable port forwarding through the WAN interfaces: (select)

Port forwarding on the WAN interface of a BR100, BR200, AP330, or AP350 in branch router mode allows remote computers on the public network to connect to a specific host, such as an HTTP server, on the private network behind the router.

The Aerohive branch router has a single public IP address on its WAN interface and performs NAT on all outbound traffic to the Internet. If you require access to your LAN behind the router, you can use port forwarding to map inbound traffic to the internal IP address and port number of servers on the private LAN.

A router accomplishes this by mapping incoming traffic to a specific destination port on its WAN/ETH0 interface to a host on the private LAN connected to one of its LAN interfaces.

To set up port forwarding, configure the IP addresses to which hosts send traffic, the destination port number, the local host IP address, the internal host port number, and the traffic protocol.

For example, Site 2 operates an HTTP server on port 8080. By default, the router denies all incoming connections to avoid exposure to potential security risks. In this example, you can configure a port forwarding rule that maps all incoming TCP connections to port 8080 on the WAN/ETH0 interface to port 80 of the host at 192.168.1.2. If a client at 1.1.1.1 initializes an HTTP connection request to 2.2.2.2:8080, which is the IP address of the WAN/ETH0 interface on the router and the destination port number in the port forwarding rule, the router translates the destination to 192.168.1.2:80. For the HTTP response, the router reverses the translation from 192.168.1.2:80 to 2.2.2.2:8080.

For each WAN interface, the current port forwarding feature allows you to map up to 16 ports to the first 50 reserved static IP addresses that you excluded from the larger DHCP address pool for access to certain branch devices.

Click View Aerohive Ports to display the ports on the WAN interface.
Click New and enter the following parameters to map inbound traffic to an internal host, and then click Apply:

Destination Port Number: Select and enter the destination port number of the inbound traffic. Inbound traffic on the WAN interfaces is mapped to an internal host based on the destination port number.

Local Host IP Address: Enter the private IP address of the internal host, such as that of an HTTP server. The IP address of the host must be among the excluded addresses at the start of the DHCP pool. If DHCP is not enabled for the subnetwork, all IP addresses are considered excluded.

Internal Host Port Number: Enter the port number on which the host receives traffic. This can be the same as the destination port number or a different one.

Traffic Protocol: Use the drop-down list to choose the protocol of the inbound traffic: Any, TCP, or UDP.


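As an added example (not Aerohive's code and not from this thread), the two calculations Brian's reply and the help text describe, written in Python: the "Position in Excluded IP Addresses" offset for a server behind the gateway, and the inbound/response port translation for the 2.2.2.2:8080 to 192.168.1.2:80 case. The ForwardRule class and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    dest_port: int          # destination port on the WAN/ETH0 interface
    local_host: str         # private IP of the internal server
    internal_port: int      # port the server actually listens on
    protocol: str = "TCP"   # "TCP", "UDP" or "Any", as in the rule's drop-down


def excluded_position(gateway, host, reserved=None):
    """Return the 1-based 'Position in Excluded IP Addresses' for host.

    The router takes the gateway address itself, so the reserved block starts
    at gateway+1: with gateway x.x.x.1 and 10 reserved addresses the block is
    x.x.x.2 .. x.x.x.11, and x.x.x.11 is position 10.  reserved=None models a
    subnetwork without DHCP, where every address counts as excluded.
    """
    pos = int(ipaddress.ip_address(host)) - int(ipaddress.ip_address(gateway))
    if pos < 1 or (reserved is not None and pos > reserved):
        raise ValueError(f"{host} is not inside the reserved block after {gateway}")
    if pos > 50:
        raise ValueError("forwarding only reaches the first 50 excluded addresses")
    return pos


def translate_inbound(rules, wan_ip, dst_ip, dst_port, proto):
    """Rewrite an inbound packet's destination with the first matching rule.

    Returns (local_host, internal_port), or None when nothing matches, which is
    the router's default deny for unsolicited inbound connections.
    """
    if dst_ip != wan_ip:
        return None
    for r in rules:
        if r.dest_port == dst_port and r.protocol in ("Any", proto):
            return (r.local_host, r.internal_port)
    return None


def translate_reply(rules, wan_ip, src_ip, src_port, proto):
    """Reverse the translation on the server's response so the client sees the
    WAN address and the destination port it originally connected to."""
    for r in rules:
        if (r.local_host, r.internal_port) == (src_ip, src_port) \
                and r.protocol in ("Any", proto):
            return (wan_ip, r.dest_port)
    return None
```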

Shawn Collier

Very good instructions here. Took me a minute to configure thanks to the level of detail provided. Worked like a charm.
Thank you Brian and thank you to all the Aerohive support team.

Jornt Weyts

Is there a way to forward port 80 and/or 443?

Mike Kouri, Official Rep

Jornt,
I believe that Brian's steps documented above should work for you simply by changing the ports. Have you tried that already and had problems?

Jornt Weyts

Hi Mike,
I did use the method of Brian to forward several ports successfully, but ports 80 and 443 appear to be on the 'no go'-list from Aerohive (including [TCP] 22,23,80,443,3007,32768-61000).
I'm wondering if anyone found a way around this because obviously users will be requesting to forward these ports a lot.


ulf

Jornt,
I'm using port 80 on the outside interface, and it works smoothly. It's version 6.1r3.
See conf...


/Ulf

Brian Ambler

Hi Jornt,

While you may not be able to forward Aerohive reserved ports such as 80/443, by the nature of port forwarding the destination port does not need to match the source port. For example, at home I have a BR200-WP as my main router and have a number of reserved ports forwarded through to different destination ports:


The ports that we filter/block from being forwarded are the destination ports, not the internal port. This allows you to forward 80/443/22 or any other reserved ports to non-reserved ports such as 8443 or 333 as in the above screencap.

Sorry if you already knew this and were looking for a way to directly forward reserved ports (443 => 443), but there is no current way to do this of which I am aware. Since the Branch Routers host a web server, SSH server, VPN client, etc. those ports are reserved in the destination list for other Aerohive products to utilize.

Hope this helps

Chris

How does this work if you only want to apply the port forward to a specific branch? This looks like a global network policy setting. We use the same policy for a whole state and break up the subnets using the tags.

Andrew Garcia, Official Rep

Might want to go with Supplemental CLI. Add these two commands.

ip nat-policy <appname> type virtual-host inside-host <internal IP address> inside-port <realportnumber> outside-port <externalportnumber> protocol <tcp/udp>
interface eth0 mode wan nat-policy <appname>
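An added example (not Aerohive's code and not from this thread) covering two points made above: Brian's note that only the WAN-side destination port is filtered against the reserved list, and the supplemental CLI lines Andrew posted. The reserved port set is taken from Jornt's report in this thread and is an assumption that may differ by HiveOS version (ulf reports port 80 working on 6.1r3); the function names, the 16-rule check from the help text, and the duplicate check are mine.

```python
# Reserved WAN-side (destination) TCP ports as Jornt reported them in this thread:
# 22, 23, 80, 443, 3007 and 32768-61000.  Constructed from that report, not an
# official list; it may differ by HiveOS version, so compare it with
# "View Aerohive Ports" on your own device before relying on it.
RESERVED_TCP_DEST_PORTS = frozenset({22, 23, 80, 443, 3007} | set(range(32768, 61001)))
MAX_RULES_PER_WAN = 16   # per-WAN-interface limit quoted in the help text above

def check_rule(dest_port, internal_port, protocol="tcp"):
    """Return the problems with one rule (empty list = acceptable).
    Only the WAN-side destination port is filtered; the internal port may be a
    reserved number, so 8443 -> 443 passes while 443 -> 443 does not."""
    problems = []
    for name, port in (("destination", dest_port), ("internal", internal_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{name} port {port} is out of range")
    proto = protocol.lower()
    if proto not in ("tcp", "udp", "any"):
        problems.append(f"unknown protocol {protocol!r}")
    elif proto != "udp" and dest_port in RESERVED_TCP_DEST_PORTS:
        problems.append(f"destination port {dest_port} is reserved on the WAN side; "
                        f"pick a non-reserved destination port and keep {internal_port} internal")
    return problems

def check_ruleset(rules):
    """rules: iterable of (dest_port, internal_port, protocol).  Also catches
    more than 16 rules and two rules claiming the same destination port."""
    problems, seen = [], set()
    for dest_port, internal_port, protocol in rules:
        problems += check_rule(dest_port, internal_port, protocol)
        key = (dest_port, protocol.lower())
        if key in seen:
            problems.append(f"destination port {dest_port}/{protocol} is mapped twice")
        seen.add(key)
    if len(seen) > MAX_RULES_PER_WAN:
        problems.append(f"more than {MAX_RULES_PER_WAN} rules on one WAN interface")
    return problems

def supplemental_cli(name, inside_host, inside_port, outside_port, protocol):
    """Render the two supplemental CLI lines Andrew posted, for a per-device
    policy, refusing to emit a rule the checker would reject."""
    if protocol.lower() not in ("tcp", "udp"):
        raise ValueError("the nat-policy command takes tcp or udp")
    problems = check_rule(outside_port, inside_port, protocol)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"ip nat-policy {name} type virtual-host inside-host {inside_host} "
        f"inside-port {inside_port} outside-port {outside_port} protocol {protocol.lower()}",
        f"interface eth0 mode wan nat-policy {name}",
    ]
```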