Port Forwarding - Cipafilter Documentation

Manual - Port Forwarding

Port Forwarding is a system by which traffic to the filter can be forwarded directly to devices inside your network. When a client connects to the specified port on an IP address belonging to the filter, the filter causes it to instead connect to the specified target IP/port. This feature can be used to, for example, forward RDP connections to an internal server.

  1. Filter IP specifies the IP address of the filter on which the port forward is active. Only connections to the specified IP are considered for forwarding. If the filter is configured as a DHCP client, a special DHCP — eth# option will appear which ensures that the rule applies to whatever IP is assigned to the specified interface at connection time.
  2. Protocol specifies which network protocol the port forward applies to. Only the TCP and UDP protocols actually use port numbers; selecting another protocol will forward all traffic of that type to the destination.
    1. The special All protocol option activates a 1-to-1 NAT between the Source IP and the Target IP. In addition to standard port forwarding (all traffic to the Source IP will be directed to the Target IP), all outbound traffic from the Target IP will also appear to come from the Filter IP.
  3. Filter Port(s) specifies the port number(s) on the filter side to which the forward should apply. As mentioned, this field is only applicable with the TCP and UDP protocols. Any combination of single ports and colon-delimited port ranges may be supplied, separated by commas; for example, 123,456,789:799 specifies the single ports 123 and 456, and the range of ports between 789 and 799 (inclusive). Up to 15 distinct port references can be used per rule. The keyword all can also be used to specify that all TCP/UDP traffic is to be forwarded.
  4. Source Type specifies how sources (clients) will be identified. Subnet is a traditional IP-based forward (which only applies to connections from the specified IP or subnet), but rules can also be applied on the basis of Group, Network Object, and Interface. There is also an Anywhere type, which is effectively the same as Subnet with a value of 0.0.0.0/0.
  5. Source is the value used to identify sources (clients) which corresponds to the selected Source Type. For example, if the Subnet type is selected, the source IP or subnet is entered here. Only clients matching this type/value will be considered for forwarding.
  6. Target IP specifies the IP address which serves as the destination of the forwarded traffic. It is typically a private IP on the filter's local network.
  7. Target Port(s) specifies the port number(s) on the target (destination) side to which traffic should be forwarded. It works similarly to Filter Port(s).
  8. Log controls connection logging for the rule. When enabled, traffic forwarded by the rule is logged (when the connection is established) and can be inspected via Web Reports under Forensics. Please note that logging port forwards can be resource-intensive; the feature is intended to be used sparingly.
Warning: Forwarding TCP port 443 or 22 on your router's only outside IP will make the Cipafilter's Web interface or remote management system (respectively) unreachable. If forwarding of these ports is required, attempt to obtain a second IP for your router. If this is not feasible, be sure that there is at least a second private IP address on the router, so you can manage the Cipafilter yourself.
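As an added example (not Cipafilter's own code), the following Python validator implements the Filter Port(s) syntax described above (comma-separated ports and colon ranges, the 15-reference limit, the all keyword) and turns the warning about TCP 443/22 on a single outside IP into a pre-deployment check. The rule dictionary keys, the check_rule helper and the sample addresses are assumptions made for illustration.

```python
# Added example (not Cipafilter's code): validator for the Filter Port(s) syntax
# described above, plus the "TCP 443/22 on the only outside IP" warning as a check.
MAX_PORT_REFS = 15  # the manual allows up to 15 distinct port references per rule
MANAGEMENT_PORTS = {443: "Web interface", 22: "remote management"}

# Constructed sample rule (assumed dict layout): an RDP forward that also,
# by mistake, includes port 443 on the router's only public address.
SAMPLE_RULE = {"protocol": "TCP", "filter_ip": "203.0.113.10",
               "filter_ports": "3389,443", "target_ip": "192.168.1.20"}


def _port(text: str) -> int:
    """Parse one port number, enforcing the 1-65535 range."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port number: {text!r}")
    return int(text)


def parse_ports(spec: str):
    """Parse '123,456,789:799' into sorted (low, high) pairs; 'all' returns None."""
    spec = spec.strip()
    if spec.lower() == "all":
        return None
    refs = set()  # a set, so repeated references count once ("distinct")
    for item in spec.split(","):
        lo, sep, hi = item.strip().partition(":")
        low = _port(lo)
        high = _port(hi) if sep else low  # single port == degenerate range
        if low > high:
            raise ValueError(f"reversed range: {item.strip()!r}")
        refs.add((low, high))
    if len(refs) > MAX_PORT_REFS:
        raise ValueError(f"{len(refs)} references exceed the limit of {MAX_PORT_REFS}")
    return sorted(refs)


def covers(refs, port: int) -> bool:
    """True if the parsed spec (None meaning 'all') includes the given port."""
    return refs is None or any(lo <= port <= hi for lo, hi in refs)


def check_rule(rule: dict, only_outside_ip: str) -> list:
    """Warn when a TCP rule on the router's single outside IP would swallow
    the filter's own management ports (the warning from the manual above)."""
    if rule["protocol"].upper() != "TCP" or rule["filter_ip"] != only_outside_ip:
        return []  # only TCP uses these ports; other filter IPs are unaffected
    refs = parse_ports(rule["filter_ports"])
    return [f"forwarding TCP {port} on {only_outside_ip} makes the {service} unreachable"
            for port, service in MANAGEMENT_PORTS.items() if covers(refs, port)]
```

Running check_rule over every rule before saving the configuration catches the lock-out case while the second IP or private management address suggested above is still reachable.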
