set nat
Purpose
Used to set or display Network Address Translation (NAT) and port/protocol forwarding settings.
Note that at this time, the only IP protocols for which protocol forwarding is supported are:
- Generic Routing Encapsulation (GRE, IP protocol 47)
- Encapsulating Security Payload (ESP, IP protocol 50, tunnel mode only).
Port forwarding is supported for the TCP and UDP protocols.
You can forward a single port or a range of ports. To forward a range of ports, specify the number of ports in the range using the pocount option in the port forwarding entry.
Required permissions
For Digi products with two or more users, to use this command, permissions must be set to “set permissions s-router=read” to display settings, and “set permissions s-router=rw” to display and configure settings. See set permissions for details on setting user permissions for commands.
Syntax
Set NAT and port/protocol forwarding settings
set nat
instance=1-8 (required for devices supporting more than one NAT instance)
[ifname=public network interface name]
[enabled={on|off}]
[maxentries=64-1024]
[dmzenabled={on|off}]
[dmzip=ip address]
[prenabled[1-4]={on|off}]
[prnumber[1-4]={gre|esp}]
[prtype[1-4]=type]
[prip[1-4]=ipaddress]
[poenabled[1-64]={on|off}]
[poproto[1-64]={tcp|udp|ftp}]
[pocount[1-64]=number of ports in range, minimum 1]
Note: must be 1 for "poproto=ftp"
[poexternal[1-64]=port number]
[pointernal[1-64]=port number]
[poip[1-64]=ipaddress]
Display NAT and port/protocol forwarding settings
set nat
Options
instance=1-8
For Digi devices that support multiple NAT instances for different network interfaces, the NAT instance to which the set nat command applies. Required for devices supporting more than one NAT instance; that includes nearly all Digi products that support NAT.
ifname=public network interface name
The name of the network interface for which NAT performs address and port translations. The list of interfaces available for NAT configuration varies according to the capabilities of your Digi device server model. For this device, valid interface names are:
mobile0, vpn0, vpn1, vpn2, vpn3, vpn4, eth0.
enabled={on|off}
Enables or disables NAT. Note that IP forwarding must be enabled by the set forwarding command for NAT to work.
on
Enable NAT.
off
Disable NAT.
dmzenabled={on|off}
Enables or disables DMZ forwarding to the IP address specified by the dmzip=ip address option.
DMZ forwarding allows specifying a single host, known as a DMZ server, on the private (internal) network that is available to anyone with access to the NAT public interface IP address, for any TCP- and UDP-based services that have not been configured. Services enabled directly on the Digi device server take precedence over, and are not overridden by, DMZ forwarding. Similarly, TCP and UDP port forwarding rules take precedence over DMZ forwarding. DMZ forwarding is effectively a lowest-priority default port forwarding rule that does not permit the same remapping of port numbers between the public and private networks, as is possible when using explicit port forwarding rules.
If enabled, the DMZ forwarding rule is used for incoming TCP and UDP packets from the public (external) network, for which there is no other rule. These other rules include explicit port forwarding rules or existing dynamic rules that were created for previous communications, be those outbound (private to public) or inbound (public to private). Also, the DMZ Forwarding rule is not used if there is a local port on the Digi device server to which the packet may be delivered. This includes TCP service listener ports as well as UDP ports that are open for various services and clients. DMZ forwarding does not interfere with established TCP or UDP connections, either to local ports or through configured or dynamic NAT rules. Outbound communications (private to public) from the DMZ server are handled in the same manner as the outbound communications from other hosts on that same private network.
Security Warning: DMZ forwarding presents security risks for the DMZ server. Configure the DMZ forwarding option only if you understand and are willing to accept the risks associated with providing open access to this server and your private network.
dmzip=ip address
The IP address used for DMZ Forwarding.
maxentries=64-1024
The maximum number of concurrent NAT table entries that the device supports. This setting effectively limits the number of concurrent NAT rules and sessions that are permitted before disallowing them for resource constraint purposes. The maximum entries can range from 64 through 1024. The default is 256.
prenabled[1-4]={on|off}
Enables one of the four protocol-forwarding entries.
on
Enable this protocol-forwarding entry.
off
Disable this protocol-forwarding entry.
prnumber[1-4]={gre|esp}
The IP protocol whose packets will be forwarded for this entry.
gre
Indicates that the Generic Routing Encapsulation (GRE) protocol will be forwarded.
esp
Indicates that the Encapsulating Security Payload (ESP) protocol will be forwarded.
At this time, GRE and ESP (tunnel mode only) are the only protocols supported by the protocol-forwarding feature.
prtype[1-4]=type
This option is deprecated and unused by the device.
prip[1-4]=ipaddress
The IP address to which packets of the selected protocol (GRE or ESP) will be forwarded.
poenabled[1-64]={on|off}
poproto[1-64]={tcp|udp|ftp}
pocount[1-64]=number of ports in range, minimum 1
poexternal[1-64]=port number
pointernal[1-64]=port number
poip[1-64]=ipaddress
These poxxx options are grouped for each N in the [1-64] range to specify a single port forwarding rule. That is, the first port forwarding rule is defined by the values of: poenabled1, poproto1, pocount1, poexternal1, pointernal1, and poip1. The end of each option name specifies the index for the entry (1-64), for example, poenabled1=on or poproto1=tcp.
poenabled[1-64]={on|off}
Used to enable or disable one of the 64 port forwarding entries.
on
Enable this port forwarding entry.
off
Disable this port forwarding entry.
poproto[1-64]={tcp|udp|ftp}
The IP protocol associated with this port forwarding entry.
tcp
A TCP port is forwarded.
udp
A UDP port is forwarded.
ftp
The port forwarding rule is for an FTP server on the private side of the NAT. This keyword allows use of TCP ports other than TCP port 21 for private-side (or “inner”) FTP servers.
pocount[1-64]=number of ports in range, minimum 1
The number of consecutive ports in a port-forwarding range. This option allows you to forward more than one port in a single port-forwarding entry. When a range is configured, the first port in the range is specified, and the full range is indicated in the displayed entry information. The default is 1. If the IP protocol for the port forwarding entry is FTP (poproto[1-64]=ftp), the value for this option can only be 1.
poexternal[1-64]=port number
The external (or public) port that will be forwarded for this entry.
pointernal[1-64]=port number
The internal (or private) port to which packets will be forwarded for this entry. This value is a port number on the host whose IP address is specified by the poip option value for this entry.
poip[1-64]=ipaddress
The IP address of the host to which packets will be forwarded for this entry.
Examples
Enable NAT and specify settings for port forwarding entry 1
These example commands will enable NAT for the mobile0 (cellular) interface as instance 1, with a maximum of 128 NAT entries (static or dynamic rules) permitted. A port forwarding rule is added to that NAT instance to enable the forwarding of TCP packets received at port 4009 of the public (mobile) interface of the device server, to TCP port 7008 of the host whose IP address is 143.191.1.228 on the Ethernet side of the device server.
#> set nat instance=1 ifname=mobile0 enabled=on maxentries=128
#> set nat instance=1 poenabled1=on poproto1=tcp poexternal1=4009 pointernal1=7008 poip1=143.191.1.228
In these examples, the pocount1=1 option is not specified. The default is 1, unless otherwise specified or previously specified for the port forwarding rule entry in the indicated index slot.
Note that the forwarding to 143.191.1.228 through the Ethernet interface will occur only if the IP routing table (forwarding) of the device server is such that access to 143.191.1.228 is through that Ethernet interface. A typical NAT configuration has a public IP address on the WAN side and a private IP address and subnet on the LAN side. Sometimes, if the destination address for port forwarding isn't on the LAN subnet, then a static route is added to the IP routing table to make that forward as desired. The set forwarding command provides the means by which static routes can be configured.
Additional port forwarding rules can be configured for this enabled NAT instance=1 at any time, and they will be immediately made active in the device. Each rule should specify a different index as the last part of the poxxx options.
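The following is an added example, not part of this reference or of Digi's firmware: a small Python checker that parses "set nat" command lines like the ones above, enforces the constraints this page states (poproto values, pocount defaulting to 1 and required to be 1 for FTP entries), flags DMZ forwarding as a risk, and expands each enabled entry into its external port range. The sample commands, the expansion of pocount into consecutive external ports, and the 10.0.0.x addresses are assumptions made for the example.

```python
import re

# Constructed sample (not from the page's CLI output): the two commands from the
# Examples section plus a hypothetical third line (misconfigured FTP entry, DMZ on).
SAMPLE = """
#> set nat instance=1 ifname=mobile0 enabled=on maxentries=128
#> set nat instance=1 poenabled1=on poproto1=tcp poexternal1=4009 pointernal1=7008 poip1=143.191.1.228
#> set nat instance=1 poenabled2=on poproto2=ftp pocount2=4 poexternal2=2121 pointernal2=21 poip2=10.0.0.9 dmzenabled=on dmzip=10.0.0.50
"""
TOKEN_RE = re.compile(r"^([a-z]+?)(\d*)=(\S+)$")  # poenabled1=on -> ('poenabled', '1', 'on')

def parse_set_nat(text):
    """Merge all 'set nat' lines into one dict keyed by (option name, index or None)."""
    cfg = {}
    for line in text.strip().splitlines():
        parts = line.replace("#>", "", 1).split()
        if parts[:2] != ["set", "nat"]: raise ValueError("not a set nat command: %r" % line)
        for tok in parts[2:]:
            m = TOKEN_RE.match(tok)
            if not m: raise ValueError("bad option token: %r" % tok)
            name, idx, val = m.groups()
            cfg[(name, int(idx) if idx else None)] = val
    return cfg

def check_set_nat(cfg):
    """Return findings: constraint violations from the reference plus the DMZ risk."""
    out = []
    for idx in range(1, 65):                      # one pass per port forwarding entry
        if cfg.get(("poenabled", idx)) != "on":
            continue
        proto, count = cfg.get(("poproto", idx)), int(cfg.get(("pocount", idx), "1"))  # default 1
        if proto not in ("tcp", "udp", "ftp"):
            out.append("poproto%d must be tcp|udp|ftp" % idx)
        if proto == "ftp" and count != 1:
            out.append("pocount%d must be 1 when poproto%d=ftp" % (idx, idx))
    if cfg.get(("dmzenabled", None)) == "on":
        out.append("RISK: dmzenabled=on exposes every unconfigured TCP/UDP port of %s"
                   % cfg.get(("dmzip", None), "<dmzip unset>"))
    return out

def expand_port_rules(cfg):
    """Enabled entries as (idx, proto, (ext_first, ext_last), int_first, ip).
    Assumption: the range is pocount consecutive external ports starting at poexternal."""
    rules = []
    for idx in range(1, 65):
        if cfg.get(("poenabled", idx)) == "on":
            ext, count = int(cfg[("poexternal", idx)]), int(cfg.get(("pocount", idx), "1"))
            rules.append((idx, cfg.get(("poproto", idx)), (ext, ext + count - 1),
                          int(cfg[("pointernal", idx)]), cfg.get(("poip", idx))))
    return rules
```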
Display NAT and port/protocol forwarding settings
#> set nat
See also
- revert: The revert nat command reverts the settings configured by this command.
- set forwarding
- show vpn for information on NAT traversal (NAT-T).
- show: The show nat command shows the current NAT settings in a Digi device.
- Internet Engineering Task Force (IETF) document IETF RFC 3715, “IPsec-Network Address Translation (NAT) Compatibility Requirements” for information on NAT traversal.