IP forwarding settings
When a Digi device acts as a router and communicates on both a private and public network with different interfaces, it is sometimes necessary to forward certain connections to other devices. This is also known as Network Address Translation (NAT) or Port Forwarding.
When an incoming connection is made to the device on the private network, the IP port is searched for in the table of port forwarding entries. If the IP port is found, that connection is forwarded to another specific device on the public network. The options and features described in this section are only supported on some products and some firmware versions.
Port Forwarding/NAT is useful when external devices cannot communicate directly with devices on the public network of the Digi device. For example, this may occur because the device is behind a firewall. By using port forwarding, the connections can pass through the networks transparently. Also, Port Forwarding/NAT allows multiple devices on the private network to communicate with devices on the public network by using a shared private IP address that is controlled by Port Forwarding/NAT.
Use port forwarding to connect from a Digi device to a RealPort device. For this type of connection to occur, your mobile wireless provider must be mobile-terminated.
IP Forwarding settings include:
- Enable IP Routing: Enables or disables IP forwarding.
- Apply the following static routes to the IP routing table: You can configure the Digi device with permanent static routes. These routes are added to the IP routing table when this device boots, or afterward when network interfaces become active or changes are made to this list of static routes. Use static routes to route IP datagrams to a network that is not a local network or accessible through the default route.
- Network Address Translation (NAT) Settings: A list of instances of NAT settings appears. For each instance, the settings are:
- Enable Network Address Translation (NAT): Permit the translation and routing of IP packets between private (internal) and public (external) networks. Refer to NAT configuration options below. Some Digi device models permit the configuration of NAT instances for more than one network interface.
- NAT Public Interface: The name of the network interface for which NAT will perform address and port translations. The list of interfaces available for NAT configuration varies according to the capabilities of your Digi device model.
- NAT Table Size Maximum: The maximum number of entries that you can add to the NAT table. These entries include the configured port and protocol forwarding rules (see Forward TCP/UDP/FTP Connections and Forward Protocol Connections below), the DMZ Forwarding rule (see Enable DMZ Forwarding to this IP address below), as well as dynamic rules for connections that are created and removed during the normal operation of NAT. You can configure the NAT table size maximum value for any value in the range 64 through 1024, with the default value of 256 entries. Note that this setting does not control the maximum number of port or protocol forwarding rules that you can configure in their respective settings.
- Enable DMZ Forwarding to this IP address: DMZ Forwarding allows you to specify a single host (DMZ Server) on the private (internal) network that is available to anyone with access to the NAT Public Interface IP address, for any TCP- and UDP-based services that haven't been configured. Services enabled directly on the Digi device take precedence over (are not overridden by) DMZ Forwarding. Similarly, TCP and UDP port forwarding rules take precedence over DMZ Forwarding (please see Forward TCP/UDP/FTP Connections below). DMZ Forwarding is effectively a lowest priority default port forwarding rule that doesn't permit the same remapping of port numbers between the public and private networks, as is possible if you use explicit port forwarding rules.
If enabled, incoming TCP and UDP packets from the public (external) network use the DMZ Forwarding rule only when no other rule applies to them. These other rules include explicit port forwarding rules and existing dynamic rules that were created for previous communications, whether outbound (private to public) or inbound (public to private). The DMZ Forwarding rule is also not used if there is a local port on the Digi device to which the packet can be delivered; this includes TCP service listener ports as well as UDP ports that are open for various services and clients. DMZ Forwarding does not interfere with established TCP or UDP connections, either to local ports or through configured or dynamic NAT rules. Outbound communications (private to public) from the DMZ Server are handled in the same manner as outbound communications from other hosts on the same private network.
WARNING! DMZ Forwarding presents security risks for the DMZ Server. Configure the DMZ Forwarding option only if you understand and are willing to accept the risks associated with providing open access to this server and your private network.
- Forward protocol connections from external networks to the following internal devices: Enables protocol forwarding to the specified internal devices. Currently, the only IP protocols for which protocol forwarding is supported are:
- Generic Routing Encapsulation (GRE, IP protocol 47).
- Encapsulating Security Payload (ESP, IP protocol 50, tunnel mode only).
These are routing protocols that route (tunnel) various types of information between networks. If your network needs to use the GRE or ESP protocol between the public and private networks, enable this feature accordingly.
- Forward TCP/UDP/FTP connections from external networks to the following internal devices: Specifies a list of forwarding entries, each keyed on a specific IP port, together with the internal device to which those connections are forwarded. Typically the connecting devices come from the public side of the network and are redirected to a device on the private side of the network.
You can forward a single port or a range of ports. To forward a range of ports, specify the number of ports in the range, in the Range Port Count field for the port forwarding entry. When a range is configured, the first port in the range is specified, and the full range is indicated in the displayed entry information.
Note that FTP connections require special handling by NAT. This is because the FTP commands and replies are character-based, and some of them contain port numbers in this message text. Those embedded port numbers potentially need to be translated by NAT as messages pass between the private and public sides of the network. For this reason, you should select FTP as the protocol type when configuring a rule for FTP connection forwarding to an FTP server on the private network side. If you use TCP, FTP communications may not work correctly. Note also that TCP port 21 is the standard port number for FTP. Finally, using port ranges for FTP forwarding is not supported; a port count of 1 is required.
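The lookup order described under DMZ Forwarding above (local listener ports first, then explicit and dynamic NAT rules, DMZ last and without port remapping) and the entry constraints in this section (Range Port Count, the port-count-of-1 requirement for FTP, the 64 through 1024 NAT table size limit) are modelled in the following Python example. It is an added illustration, not Digi firmware code; it assumes that explicit rules are consulted before dynamic entries (the page only states that both take precedence over DMZ) and that a forwarded port range maps to private ports at the same offset.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class ForwardRule:
    proto: str         # "TCP", "UDP" or "FTP" (FTP rides on TCP but gets command inspection)
    public_port: int   # first port of the range on the NAT Public Interface
    port_count: int    # Range Port Count; 1 forwards a single port
    private_ip: str
    private_port: int  # first private port; assumed to map range offsets 1:1

def rule_errors(rule: ForwardRule) -> list:
    """Return the configuration errors for one forwarding entry (empty if valid)."""
    errors = []
    if rule.proto not in ("TCP", "UDP", "FTP"):
        errors.append("protocol must be TCP, UDP or FTP")
    if rule.port_count < 1 or rule.public_port < 1 or rule.public_port + rule.port_count - 1 > 65535:
        errors.append("port range must lie within 1-65535")
    if rule.proto == "FTP" and rule.port_count != 1:
        errors.append("FTP forwarding requires a port count of 1")
    return errors

def table_size_ok(size: int) -> bool:
    """NAT Table Size Maximum is limited to 64 through 1024 (default 256)."""
    return 64 <= size <= 1024

@dataclass
class NatConfig:
    local_ports: set = field(default_factory=set)   # (proto, port) listeners on the Digi device
    rules: list = field(default_factory=list)       # explicit ForwardRule entries
    dynamic: dict = field(default_factory=dict)     # (proto, port) -> (ip, port) from earlier traffic
    dmz_ip: Optional[str] = None                    # DMZ Server, or None if DMZ Forwarding is off

def resolve_inbound(cfg: NatConfig, proto: str, dst_port: int):
    """Decide where an inbound public-side packet goes, in the precedence the page describes."""
    # 1. A local listener on the device always wins; DMZ never overrides it.
    if (proto, dst_port) in cfg.local_ports:
        return ("local", None)
    # 2. Explicit port forwarding rules (checked before dynamic entries; that order is an assumption).
    for r in cfg.rules:
        wire_proto = "TCP" if r.proto == "FTP" else r.proto
        if proto == wire_proto and r.public_port <= dst_port < r.public_port + r.port_count:
            return ("rule", (r.private_ip, r.private_port + dst_port - r.public_port))
    # 3. Dynamic entries created by earlier inbound or outbound communications.
    if (proto, dst_port) in cfg.dynamic:
        return ("dynamic", cfg.dynamic[(proto, dst_port)])
    # 4. DMZ Forwarding: lowest priority, TCP/UDP only, and never remaps the port number.
    if cfg.dmz_ip is not None and proto in ("TCP", "UDP"):
        return ("dmz", (cfg.dmz_ip, dst_port))
    return ("drop", None)
```

Running `resolve_inbound` over a constructed config shows why a stray local listener or a dynamic entry silently keeps traffic away from the DMZ Server, which is worth checking before enabling DMZ Forwarding.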