Typically all computers connected to a router are protected by the router’s firewall. To allow a computer on the Internet to connect through the router to a specific computer it is necessary to either manually forward the required ports (directions below), or to place the device/computer into the Cradlepoint’s Demilitarized Zone (DMZ). For more information about adding a device to the DMZ, refer to this article.
Before getting started, you will want to ensure that the IP address you are getting from your ISP is publicly routable. For more information on verifying whether your WAN IP address is publicly routable, refer to: How can I tell if my IP address is publicly routable?
Before forwarding any ports from the Internet, you will also want to make sure that you are able to access your server from a local IP address. For example, if you have a local web server running on IP 192.168.0.100 listening on port 8888, you will want to make sure that another locally connected computer (like a laptop on 192.168.0.111) is able to access the web server at http://192.168.0.100:8888. Once you know that the server is working locally, adding a port forward to that device will allow users connecting from the Internet to access that server using the WAN IP address.
You will also want to be sure that the device/computer being forwarded to is always assigned the same IP address from the Cradlepoint router. To ensure that the device/computer is always assigned the same IP address from the Cradlepoint router via DHCP Reservation, refer to this article.
Configuration Difficulty: Beginner
Step 1: Log into the router's Setup Page. For help with logging in please click here.
Step 2: Click on Security, drop down Zone Firewall, and select Port Forward/Proxy.
Step 3: Click Add to create a new Port Forwarding Rule.
Step 4: Give your rule a unique Name.
Step 5: Enter the Internet Port(s) and Local Port(s).
- Note: These are dependent on the port the client device is using for communication. Check with the manufacturer if you are unsure of what ports need to be forwarded.
Step 6: Enter the Local Computer's IP address.
Step 7: Click Submit.
You will now see your Port Forwarding Rule listed under Port Forwarding Rules. With this rule in place, traffic that reaches the Cradlepoint’s WAN interface on that port is forwarded to the internal client device.
Note: Many ISPs block some or all ports from the Internet. You may want to check with your ISP to determine whether any ports may be blocked. You may also want to configure your port forwarding rule to use a different unblocked port for the Internet than it uses locally. For example, if your ISP blocks incoming connections from the Internet on port 80 and your web server at 192.168.0.112:80 cannot be changed to listen on another port, you could set up a rule to forward traffic from an unblocked Internet port (like 8088) to local port 80 on the web server.
Restricting Remote Access
This use case describes how to limit remote access to a server to just a single remote IP.
Local server IP: 192.168.0.100
Local port: 80
Internet port: 20080
Remote worker's public IP: 18.104.22.168
Step 1: Navigate to Security>Zone Firewall>Filter Policies.
Step 2: Click Add at the top of the page.
Step 3: Give this policy a Name and verify that the filter action is set to Deny.
Step 4: Click Add within the Rules section.
Step 5: Give this Rule (policy exception) a Name.
Step 6: Change the action to Allow.
Step 7: Click the [+] icon in the Host section.
Step 8: Enter the remote worker's IP address, and hit the enter key to save the entry.
Step 9: Navigate to the Destination tab.
Step 10: Click the [+] icon in the Port section.
Step 11: Enter the Internet port that was specified during the port forwarding configuration, then hit the enter key to save this entry.
Step 12: Navigate to the Protocols tab.
Step 13: In the Protocols section, click the [X] icons to remove both entries.
Step 14: Click Save within the Rule Editor.
Step 15: Click Add within the Rules section to define one more rule.
Step 16: Name the rule, and verify the action is set to Deny.
Step 17: Navigate to the Protocols tab, and delete both entries.
Step 18: Click Save within the Rule Editor.
Step 19: Click Save within the Policy Editor.
Step 20: Navigate to the Security>Zone Firewall>Zone Forwarding tab.
Step 21: Select the forwarding sourced from the WAN Zone and going to the Primary LAN Zone, then click Edit.
Step 22: Click the drop-down arrow in the Filter Policy box to expand it.
Step 23: Select the policy that was created earlier in Step 19.
Step 24: Click Save, then click OK in the confirmation dialog.
That's it! Now, when someone tries to access our server 192.168.0.100 from the Internet, they will be blocked, unless they are specifically coming from IP address 22.214.171.124 and using port 20080.
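The policy built in Steps 1-24 can be modeled offline to check what it should and should not let through. This is an added example, not Cradlepoint code: the rule semantics (first matching rule wins, otherwise the policy default applies) are an assumption, and `REMOTE_WORKER` is a constructed stand-in for the remote worker's public IP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values from the use case above; REMOTE_WORKER is a constructed stand-in address.
PORT_FORWARDS = {20080: ("192.168.0.100", 80)}   # Internet port -> (local IP, local port)
REMOTE_WORKER = "203.0.113.10"

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: Optional[str] = None        # source host or CIDR; None matches any source
    dst_port: Optional[int] = None   # Internet-side port; None matches any port

    def matches(self, src_ip: str, port: int) -> bool:
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        return self.dst_port is None or self.dst_port == port

# Rule order mirrors Steps 4-18: the allow exception first, then the catch-all deny.
POLICY = [
    Rule("allow-remote-worker", "allow", src=REMOTE_WORKER, dst_port=20080),
    Rule("deny-everything-else", "deny"),
]

def evaluate(policy, src_ip, port, default="deny"):
    """Assumed semantics: first matching rule wins, else the policy default."""
    for rule in policy:
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    return default, "policy-default"

def inbound(src_ip, internet_port, policy=POLICY):
    """Return the LAN target a WAN connection reaches, or None if it is dropped."""
    action, _ = evaluate(policy, src_ip, internet_port)
    if action != "allow":
        return None
    return PORT_FORWARDS.get(internet_port)   # no forward configured -> nothing to reach

if __name__ == "__main__":
    for src, port in [(REMOTE_WORKER, 20080), ("198.51.100.7", 20080), (REMOTE_WORKER, 80)]:
        print(src, port, "->", inbound(src, port))
    # Misordered policy: the catch-all deny shadows the exception.
    print("reversed:", inbound(REMOTE_WORKER, 20080, policy=POLICY[::-1]))
```

After saving the real policy, confirm the same three outcomes from outside the network: the remote worker reaches the server on the Internet port, and any other source address or port is refused.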