NCOS: Configure Port Forwarding on a Cradlepoint router

Products Supported: AER2100, MBR1400v2, MBR1200B, CBA750B, IBR6x0, IBR11x0. Click here to identify your router.

NCOS Version: 6.0.0 - for information on upgrading NCOS, click here.


Summary

Typically all computers connected to a router are protected by the router’s firewall. To allow a computer on the Internet to connect through the router to a specific computer it is necessary to either manually forward the required ports (directions below), or to place the device/computer into the Cradlepoint’s Demilitarized Zone (DMZ). For more information about adding a device to the DMZ, refer to this article.

Before getting started, you will want to ensure that the IP address you are getting from your ISP is publicly routable. For more information on verifying whether your WAN IP address is publicly routable, refer to: How can I tell if my IP address is publicly routable?

Before forwarding any ports from the Internet, you will also want to make sure that you are able to access your server from a local IP address. For example, if you have a local web server running on IP 192.168.0.100 listening on port 8888, you will want to make sure that another locally connected computer (like a laptop on 192.168.0.111) is able to access the web server at http://192.168.0.100:8888. Once you know that the server is working locally, adding a port forward to that device will allow users connecting from the Internet to access that server using the WAN IP address.

You will also want to be sure that the device/computer being forwarded to is always assigned the same IP address from the Cradlepoint router. To ensure that the device/computer is always assigned the same IP address from the Cradlepoint router via DHCP Reservation, refer to this article.


Configuration

Configuration Difficulty: Beginner
  • Step 1: Log into the router's Setup Page. For help with logging in please click here.
  • Step 2: Click on Security, drop down Zone Firewall, and select Port Forward/Proxy.

  • Step 3: Click Add to create a new Port Forwarding Rule.

  • Step 4: Give your rule a unique Name.
  • Step 5: Enter the Internet Port(s) and Local Port(s).

    - Note: These are dependent on the port the client device is using for communication. Check with the manufacturer if you are unsure of what ports need to be forwarded.

  • Step 6: Enter the Local Computer's IP address.

  • Step 7: Click Submit.

You will now see your Port Forwarding Rule listed under Port Forwarding Rules. With this rule in place, the router forwards traffic that reaches the Cradlepoint’s WAN interface on that port to the internal client device.

Note: Many ISPs block some or all ports from the Internet. You may want to check with your ISP to determine whether any ports may be blocked. You may also want to configure your port forwarding rule to use a different unblocked port for the Internet than it uses locally. For example, if your ISP blocks incoming connections from the Internet on port 80 and your web server at 192.168.0.112:80 cannot be changed to listen on another port, you could set up a rule to forward traffic from an unblocked Internet port (like 8088) to local port 80 on the web server.


Use Cases

Restricting Remote Access

This use case describes how to limit remote access to a server to just a single remote IP.

The setup:

  • Local server IP: 192.168.0.100
  • Local port: 80
  • Internet port: 20080
  • Remote worker's public IP: 166.100.100.2

Configuration:

  • Step 1: Navigate to Security>Zone Firewall>Filter Policies.
  • Step 2: Click Add at the top of the page.

  • Step 3: Give this policy a Name and verify that the filter action is set to Deny.
  • Step 4: Click Add within the Rules section.

  • Step 5: Give this Rule (policy exception) a Name.
  • Step 6: Change the action to Allow.
  • Step 7: Click the [+] icon in the Host section.

  • Step 8: Enter the remote worker's IP address, and hit the enter key to save the entry.

  • Step 9: Click on the Destination tab.
  • Step 10: Click the [+] icon in the Port section.
  • Step 11: Enter the LAN port that was specified during the port forwarding configuration, then hit the enter key to save this entry.

Enter the LAN destination port number into the filter policy rule.

  • Step 12: Click Save within the Rule Editor.
  • Step 13: Click Add within the Rules section to define one more rule.
  • Step 14: Name the rule, and verify the action is set to Deny.
  • Step 15: Navigate to the Protocols tab, and delete both entries.
  • Step 16: Click Save within the Rule Editor.

  • Step 17: Click Save within the Policy Editor.

  • Step 18: Navigate to the Security>Zone Firewall>Zone Forwarding tab.
  • Step 19: Select the forwarding sourced from the WAN Zone and going to the Primary LAN Zone, then click Edit.

  • Step 20: Click the drop-down arrow in the Filter Policy box to expand it.
  • Step 21: Select the policy that was created earlier in Step 19.
  • Step 22: Click Save, then click OK in the confirmation dialog.

That's it! Now, when someone tries to access our server 192.168.0.100 from the Internet, they will be blocked, unless they are specifically coming from IP address 166.100.100.2 and using port 20080.
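
The following Python model is an added example, not Cradlepoint code: it replays the use case above (a port forward followed by a first-match filter policy) so the rule set can be checked against sample connections before it is entered in the UI. It assumes, as Step 11 implies, that the filter policy matches on the translated LAN port rather than the Internet port; the class and function names and the probe address 203.0.113.7 are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class PortForward:
    internet_port: int   # port exposed on the WAN interface
    local_ip: str        # LAN device that receives the traffic
    local_port: int      # port the LAN device listens on

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: Optional[str] = None        # source host or CIDR; None matches any
    dst_port: Optional[int] = None   # destination port; None matches any

def evaluate(src_ip, wan_port, forwards, rules, default="deny"):
    """Return (action, local_ip, local_port) for one inbound WAN connection."""
    fwd = next((f for f in forwards if f.internet_port == wan_port), None)
    if fwd is None:
        # No port forward for this WAN port: the firewall drops the traffic.
        return ("deny", None, None)
    # Assumption: rules are checked in order against the translated LAN port.
    for rule in rules:
        src_ok = rule.src is None or ip_address(src_ip) in ip_network(rule.src)
        port_ok = rule.dst_port is None or rule.dst_port == fwd.local_port
        if src_ok and port_ok:
            return (rule.action, fwd.local_ip, fwd.local_port)
    return (default, fwd.local_ip, fwd.local_port)

def open_to_any(forwards, rules, default="deny", probe="203.0.113.7"):
    """Internet ports that an arbitrary source (constructed probe IP) can reach."""
    return [f.internet_port for f in forwards
            if evaluate(probe, f.internet_port, forwards, rules, default)[0] == "allow"]

# Values from the use case: Internet port 20080 -> 192.168.0.100:80.
FORWARDS = [PortForward(20080, "192.168.0.100", 80)]
# Steps 5-16: allow the remote worker to the LAN port, then deny everything.
POLICY = [Rule("allow", src="166.100.100.2", dst_port=80), Rule("deny")]
# Common slip: entering the Internet port in Step 11 instead of the LAN port.
MISTAKEN = [Rule("allow", src="166.100.100.2", dst_port=20080), Rule("deny")]

if __name__ == "__main__":
    print(evaluate("166.100.100.2", 20080, FORWARDS, POLICY))
    print(evaluate("203.0.113.7", 20080, FORWARDS, POLICY))
    print(evaluate("166.100.100.2", 20080, FORWARDS, MISTAKEN))
    print(open_to_any(FORWARDS, [], default="allow"))
```

Under the model's assumption, the `MISTAKEN` policy locks out the remote worker as well, and a port forward with no restricting policy attached shows up in `open_to_any`.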


Published Date: 07/13/2017
