Nexapp - Port Forwarding

Port Forward

By default, NexappOS blocks unsolicited connections coming from public networks toward private networks.
For example, if a web server is running inside your LAN, only LAN clients can reach it directly. Any request arriving from the internet is denied unless an explicit rule allows it.

A Port Forward (also called port redirect or port forwarding) lets you publish an internal service to external users by redirecting traffic from a public interface/port to a private host and port.

Typical examples:

  • Web server: TCP 80 (HTTP) and 443 (HTTPS)
  • Remote management: TCP 22 (SSH) or custom ports
  • Application gateways and on-prem services


Create a Port Forward Rule

Open Firewall → Port Forward and click Add port forward.
You will be asked to define these parameters:

  • Name
    A meaningful label for quick identification later.
    Example: Web_Server_HTTPS, RDP_BranchOffice, PBX_SIP

  • Source port
    The public port on which NexappOS will listen.
    Note: Not all protocols use ports (e.g., GRE).

  • Destination port
    The port used by the internal service.
    It can be the same as the source port or different.

  • Protocol
    Select one protocol (or leave empty for any):
    TCP, UDP, UDPLITE, ICMP, ESP, AH, SCTP, GRE, etc.

    Leaving this empty forwards all protocols, which may expose unintended services. Use with caution.

  • Destination address
    The internal host receiving the forwarded traffic. Options:

    • a specific IP address
    • a firewall object representing a host (such as a DHCP reservation, DNS record, VPN user with reserved IP, or a compatible host set)
    • empty → traffic is redirected to the NexappOS unit itself

Default behavior
Port forwards are reachable only from WAN networks.
To allow internal users to access a service using the public IP, enable Hairpin NAT (see below).


Additional Options Per Rule

Each port forward can also include:

  • Bind to a specific public IP
    If the unit has multiple WAN/public IPs, use WAN IP to bind the rule to a chosen public address.
    This ensures traffic to that public IP maps to the correct internal host.

  • Restrict access
    Limit incoming connections using Restrict access to.
    Accepts:

    • IP address
    • CIDR network
    • compatible firewall object

  • Enable logging
    Turn on Log to record matching inbound connections.
    Logging is rate-limited to 1 entry per second by default.
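The cautions above (protocol left empty, destination left empty, no "Restrict access to", logging off) can be audited in bulk from the command line rather than rule by rule in the GUI. The script below is an added example, not NexappOS code. It assumes that NexappOS stores port forwards as OpenWrt-style redirect sections whose options are named proto, dest_ip, src_ip and log; the uci commands later on this page suggest that layout but the page does not document it, so check the option names against `uci show firewall` on your unit first. The dump embedded in the script is constructed for illustration and its section names are made up.

```shell
#!/bin/sh
# Added example, not NexappOS code: flag port forwards in a `uci show firewall`
# dump that carry the risky settings described on this page.
# Assumption: port forwards are OpenWrt-style "redirect" sections with the
# options proto, dest_ip, src_ip and log (check against your own uci output).

# Constructed sample dump (not captured from a real unit); section ids are made up.
sample_uci_show() {
cat <<'EOF'
firewall.ns_a1b2c3d4=redirect
firewall.ns_a1b2c3d4.name='Web_Server_HTTPS'
firewall.ns_a1b2c3d4.src='wan'
firewall.ns_a1b2c3d4.src_dport='443'
firewall.ns_a1b2c3d4.dest='lan'
firewall.ns_a1b2c3d4.dest_ip='192.168.1.10'
firewall.ns_a1b2c3d4.dest_port='443'
firewall.ns_a1b2c3d4.proto='tcp'
firewall.ns_a1b2c3d4.src_ip='203.0.113.0/24'
firewall.ns_a1b2c3d4.log='1'
firewall.ns_a1b2c3d4.target='DNAT'
firewall.ns_e5f6a7b8=redirect
firewall.ns_e5f6a7b8.name='Legacy_Mgmt'
firewall.ns_e5f6a7b8.src='wan'
firewall.ns_e5f6a7b8.src_dport='2222'
firewall.ns_e5f6a7b8.dest='lan'
firewall.ns_e5f6a7b8.dest_port='22'
firewall.ns_e5f6a7b8.target='DNAT'
firewall.ns_0f1e2d3c=redirect
firewall.ns_0f1e2d3c.name='PBX_SIP'
firewall.ns_0f1e2d3c.src='wan'
firewall.ns_0f1e2d3c.src_dport='5060'
firewall.ns_0f1e2d3c.dest='lan'
firewall.ns_0f1e2d3c.dest_ip='192.168.1.20'
firewall.ns_0f1e2d3c.dest_port='5060'
firewall.ns_0f1e2d3c.proto='udp'
firewall.ns_0f1e2d3c.log='1'
firewall.ns_0f1e2d3c.target='DNAT'
firewall.ns_49d9f400=zone
firewall.ns_49d9f400.name='rwopenvpn'
EOF
}

# Reads a `uci show firewall` dump on stdin and prints "<name> <findings>" for
# every redirect section. Findings, in fixed order: proto=any (empty protocol
# forwards everything), dest=unit (empty destination targets the unit itself),
# unrestricted (no "Restrict access to"), nolog (matches not logged). "OK" if clean.
audit_port_forwards() {
  awk -v q="'" '
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1); gsub(q, "", val)
      n = split(key, k, ".")
      if (n == 2) type[k[2]] = val        # firewall.<section>=<type>
      else opt[k[2], k[3]] = val          # firewall.<section>.<option>=<value>
    }
    END {
      for (s in type) {
        if (type[s] != "redirect") continue
        f = ""
        if (!((s, "proto") in opt))   f = f "proto=any,"
        if (!((s, "dest_ip") in opt)) f = f "dest=unit,"
        if (!((s, "src_ip") in opt))  f = f "unrestricted,"
        if (opt[s, "log"] != "1")     f = f "nolog,"
        sub(/,$/, "", f)
        nm  = ((s, "name") in opt) ? opt[s, "name"] : s
        res = (f == "") ? "OK" : f
        print nm, res
      }
    }' | LC_ALL=C sort
}

# Usage on the constructed dump: sample_uci_show | audit_port_forwards
# On a unit:                     uci show firewall | audit_port_forwards
```

Every rule reported with proto=any or unrestricted is one the cautions above say to reconsider; dest=unit is only a problem if you did not mean to expose a service on the unit itself, and nolog simply means you will have no record of who connected.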


Hairpin NAT (NAT Loopback)

Hairpin NAT allows internal clients to access an internal service using the unit’s public IP or public DNS name.

Without hairpin NAT this fails: the port forward only matches connections arriving on the WAN side, so a LAN client's request to the public IP never reaches the internal server and is dropped or misrouted.

When enabled:

  • LAN clients can use the public hostname/IP
  • NexappOS “reflects” the traffic internally
  • the service remains accessible using the same URL both inside and outside

Enable Hairpin NAT

Inside the port forward rule:

  1. Enable Hairpin NAT
  2. Select one or more zones where loopback should apply (example: lan, guest, dmz)


Hairpin NAT for VPN Zones

If you want hairpin NAT to work for VPN-connected users (for example site-to-site or road-warrior clients), NexappOS must know which subnet belongs to each VPN zone.

This must be configured from the command line.

Supported VPN zones include:

  • ipsec: IPsec tunnels
  • openvpn: OpenVPN site-to-site tunnels
  • rwopenvpn: OpenVPN road-warrior users

If multiple VPN networks exist, all of them must be declared.


Declare a Subnet for a VPN Zone (Example)

Example: enable hairpin NAT for an OpenVPN road-warrior subnet 10.88.88.0/24.

  1. Find the internal reference for the VPN zone:

     uci show firewall | grep ".name='rwopenvpn'"

     Example output:

     firewall.ns_49d9f400.name='rwopenvpn'

     Use the section name shown by your own output (ns_49d9f400 in this example) in the commands that follow.

  2. Add the subnet to that zone:

     uci add_list firewall.ns_49d9f400.subnet=10.88.88.0/24

  3. Commit and restart the firewall:

     uci commit firewall
     /etc/init.d/firewall restart

  4. Verify:

     uci show firewall | grep subnet

     Example output:

     firewall.ns_49d9f400.subnet='10.88.88.0/24'

Add or Remove Multiple VPN Subnets

Add another subnet (example 10.33.33.0/24):

uci add_list firewall.ns_49d9f400.subnet=10.33.33.0/24
uci commit firewall
/etc/init.d/firewall restart

Remove a subnet:

uci del_list firewall.ns_49d9f400.subnet=10.33.33.0/24
uci commit firewall
/etc/init.d/firewall restart

Always commit and restart after changes.
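The steps above (find the zone's section name, add_list the subnet, commit, restart, verify) can be wrapped in a small script that resolves the section name itself, rejects a malformed subnet before touching the configuration, and does not re-add a subnet that is already declared. This is an added example, not NexappOS code; it uses only the uci and /etc/init.d/firewall commands shown on this page, reads the output of `uci show firewall` on stdin, and prints the commands instead of running them when DRY_RUN=1. The firewall dump embedded for the usage example is constructed (ns_49d9f400 is the section name from this page, ns_7c31be02 is made up).

```shell
#!/bin/sh
# Added example, not NexappOS code: declare a VPN subnet for hairpin NAT using
# the uci/restart sequence from this page, with the zone's section name resolved
# from `uci show firewall` (read on stdin), CIDR validation and duplicate check.
# Assumptions: OpenWrt-style `uci` and /etc/init.d/firewall as on this page;
# DRY_RUN=1 prints the mutating commands instead of executing them.

# valid_cidr A.B.C.D/N: succeeds only for a well-formed IPv4 network
valid_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; plen=${1#*/}
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# zone_section NAME: print the section name of the zone called NAME; fails if absent.
# Only sections of type "zone" count, so a port forward with the same name is ignored.
zone_section() {
  awk -v want="$1" -v q="'" '
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1); gsub(q, "", val)
      n = split(key, k, ".")
      if (n == 2) type[k[2]] = val                            # firewall.<section>=<type>
      else if (k[3] == "name" && val == want) named[k[2]] = 1 # firewall.<section>.name=<value>
    }
    END { for (s in named) if (type[s] == "zone") { print s; exit 0 }; exit 1 }'
}

# run CMD...: execute CMD, or just print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# add_vpn_subnet ZONE CIDR: reads `uci show firewall` on stdin
add_vpn_subnet() {
  zone=$1; cidr=$2
  valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 2; }
  dump=$(cat)
  sec=$(printf '%s\n' "$dump" | zone_section "$zone") \
    || { echo "no firewall zone named $zone" >&2; return 3; }
  # uci show prints list values on one line (subnet='a/24' 'b/24'); skip if present
  if printf '%s\n' "$dump" | grep "^firewall\.$sec\.subnet=" | grep -qF "'$cidr'"; then
    echo "$cidr already declared for $zone ($sec)"
    return 0
  fi
  run uci add_list "firewall.$sec.subnet=$cidr"
  run uci commit firewall
  run /etc/init.d/firewall restart
}

# Constructed sample dump for the usage below; on a real unit pipe `uci show firewall` in.
sample_firewall() {
cat <<'EOF'
firewall.ns_49d9f400=zone
firewall.ns_49d9f400.name='rwopenvpn'
firewall.ns_49d9f400.subnet='10.88.88.0/24'
firewall.ns_7c31be02=zone
firewall.ns_7c31be02.name='openvpn'
EOF
}

# Usage (dry run):  DRY_RUN=1; sample_firewall | add_vpn_subnet rwopenvpn 10.33.33.0/24
# On a unit:        uci show firewall | add_vpn_subnet rwopenvpn 10.33.33.0/24
```

Run it once with DRY_RUN=1 to see exactly which section name it resolved and which commands it would issue; the three printed lines should match the sequence in the steps above before you run it for real.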
