Just got a UCG Ultra and overall happy with it. I have set up a tunnel where all ports are open and I want to forward one of those ports onto a client on the internal network. However, in the port forward form I can only pick WAN, WAN2 and Both. Why can I not choose a tunnel interface? Am I missing something or is this basic functionality missing from UniFi OS?
I tried looking for DNAT as an alternative to port forward but that's also missing?
If by tunnel, you mean that you have set up a VPN server like Wireguard, you would use Firewall rules to route that traffic to the destination subnet or IPGroup.
I think that port forward only applies to open ports from the WAN interfaces through the firewall.
Not UniFi specific, but port forwarding is typically used in a NAT situation where you're taking a public IP address and forwarding just specific TCP ports to a client. If the VPN tunnel is up, there shouldn't be any NAT and it should just be Layer 3 routing. You probably would still need to create the appropriate ACL or policy statement to permit the traffic.
I have the VPN set up as a client working with a VPN provider. I want to policy route some devices on my LAN through the tunnel to get Linux ISOs. Since I am working with torrents here, I also want to expose some ports on those torrent clients through the tunnel.
Hence, I am unable to just use static routes as this would be internet traffic just for a few selected devices.
You should be able to do this in the “advanced” firewall rules/policies, either by device or network. I have a similar set up to this, where I have a VLAN where all traffic from said VLAN is routed to the VPN client interface, and then I have rules to drop all traffic from that VLAN to the main WAN interface. Think of it as a “kill switch” or something for if the VPN client interface goes down.
Edit: For clarification, you will use "Policy Based Routing" to get traffic from specific devices or VLANs to the VPN client interface. Then use "Traffic and Firewall Rules" to manage the kill switch I mentioned or any other specific traffic rules.
To my knowledge, port forwarding won't work in this scenario because although you've got a different public IP on your VPN client interface, that IP belongs to the tunnel you're connected to as a client, so you can't forward to that WAN as it would need to be done server side.
I think you are misunderstanding my issue. I have no problem routing traffic from my local client out on the tunnel interface. That is easily done with policy based routing. However, I am unable to find a solution to route traffic coming IN on the tunnel interface on one or multiple ports to a local client.
If the traffic is not already established/related, the gateway has no way to know where to route traffic coming in on the VPN interface without a port forward or DNAT functionality.
I see what you're saying now. You would have to use a VPN provider that allows port forwarding on their end, as the rules actually need to be in place server side. With you being a client on the VPN connection, that forwarding has to happen from the actual WAN of the VPN server to your local client IP on the server, not your router's WAN and local IP network.
Fully aware of this. All traffic coming in to the tunnel is being routed to my client, hence all ports are exposed on the tunnel. The problem with the UniFi GW is that it won't know what to do with the incoming traffic if it's in a state where it's not already established/related.
Here is my currently working setup with an LXC container. As you can see, I have forwarded port 34123 from my tunnel client onto another device on the local LAN (192.168.192.223):
root@main-tunnel:~# iptables -L -v
Chain INPUT (policy ACCEPT 209M packets, 140G bytes)
 pkts bytes target prot opt in   out  source   destination
  764 36284 DROP   tcp  --  tun0 any  anywhere anywhere     tcp dpt:ssh
Chain FORWARD (policy ACCEPT 319M packets, 153G bytes)
 pkts bytes target prot opt in   out  source   destination
  327 19996 DROP   all  --  eth1 eth0 anywhere anywhere
    0     0 DROP   all  --  eth1 eth0 anywhere anywhere
    0     0 DROP   all  --  eth1 eth0 anywhere anywhere
    0     0 DROP   all  --  eth1 eth0 anywhere anywhere
  36M 2489M ACCEPT tcp  --  any  any  anywhere 192.168.192.223 tcp dpt:34123 state NEW,RELATED,ESTABLISHED
    0     0 DROP   all  --  eth1 eth0 anywhere anywhere
    0     0 DROP   all  --  eth1 eth0 anywhere anywhere
However, with my shiny new UniFi hardware I would like to have all tunnels etc. be part of the UniFi Gateway and not a standalone LXC container on my network.
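The FORWARD chain above only shows the filter side of that LXC setup; the DNAT that actually steers NEW tunnel connections to the LAN host lives in the nat table. The script below is an added example, not code from the thread or from UniFi, that generates the complete rule set for such a container: tun0, port 34123 and 192.168.192.223 follow the post, while the LAN-side interface name eth1 is an assumption.

```shell
#!/bin/sh
# Added example: emit the iptables rules a standalone VPN-client container needs
# to expose one tunnel port to a LAN host. Interface and host values are taken
# from the post except LAN_IF, which is assumed.
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth1}"
FWD_PORT="${FWD_PORT:-34123}"
DST_HOST="${DST_HOST:-192.168.192.223}"

# Reject anything that is not a TCP/UDP port number before it reaches iptables.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule set instead of applying it, so it can be reviewed or diffed
# against `iptables-save` first; pipe the output to `sh` as root to apply.
tunnel_forward_rules() {
    tun="$1"; lan="$2"; port="$3"; host="$4"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    cat <<EOF
# nat table: rewrite the destination of packets arriving on the tunnel for the
# forwarded port; conntrack records the mapping, so replies are un-NATed.
iptables -t nat -A PREROUTING -i $tun -p tcp --dport $port -j DNAT --to-destination $host:$port
iptables -t nat -A PREROUTING -i $tun -p udp --dport $port -j DNAT --to-destination $host:$port
# LAN clients policy-routed out of the tunnel are hidden behind the tunnel address.
iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
# filter table: let the LAN open connections out through the tunnel, allow the
# tunnel to open connections only to the forwarded port on the target host,
# admit replies to flows the LAN started, and drop every other NEW flow from the tunnel.
iptables -A FORWARD -i $lan -o $tun -j ACCEPT
iptables -A FORWARD -i $tun -o $lan -d $host -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun -o $lan -d $host -p udp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun -m conntrack --ctstate NEW -j DROP
EOF
}

tunnel_forward_rules "$TUN_IF" "$LAN_IF" "$FWD_PORT" "$DST_HOST"
```

Without the PREROUTING DNAT lines, a NEW SYN arriving on tun0 has no conntrack entry and no matching destination, which is exactly the situation the gateway cannot resolve on its own.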
Did you figure this out? I am in a similar situation where I got a shiny new UniFi gateway and would like to have my P2P traffic tunneled on it. Got that part set up but just can't figure out how to forward a port from the WireGuard interface to the P2P VLAN.
I currently have my torrent client behind an OpenWrt LXC (basically double NAT) with tun set up on that, and I manually port forward with natpmpc on the OpenWrt console to request a TCP and UDP public port to use with my OpenVPN config. I use that given specified port in qBit.
Wanting to just eliminate the OpenWrt router from my network and route all traffic through my new UniFi Gateway. Policy based routing let me set my P2P VLAN to route all traffic through the WireGuard client, and I verified it by checking my public IP while on that VLAN. Just need a way to port forward for my qBit LXC to properly seed and leech Linux distros.
Unfortunately there was nothing to figure out, as UniFi as it stands at the moment supports neither DNAT nor port forwarding for a tunnel interface. I hope they implement this in the future. I mean, even my EdgeRouter supported DNAT just fine, so hopefully it's more a matter of getting it into the GUI rather than building the actual support for it.
In fact, I deploy a similar configuration to yours: an LXC container acting as a VPN client, and then I DNAT the traffic on a few ports towards the torrent client.
Just like you, I would like to eliminate that LXC and have the UniFi Gateway handle my tunneled traffic as well.
Damn. That is a shame indeed. I’ll keep an eye out for it on future updates. Thanks for the heads up!
I was also trying to set up a similar solution, until I found this thread and realized that it's not supported... what a shame...
I chose gluetun as an alternative; it supports port forwarding and WireGuard, and it's pretty easy to set up.