If you use Smoothwall as your Firewall, you can grant external access to your LAN to make locally hosted services available to remote users. For example, if you run a self-hosted website, you can allow requests from outside the network (from the Internet) to reach that web server.
- You can use Port forwards rules to perform Destination Network Address Translation (DNAT), with the option to perform Port Address Translation (PAT).
- You can turn on IPS scanning for added security.
Before you begin
Port forwards rules allow unknown external hosts to access an internal host, so you should carefully consider the services you are making available to keep your network secure. Your Port forwards rules should:
- Limit access to specific Client IP addresses so that only approved clients can access your network, rather than the whole internet. If you can’t do this using Port forwards rules, consider limiting access to your country using Geoblocking.
- Direct traffic to hosts in isolated network zones that don’t contain confidential or security-sensitive network information. Check your Firewall rules to ensure the target host is in a suitably isolated network.
Traffic that doesn’t match a rule
We recommend that you don’t notify the sender when traffic doesn’t match a Port forwards rule and is logged as 'bad external traffic'. To drop this traffic silently:
- Go to Network > Settings > Advanced.
- Ensure the Bad external traffic field is set to Drop.
- Select Save changes.
Add a Port forwards rule
Tip
When building your rule, for the Client IP addresses, Services and Target IP addresses fields:
- Use Search to narrow your list of items.
- Leave the fields blank to set the rule to apply to Any (all).
To add a Port forwards rule:
- Go to Network > Configuration > Port forwards.
- Add a new rule:
  - Hover over a rule, select Add, then select Rule above or Rule below.
  - Select Add port forward.
- Ensure the Enabled checkbox is selected.
- Use Client IP addresses to manage traffic coming from specific IP addresses, subnets, or IP ranges:
  - Select the checkbox next to one or more Address objects, then select Add.
  - Select the minus icon (-) next to an item to remove it from the list.
  - Select Create to add a new Address object or Address object group.
- For Local IP, select the interface where the traffic will arrive. This is the external IP address on the Smoothwall Appliance that users will access, either directly or via a publicly resolvable hostname.
  Note
  This setting is ignored if you have specified Client IP addresses.
- Use Services to manage traffic on specific TCP and UDP ports:
  - Select the checkbox next to one or more Service objects, then select Add.
  - Select the minus icon (-) next to an item to remove it from the list.
  - Select Create to add a new Service object or Service object group.
- Use Target IP addresses to forward traffic to the hosting server's IP addresses.
  Note
  If multiple IP addresses are selected, traffic is load-balanced across them.
  - Select the checkbox next to one or more Address objects, then select Add.
  - Select the minus icon (-) next to an item to remove it from the list.
  - Select Create to add a new Address object or Address object group.
- (Optional) Target port:
  - For Port Address Translation (PAT), enter the port number to forward traffic to.
    Note
    If multiple service ports are selected, this setting is ignored. If multiple services need PAT, create additional rules.
  - Leave blank to use the destination port(s) specified in the incoming packet. The table will say ‘Preserve’.
- To log traffic to your Firewall logs, select the Log connections checkbox.
  Important
  Generating these logs can impact the performance of your Smoothwall Appliance.
- Select the Intrusion Prevention System (IPS) checkbox to have IPS policies prevent unwanted activity for this Port forwards rule.
- (Optional) Enter a Comment.
- Select Save changes.
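The following is an added example, not part of the Smoothwall product or its documentation. It checks a list of rules, transcribed by hand from the Port forwards table, against the guidance in "Before you begin" and the notes in the procedure above. The field names, the isolated zone subnet, the one-port-per-service-entry model and the sample rules are all assumptions made for illustration.

```python
import ipaddress

# Assumption: the isolated (DMZ) zone that forwarded traffic may reach.
ISOLATED_ZONES = [ipaddress.ip_network("192.168.50.0/24")]

def audit_rule(rule):
    """Return findings for one rule transcribed from the Port forwards table."""
    if not rule["enabled"]:
        return []  # a rule with Enabled cleared is ignored by Smoothwall
    findings = []
    if not rule["clients"]:
        findings.append("Client IP addresses blank: applies to Any source")
    if not rule["services"]:
        findings.append("Services blank: applies to Any port")
    for target in rule["targets"]:
        addr = ipaddress.ip_address(target)
        if not any(addr in zone for zone in ISOLATED_ZONES):
            findings.append(f"Target {target} is outside the isolated zones")
    if rule["target_port"] and len(rule["services"]) > 1:
        findings.append("Target port is ignored: multiple services selected")
    if not rule["ips"]:
        findings.append("IPS checkbox not selected")
    return findings

def audit(rules):
    """Map each rule's comment to its findings, omitting clean rules."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["comment"]] = findings
    return report

# Constructed sample rules (hypothetical field names, documentation addresses).
SAMPLE_RULES = [
    {"comment": "Public website", "enabled": True, "clients": [],
     "services": ["tcp/443"], "targets": ["192.168.50.10"],
     "target_port": None, "ips": True},
    {"comment": "Partner SFTP", "enabled": True, "clients": ["203.0.113.0/24"],
     "services": ["tcp/22"], "targets": ["192.168.50.20"],
     "target_port": 2222, "ips": True},
    {"comment": "Legacy app", "enabled": True, "clients": ["198.51.100.7"],
     "services": ["tcp/8080", "tcp/8443"], "targets": ["10.0.0.15"],
     "target_port": 443, "ips": False},
    {"comment": "Old test rule", "enabled": False, "clients": [],
     "services": [], "targets": ["10.0.0.99"], "target_port": None, "ips": False},
]

if __name__ == "__main__":
    for comment, findings in audit(SAMPLE_RULES).items():
        print(comment, findings)
```

A rule open to Any source, such as the constructed "Public website" rule, may be intentional for a public service; the finding marks it for review against the Geoblocking and zone isolation guidance.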
Edit a Port forwards rule
Smoothwall applies rules in order of priority, from top to bottom. To reorder rules:
- Drag a rule to a new position.
- Select Save.
To edit a rule:
- Hover over the rule.
- Select Edit.
- Change any fields as needed.
- Select Save changes.
Delete a Port forwards rule
To remove a Port forwards rule:
- Hover over the rule.
- Select Delete.
- Select Delete again.
Alternatively, to keep an item in the list but have Smoothwall ignore it:
- Hover over the rule.
- Select Edit.
- Clear the Enabled checkbox.
- Select Save changes.