Has anyone got any experience with setting up port forwarding in UniFi? I have just ditched my Untangle box and replaced it with a UDM SE. Everything is set up and working fine with the VPN except the port forwarding for qBittorrent, which I never got to work under Untangle either 😃

This is what I have done so far...

Port forwarded 23546 in the client area.

Port forward rule created in Unifi which looks like this...

Interface - WAN
From - Any
Port - 23546
Forward IP 10.0.0.20
Forward Port - 23546
Protocol - Both

Any idea what I am missing? Do I need to create a firewall rule to allow the traffic to pass?

Any input would be very much appreciated!


Did you find out?

I get the same problem with the UDM SE. It was working well with my pfsense, before I replaced it with the UDM.

But with pfSense I had to configure the port forward on the VPN interface. With the UDM we cannot choose the VPN interface, the only choice is the WAN. So I suspect that it is the problem and it simply can't be achieved with the UDM. 🙁

Edited ... by P.Bear


Still not found a solution. I have put a couple of posts on the ubiquity forums but have had no response to them. You may wish to bump them :)

I did find a post which hinted toward it being something to do with firewall rules, as the VPN was effectively part of the local network, but no clue beyond that unfortunately.

I never got it to work under Untangle either, and that was a lot more flexible in what you could do in terms of routing.

47 minutes ago, Flx said:
Take the UDM SE outside. Make a fire and burn it. If it's Internet nightmares that you want keep it.
Good Luck! :)

What would you suggest I use instead? Been happy with the access points over the years.

13 hours ago, Flx said:

Only @Staff or @OpenSourcerer may be able to help with this...AirVPN related.


Sorry, I cannot. I do not run VPNs on such hardware. :)

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


They answered but the answer was totally out of whack with the question (they explained to me how to set up a VPN connection...). I answered them and explained again what I'm looking for; I'm waiting for the next reply.

But in the meantime I just tried by myself. The UDM is Linux and it's the well-known iptables that is used behind the scenes. So I first identified the VPN interface (= tunovpnc4). Then I configured a port forward on this interface to my internal server (actually a qBt docker container with the IP 10.0.4.25).

root@UDM-SE-Home-FR:~# iptables -t nat -A PREROUTING -i tunovpnc4 -p tcp --dport 60559 -j DNAT --to-destination 10.0.4.25

Now when I test it says it is open:
[screenshot: check.png]

🥳
Please try and let me know.

@OpenSourcerer I did the same with UDP but the system does not tell me if it's open or not. Is it normal? Maybe it is simply because my qBt does not listen on the UDP port? I'm not sure, it should say "closed", shouldn't it?
[screenshot: check_udp.png]

KR,

Edited ... by P.Bear

5 hours ago, P.Bear said:

I did the same with UDP but the system does not tell me if it's open or not. Is it normal? Maybe it is simply because my qBt does not listen on the UDP port?

Probably correct that qB is listening on TCP only. Check the settings for that; the other option is TCP and uTP (which is Micro Transport Protocol and not exactly UDP).

5 hours ago, P.Bear said:

I'm not sure, it should say "closed", shouldn't it?

Timeout is fine in this situation as well.


Ok so it can be done then just maybe not through the UI for some reason. Does this survive reboots?

9 hours ago, Mytob said:

Ok so it can be done then just maybe not through the UI for some reason. Does this survive reboots?


No. Use iptables-save for this, and iptables-restore on boot.


Yeah:
"please share the port numbers that are not accessible so that we can check their entries from the IP tables in the background?
Also, please share the screenshot of the traffic rules you have created if any.
Additionally, share a port forward rule you have created in order to verify the settings.
Please download a fresh support"

Many people say on reddit that ubiquiti (with an I 😉 ) is crap. It's totally true.
I'll answer them this evening.

But another thing: do you also have all your posts delayed on this forum? "Your content will need to be approved by a moderator"?
Above all, I sometimes post at 8 am and the post is validated at 4 pm... (And don't talk to me about time zone issues.)

It no longer makes me want to participate, actually.

Edited ... by P.Bear


Top quality support! May as well ask you to turn it off and on again lol. I did get the moderator message for the first few posts but not any more. I suspect it is to stop spam bots.

On 7/26/2023 at 7:22 PM, P.Bear said:

But another thing: do you also have all your posts delayed on this forum? "Your content will need to be approved by a moderator"?
Above all, I sometimes post at 8 am and the post is validated at 4 pm... (And don't talk to me about time zone issues.)

It no longer makes me want to participate, actually.


You're free from the modqueue after a small number of approved posts. You're almost out of it, please bear with us.
 
On 7/26/2023 at 11:35 PM, Mytob said:

I did get the moderator message for the first few posts but not any more. I suspect it is to stop spam bots.


Suspicion confirmed.

On 7/22/2023 at 10:11 AM, P.Bear said:

But in the meantime I just tried by myself. The UDM is Linux and it's the well-known iptables that is used behind the scenes. So I first identified the VPN interface (= tunovpnc4). Then I configured a port forward on this interface to my internal server (actually a qBt docker container with the IP 10.0.4.25).

root@UDM-SE-Home-FR:~# iptables -t nat -A PREROUTING -i tunovpnc4 -p tcp --dport 60559 -j DNAT --to-destination 10.0.4.25

Now when I test it says it is open:
[screenshot: check.png]

Just tried pasting a modified version of this into the terminal and can't get it to work. I just changed the VPN tunnel name and the IP address to reflect my setup. Am I missing something?

On 8/7/2023 at 1:36 PM, OpenSourcerer said:

You're free from the modqueue after a small number of approved posts. You're almost out of it, please bear with us.
 
Suspicion confirmed.

I know this is to avoid spam. But this technique only makes sense when implemented correctly. On this forum, this is not the case. As I said in my previous post, sometimes you have to wait 7 hours for a post to be validated, in the middle of the day! It obviously lacks moderators. (Not your fault.)
And this is my 5th post and I still have the same message. Even though I complained. So you obviously don't have the ability to check me off as not a bot to stop this limit. That's ridiculous. Hopefully AirVPN has better VPN server admins than their web developers 😅

@Mytob I will try to help you with pleasure, but it will clearly be too complicated here. @PBear06 on telegram for example, if you want.

Edited ... by P.Bear

13 hours ago, P.Bear said:

I know this is to avoid spam. But this technique only makes sense when implemented correctly. On this forum, this is not the case. As I said in my previous post, sometimes you have to wait 7 hours for a post to be validated, in the middle of the day! It obviously lacks moderators. (Not your fault.)
And this is my 5th post and I still have the same message. Even though I complained. So you obviously don't have the ability to check me off as not a bot to stop this limit. That's ridiculous. Hopefully AirVPN has better VPN server admins than their web developers 😅

@Mytob I will try to help you with pleasure, but it will clearly be too complicated here. @PBear06 on telegram for example, if you want.

Hi,
the limit is exactly 5 messages; from now on your messages will not be subjected to moderator approval. This community forum is by the community for the community as a gift from AirVPN, open to everyone, not restricted to AirVPN customers. If you don't like a gift, just refuse it and live happy, or become part of the community and help make this forum an even better place. It must be said anyway that in 13 years only 3-4 people complained about the message approval time, and the massive usage of this forum shows that it is appreciated by most people and even by non-AirVPN customers, so after all this gift is fine and the community is able to manage the whole thing properly.

Kind regards
14 hours ago, P.Bear said:
@Mytob I will try to help you with pleasure, but it will be too complicated here clearly. @PBear06 on telegram for example, if you want.

As long as the solution for OP's issue is reported here afterwards, it's not a problem.


Do you guys still have this working after the latest update?
I used to have the same problem and the reason was (as per UniFi support) that the port forward didn't work on VPN but only on LAN (this is why the Linux string worked instead); however, since the latest update the VPN client doesn't work anymore at all and I cannot connect to AirVPN using the VPN client on the UDM.
Are you experiencing the same issue?
@zapoteknico Hello, I've rejoined the boat (my NordVPN subscription ends soon). I just set it up with WG now that Ubiquiti finally supports it (but not yet IPv6, pfff), and it still works. The check says that the port is open.

1 hour ago, P.Bear said:
@zapoteknico Hello, I've rejoined the boat (my NordVPN subscription ends soon). I just set it up with WG now that Ubiquiti finally supports it (but not yet IPv6, pfff), and it still works. The check says that the port is open.

Did you have to input anything else before the rule? I tried it with my own IP / port combination but nothing happened; it didn't do anything.


@Mytob do you use the WireGuard protocol or OpenVPN?

So let's say your qBt server IP is 10.0.12.9, the port you want to forward is 4321 and the interface of the WireGuard client that you created is wgclt3.

1) You have to forward the port with a rule in the PREROUTING chain of the nat table:

iptables -t nat -I PREROUTING -i wgclt3 -p tcp --dport 4321 -j DNAT --to-destination 10.0.12.9
iptables -t nat -I PREROUTING -i wgclt3 -p udp --dport 4321 -j DNAT --to-destination 10.0.12.9

With WG I noticed that I had to add a rule in the FORWARD chain to let the packets go through. (I don't know why; maybe it is the same with OpenVPN because of something changed in the recent releases of UniFi OS.)
2) So you add the following rules:

iptables -I FORWARD -i wgclt3 -p tcp --dport 4321 -d 10.0.12.9 -j ACCEPT
iptables -I FORWARD -i wgclt3 -p udp --dport 4321 -d 10.0.12.9 -j ACCEPT

Remarks:
a) I use INSERT to add my rules so I'm sure they are placed at the top of the chains and processed before everything else.
b) I also noticed UDP packets coming from the AirVPN server. They come from the port used to connect to it (1637) and those are DROPped by the firewall. The host's resolution changes from time to time, so I'm not sure how to deal with this problem. I'm considering opening a ticket to verify if this is a normal behavior, as I wonder why I get such UDP requests.
I could add a rule like:
iptables -I INPUT -i eth8 -p udp --sport 1637 -j ACCEPT
But it's too permissive. 🤔

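Added example, not code from the thread or from Ubiquiti: a small POSIX sh script that packages what P.Bear worked out across his two posts (the DNAT bound to the tunnel interface, the FORWARD accept) together with OpenSourcerer's iptables-save / iptables-restore answer on persistence, as one idempotent command you can re-run safely. The interface name wgclt3, the addresses 10.0.12.9 and 203.0.113.7, the port numbers and the save path /data/iptables-vpn-forward.rules are assumed placeholders. The `-s <server IP>` scoping in allow_vpn_server_udp is my tightening of the `--sport 1637` rule P.Bear called too permissive (a source port is chosen by the sender, so matching on it alone admits any host); the thread did not verify it, and the boot hook that replays the saved file on UniFi OS is left open, as it is in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent DNAT port-forward on a VPN
# tunnel interface of a UDM running iptables, plus the FORWARD accept and a
# save step for persistence. Interface names, addresses, ports and the save
# path are assumed placeholders. Set DRY_RUN=1 to print the iptables commands
# instead of executing them (handy before running as root on the UDM).

SAVE_FILE="${SAVE_FILE:-/data/iptables-vpn-forward.rules}"   # assumed path

# Validate an IPv4 dotted quad (four octets, each 0-255); 0 if valid.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate a TCP/UDP port number (1-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Insert a rule at the top of a chain unless an identical rule already exists
# (iptables -C exits 0 when the rule is present), so re-running is safe.
ensure_rule() {
    table=$1; shift
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -t $table -I $*"
        return 0
    fi
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -I "$@"
}

# forward_port TUN_IF DST_IP PORT
# The DNAT matches only on the tunnel interface, so the port is reachable
# through the VPN exit and never opened on the WAN side; the FORWARD rule
# lets the translated flow reach the LAN host.
forward_port() {
    tun_if=$1; dst=$2; port=$3
    valid_ipv4 "$dst"  || { echo "bad destination IP: $dst" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    for proto in tcp udp; do
        ensure_rule nat PREROUTING -i "$tun_if" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$dst:$port"
        ensure_rule filter FORWARD -i "$tun_if" -p "$proto" -d "$dst" --dport "$port" \
            -j ACCEPT
    done
}

# allow_vpn_server_udp WAN_IF SERVER_IP SERVER_PORT
# Tighter form of "-i eth8 -p udp --sport 1637 -j ACCEPT": a source port is
# picked by the sender, so accepting on it alone admits any host on the
# Internet; scoping to the VPN server address limits that (assumed approach).
allow_vpn_server_udp() {
    wan_if=$1; server=$2; sport=$3
    valid_ipv4 "$server" || { echo "bad server IP: $server" >&2; return 1; }
    valid_port "$sport"  || { echo "bad port: $sport" >&2; return 1; }
    ensure_rule filter INPUT -i "$wan_if" -s "$server" -p udp --sport "$sport" -j ACCEPT
}

# Dump the live tables so a boot hook can replay them with
# "iptables-restore < $SAVE_FILE"; installing that hook is not covered here.
persist_rules() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables-save > $SAVE_FILE"
        return 0
    fi
    iptables-save > "$SAVE_FILE"
}

# Usage: sh forward.sh <tunnel-if> <dst-ip> <port>, e.g. wgclt3 10.0.12.9 4321
if [ "$#" -eq 3 ]; then
    forward_port "$@" && persist_rules
fi
```

Run it on the UDM shell as root with DRY_RUN=1 first to see the exact rules it would insert; without DRY_RUN each rule is checked with `iptables -C` before being inserted, so running the script twice does not stack duplicate rules the way repeated `-I` commands do.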
