Setting Up Port Forwarding Rules

The primary reason you choose to use EPN is the added layer of isolation and security it affords.   Not only does there have to a be public gateway into the private network, the rules controlling this connectivity--by default--do not allow any traffic to pass between the two. We must, therefore, configure how we want traffic between the two to be forwarded.   Typically, we do this by opening ports and allowing traffic to pass from network to network across these ports.  It is useful to understand a little about ports before you set up forwarding rules.

Each IP address is comprised of a variety of different protocols.  The two of interest to us here are TCP (Transport Control Protocol) and UDP (User Datagram Protocol).  Each of these protocols have different properties and capabilities, and provide different functionality.  Each protocol has 65,355 assignable ports.  Many of the ports are already associated with specific functionality or services.  Here is a very short list of ports and the service that uses them:

  • TCP 21 --> FTP (File Transfer Protocol)
  • TCP 22 --> SSH (Secure Shell--remote access for Linux systems)
  • TCP 80 --> HTTP (HyperText Tranfer Protocol)
  • TCP 443 --> HTTPS (Secure HyperText Tranfer Protocol)
  • TCP 3389 --> RDP (Remote Desktop Protocol --remote access for Windows systems)

Note:  Within each virtual network, you can only have one rule per port. If you need to open the same port to multiple machines, you need to setup load balancing instead.

For more information about load balancing, go HERE

Your applications may require some or all of these, and others as well, so it is important to understand how your application works in order to properly set port forwarding.  At a minimum, you will need to allow yourself access to your own systems for configuration and management.  Typically, that would mean the port 22 (SSH) or 3389 (RDP) would need to be forwarded.  To set up port forwarding rules, click on the address you were allocated for your virtual network.  This will popup the following screen:


Click on the "Add Port Forwarding Rule" button to proceed.  If you have not set up any port forwarding rules for this network, you will see the following:

Port Forwarding 2

If you have already created a rule or two, this popup will show you what you now have assigned.  You could have many different rules once you are finished.  You could also have different rules for different virtual machines, depending on your unique requirements.  

To create a new port forwarding rule, click on the "Add Port Forwarding Rule" button.  The following screen will appear:


Note: To select a different virtual machine for which to create a rule, click on the up/down arrow to show all of the machines included in the virtual network and select the one you need.

Here are some of the general rules of what you can and cannot add:

  • You can add rules for individual ports, one at a time, from 1 to 65535, for both TCP and UDP
  • You can add rules for entire ranges of ports.  Eg., to enable all ports in the range of 5000 to 10000, enter "5000" in the "From:" box and "10000" in the "To:" box.
  • Port rules are inclusive.  If you map a range of ports, every port in that range will be exposed.  There is no way to exclude a port from a range that has been defined.  If you need to exclude specific ports, craft to your ranges so that they do not include those.
  • You can have only one rule apply to each port.  Eg., if you have port 80 mapped already, adding another rule with a range including port 80 would be illegal because the range overlaps the previous rule.  If you need to access the same port for multiple machines, you will need to chose different public ports for each.  
  • Public ports do not have to match private ports.  Eg., you can map "Public Port" 80 to "Private Port" 8080.
  • You must have an equivalent number of public and private ports.  Eg., you can map "Public Port(s)" 5000-5010 to "Private Port(s)" 5000-5010 or 50000-50010 but not to 5000-5200.
  • You can have as many rules as you have ports.
  • If you need to open the same port for multiple machines, you need to set up load balancing.  

Note: The following ports are essential for the VPN component of EPN and are, therefore, reserved and cannot be remapped:

  • UDP 500 (IKE)
  • UDP 1701 (L2TP)
  • UDP 4500 (NAT-T)

Port forwarding rules can be modified and applied at any time. Once added or removed, they are in effect immediately.