Firewall rules on a per-wan-ip basis

I need two 443 ports on two different IPs on the SAME WAN port allowed through to two different single local LAN IP addresses and ports on a VLAN. How can I accomplish this?

Add the additional WAN IPs to the WAN port config:

Then you can select which IP a port forwarding rule is applied to when you create a new rule:

Thank you for your answer. My question pertains to the firewall rules, not port forwarding.

I already configured the port forwarding, but when I configure the firewall, it looks like my choices are limited.

What exactly are you trying to do, lock down where traffic can come from toward the two WAN IPs you have ports forwarded for?

That is quite simple - on the firewall rule for inbound traffic set the interface to the correct WAN link and then match the destination IP / port as the desired WAN IP / port combo and then set the source to filter where you want to allow traffic in from whether that is a specific IP, netblock or network group.

That’s what I had thought as well, so I set my source IP and port as the actual WAN IP I want to be the one to have the firewall opened up on, but that didn’t work.

I have three IP addresses on WAN 1.

IP 1 - no inbound traffic.

IP 2 - forward TCP port 443 to 192.168.xx.5 (IP address in the VLAN ID 2 range)

IP 3 - forward TCP port 443 to 192.168.xx.10

How can I configure this in the firewall? It doesn’t present the same IP address selection interface as the port forwarding page.

So did you follow the instructions from Martin, as that describes exactly what you should do and would achieve your desired goal?

Once you create the port forwarding rules, assuming you have not changed anything in the firewall rules (which will permit any source to any destination inbound by default), it should work just fine.

One further step you may want to consider is setting an outbound NAT mapping for your two servers so that their return traffic and any other outbound traffic is sourced from the same public IP you are using for the inbound NAT - given you are forwarding 443 I assume this is for HTTPS traffic so this would be a good idea to consider.

You only really need to change the firewall configuration if you wanted to restrict the source IPs - i.e. where traffic is coming from on the internet to be locked down to a specific address or range of addresses.

Perhaps you could share some screenshots of your WAN configuration and how you have the port forwarding configured and any firewall rules you have created?

Also what hardware and software are you using, the inbound port forwarding setup is a little bit different in some models.

On a 310X, for instance, you need to define the servers first under “Inbound Access > Servers” and you can then set up the port forwards for them under “Inbound Access > Services > Add Service”.

If you followed Martin's instructions as above you should have extra WAN IPs to select from in the box on the 3rd screenshot.

I don't have inbound services, just port forwarding. I changed the default inbound firewall to not allow any incoming traffic at all whatsoever when I first configured my routers, as I have no services running on my network that need to be accessed from outside. I have a new tenant in my building who needs remote access for his employees, so I added the following rules to the firewall.

Also, I really appreciate the time you are taking to seek the details necessary to resolve this. Thank you for looking at my firewall configuration.

Ok, I understand now.

So I would make 2 rules in the inbound firewall settings to allow the traffic in. Select your incoming interface; the “source” here is the IP of the remote users, so if you do not know what that is or do not want to be restrictive, leave that set to any. Likewise, source ports are often randomised, so again leave that set to any.

The destination should be the WAN IP you want to allow access to, in my example this is the 1.1.1.1 and 1.1.1.2 address.

I have also enabled logging so you could see the incoming connections in your system logs - I would disable this probably once everything is working as it may generate a lot of log entries you do not care about.

PS - You still need the inbound forwarding rules but it sounds like you have that bit done already.

PPS - You probably want to do the outbound NAT bit too so the server1/2 traffic going OUT from your network is mapped to the correct WAN IPs.

2 Likes

This is exactly the answer I was looking for! And I also understand why I couldn’t figure it out. Let me explain.

If I am configuring “inbound” rules, wouldn’t the source be the “WAN” side, and the destination the “LAN” side? How is it that by specifying the WAN IP/port as the destination, I am essentially allowing traffic on that port to flow exclusively through that IP going in?

And thank you very much for answering the question, and in such easy to follow detail. Really.

It can be a bit confusing, but you have to visualise it from the packet / interface perspective.

The “inbound” rules you are building here are for traffic arriving at a given interface, in this case a WAN interface.

The packets sent by the remote client will have a source address of whatever IP they are coming from, combined with the randomised source port selected by the remote client, which may possibly be further changed because they are behind a device doing PAT (imagine a typical remote user connecting from their home behind an ISP-supplied CPE router).

The packet is being sent to you, so its destination field will be your public IP address, and the destination port will be that of the server they are trying to connect to, in this example 443.

Indeed, the port forwarding rules will open the port up, but as you have sensibly changed the inbound rule to an implicit deny from the default implicit permit you need some rules to permit the traffic in.
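To make the packet-perspective explanation above and the two-rule recipe from the earlier answer concrete, here is a small model of the whole path: inbound rules matched on the WAN interface (source = remote client, destination = WAN IP and port), the port forwards behind them, and the outbound NAT mapping for the two servers. This is an added example written by the editor, not Peplink's code or the forum poster's configuration. All addresses are constructed: 1.1.1.1 and 1.1.1.2 stand in for the two forwarded WAN IPs as in the answer, 1.1.1.3 for the WAN IP that takes no inbound traffic, 192.168.10.5 and 192.168.10.10 for the two VLAN servers, and 203.0.113.7 / 198.51.100.4 for remote clients. The rule-field names and the "first match wins, otherwise implicit deny" behaviour are assumptions of the model, not a statement about any particular firmware.

```python
"""Packet-perspective model of the thread's setup: inbound firewall rules matched on the
WAN interface, port forwards (inbound NAT) behind them, and outbound NAT for the servers.

Editor-added example, not Peplink's code. Addresses are constructed: 1.1.1.1 and 1.1.1.2
are the two forwarded WAN IPs, 1.1.1.3 the WAN IP with no inbound traffic, 192.168.10.5
and 192.168.10.10 the VLAN servers, 203.0.113.7 and 198.51.100.4 remote clients.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on, e.g. "wan1"
    src: str     # remote client address (whatever it is after its own ISP NAT/PAT)
    sport: int   # randomised client source port
    dst: str     # our public WAN IP, because the packet is sent TO us
    dport: int   # the service port, 443 for HTTPS


@dataclass(frozen=True)
class Rule:
    iface: str        # WAN link the rule applies to
    src: str          # "any", a host, or a CIDR of permitted remote clients
    sport: object     # "any" in practice, since client ports are random
    dst: str          # the WAN IP to allow access to
    dport: object     # the forwarded port
    action: str       # "allow" or "deny"
    log: bool = False


def _ip_match(pattern: str, ip: str) -> bool:
    if pattern == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port: int) -> bool:
    return pattern == ANY or pattern == port


def evaluate_inbound(pkt: Packet, rules, default: str = "deny"):
    """First matching rule wins; no match falls through to the default, which is deny
    here because the poster changed the default inbound policy. Returns (action, log)."""
    log = []
    for i, r in enumerate(rules):
        if (r.iface == pkt.iface and _ip_match(r.src, pkt.src)
                and _port_match(r.sport, pkt.sport)
                and _ip_match(r.dst, pkt.dst) and _port_match(r.dport, pkt.dport)):
            if r.log:
                log.append(f"rule {i} {r.action}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return r.action, log
    return default, log


def process_inbound(pkt: Packet, rules, forwards, default: str = "deny"):
    """Filter the packet as it arrives (destination is still the WAN IP), then apply the
    port forward. Returns (verdict, lan_target); lan_target is None unless forwarded."""
    action, _ = evaluate_inbound(pkt, rules, default)
    if action != "allow":
        return "dropped", None
    target = forwards.get((pkt.dst, pkt.dport))
    if target is None:
        return "no-forward", None   # permitted by the firewall but nothing is forwarded
    return "forwarded", target


def outbound_source(lan_ip: str, mappings, default_wan_ip: str) -> str:
    """Outbound NAT: a server with a mapping leaves from its own WAN IP so its replies
    and any outbound connections match the inbound address; others use the primary IP."""
    return mappings.get(lan_ip, default_wan_ip)


# Constructed configuration mirroring the thread: two WAN IPs each forward TCP 443 to
# one VLAN host; the third WAN IP has no forward and no rule, so it stays closed.
FORWARDS = {("1.1.1.1", 443): ("192.168.10.5", 443),
            ("1.1.1.2", 443): ("192.168.10.10", 443)}
RULES_OPEN = [Rule("wan1", ANY, ANY, "1.1.1.1", 443, "allow", log=True),
              Rule("wan1", ANY, ANY, "1.1.1.2", 443, "allow", log=True)]
# Same two rules, but only the tenant's office range (assumed) may reach the servers.
RULES_RESTRICTED = [Rule("wan1", "198.51.100.0/24", ANY, "1.1.1.1", 443, "allow"),
                    Rule("wan1", "198.51.100.0/24", ANY, "1.1.1.2", 443, "allow")]
OUTBOUND_NAT = {"192.168.10.5": "1.1.1.1", "192.168.10.10": "1.1.1.2"}


if __name__ == "__main__":
    client = Packet("wan1", "203.0.113.7", 51234, "1.1.1.1", 443)
    print(process_inbound(client, RULES_OPEN, FORWARDS))         # forwarded to .5
    print(process_inbound(client, RULES_RESTRICTED, FORWARDS))   # dropped: wrong source
    print(outbound_source("192.168.10.5", OUTBOUND_NAT, "1.1.1.3"))
```

Two points the model makes visible: a rule whose source were set to the WAN IP (as first tried in the thread) would never match, because the arriving packet's source is the remote client; and with the default changed to deny, a port forward on its own opens nothing, since no allow rule matches the WAN IP/port pair.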

Fair enough. Thank you!