Site Tools


Port Forwarding - Basic

NAT (Network Address Translation) is a router feature that allows multiple LAN clients with private (not Internet-routable) IP addresses to connect with the Internet via a single public IP address. NAT re-addresses outgoing packets to the Internet from private LAN clients with Tomato's public (WAN) address. Conversely, NAT also re-addresses incoming packets coming from the Internet with the private IP address of the appropriate LAN client. This is transparent-the hosts on the LAN and the Internet never know it's happening. To put it another way, NAT takes traffic from network 1 and makes it appear on network 2 as if it's coming from the router IP address on network 2. The cache of adddress mappings and open/closed connections is called the NAT Table.

Connections initiated on the Internet will not reach a LAN IP address, as the PAT table doesn't contain any reference to those connection attempts. Coincidently, this acts as somewhat of a security feature.

There are several types of NAT. The most common and relevant for Tomato is PAT (Port Address Translation). PAT is what Tomato does by default. With PAT, translation happens not only between private and public IP addresses, but also between ports. For example, a request for an Internet connection from to will create a NAT mapping to allow the return packets to be sent to the correct LAN device on the correct port. Again, all this happens transparently. There are, however, cases where you want to have one port on the WAN mapped/redirected always to a single LAN client.

NOTE: There's a legacy setting on older Tomato versions under Advanced/Routing/Miscellaneous that suggests Tomato can operate in Gateway (default) mode or Router mode. Ignore this setting, and leave it to Gateway, regardless of your network configuration.

When traffic is initiated from the Internet towards Tomato's public (WAN) IP on a specific port, it is either answered by Tomato (if any service is enabled for that port) or dropped. However, in some situations, you'll want WAN port traffic always redirected to a specific LAN IP address (and port). This is helpful for certain applications such as hosting an internal web/mail server, gaming, VoIP or certain VPN tunnelling protocols. The Basic Port Forwarding page allows you to do just this.

On: This enables or disables the settings in that row of the table. (Deafult: Off).

Protocol: UDP/TCP/Both. This selects which transport layer protocols are forwarded. (Default: UDP)

Src Address: (Optional). Source Address. This will restrict the rule to be applied only from specific source addresses. Contrary to the name, you can also use DNS hostnames and FQDN names here. Leaving this empty will set port forwarding to be “from anywhere”.

Ext Port: External port. This is the port the Internet connection is expecting to use. This defines the mapping itself. This can be an single port or a range, with syntax: “FromPort-ToPort”

Int Port: (Optional). Internal Port. This allows you to use a different port on the target LAN IP address. Leaving this empty will use the same port as per Ext Port (Default: empty).

Int Address: Internal Address. This specifies to which port on the LAN the trafffic should be redirected.

Description: Here, you can enter free text to help you remember the reason for the mapping. Most people specify the Application name, or the protocol being used. For example, “RDP” or “Mail Server”.

basic.txt · Last modified: 2021/01/10 19:14 by hogwild