Port Forwarding - Basic

When traffic is initiated from the Internet to FreshTomato's WAN IP on a specific port, it is either answered by FreshTomato (if a service is enabled for the port) or dropped.

However, in some situations, you'll want WAN port traffic redirected to a specific LAN IP address/port. This can be helpful for applications such as an internal web/mail server, gaming, VoIP or certain VPN protocols. The Basic Port Forwarding menu allows you to do this.


NAT

Network Address Translation allows multiple LAN clients with private (non-routable) IP addresses to connect to the Internet via a single public IP address.

NAT re-addresses outgoing packets to the Internet from private LAN clients with FreshTomato's public (WAN) address. Conversely, NAT re-addresses incoming packets from the Internet with the private IP address of the correct LAN client. All this is transparent. The hosts on the LAN and the Internet aren't aware it's happening.

NAT takes traffic from network 1 and makes it appear on network 2 as if it's coming from the router IP address on network 2. The store of address mappings and open/closed connections is called the NAT Table.

Connections initiated via the Internet won't reach a LAN IP address, as the PAT (Port Address Translation) table doesn't contain references to those connection attempts. As a side effect, this minimally increases security.


PAT

There are several types of NAT. The most common/relevant type for FreshTomato is Port Address Translation, FreshTomato's default. With PAT, translation happens not only between private and public IP addresses, but also between ports. For example, a request for an Internet connection from 192.168.0.100 to google.com will create a NAT mapping to allow the return packets to be sent to the correct LAN device on the correct port. However, in some cases, you may want to have one port on the WAN always mapped/redirected to a single LAN client.

Note that there's an obsolete setting in the Miscellaneous menu of some old versions that suggests FreshTomato can operate in Gateway mode or Router mode. Ignore it, and leave it set to “Gateway”, regardless of your configuration.



On: checking this enables the settings in that row of the table. (Default: Off).


Protocol: here, select which transport layer protocols are forwarded. (Default: UDP)

  • UDP - only UDP connections are forwarded
  • TCP - only TCP connections are forwarded
  • Both - both UDP and TCP connections are forwarded



Src Address: this option restricts the rule so it's applied only from certain source addresses.

DNS hostnames, FQDN names and IP addresses are valid here. Leaving this empty configures port forwarding “from any address”.


Ext Port: defines the external (WAN) port on which the incoming Internet connection is expected.

This can be a single port or a range, with the syntax “FromPort-ToPort”.


Int Port: this lets you specify a different (internal) port for the target LAN IP address.

Leaving this empty uses the same port as the Ext Port setting (Default: empty).


Int Address: specifies the internal (LAN) IP address to which the traffic should be redirected.


Description: here, enter any text to remind you of the reason for the mapping.

Most users enter the application name or protocol used. For example: “RDP” or “Mail Server”.



Advanced Scenarios

Only one given socket (port/protocol combination) can be forwarded at a given time. For example, if port 80 is already redirected to 192.168.1.10, this port is now “taken” from the router's pool and all inbound connections will be redirected to the mapped LAN IP address. However, there are two ways to allow you to multiplex connectivity on the same port.

Reverse Proxy

To do its job, a proxy must speak the protocol used by the application. For example, an HTTP proxy cannot serve SMTP. If you need to redirect, say, HTTP to multiple internal hosts from the same external port, a reverse proxy is a good solution. According to HTTP v1.1, the target hostname must be included in the HTTP client request. This allows a proxy to read that hostname and redirect the request to the requested domain. Nginx is able to perform this reverse-proxy role for HTTP(S).

Source Bound Redirection

If the source IP and/or FQDN is well-known, you can create multiple port mapping references on the same port:protocol combination, as long as the source is defined differently. For example, the following settings would work fine:




The above settings would cause traffic from the IP addresses of “source.example.com” towards ports 80 and 443 on the router to be redirected to the LAN address in that rule. They would also cause traffic on those ports that was not from “source.example.com” to be redirected to a different LAN IP address. As a guideline, an empty “Src. Address” means “Any”, while an empty “Int Port” means “same port as External”.


Note that the “Src. Address” may contain only one reference. To define multiple sources (say, clients with DDNS defined), you must dedicate one line in the table for each Source/WAN-client. For example:


On  Protocol  Src. Address         Ext Ports  Int Port  Int. Address  Description
✓   TCP                            80,443               192.168.1.5   Main webserver
✓   TCP       source1.example.com  80,443               192.168.1.6   Second webserver
✓   TCP       source2.example.com  80,443               192.168.1.6   Second webserver
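To make the PAT table and the source-bound rule matching described above concrete, here is an added Python model of the behaviour (an illustration written for this page, not FreshTomato's own firewall code). The WAN address, the DNS entries for the example hostnames and the preference for source-bound rules over the “any source” rule are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional

DNS = {"source1.example.com": {"203.0.113.10"},   # constructed stand-in for resolving
       "source2.example.com": {"198.51.100.7"}}   # the hostnames in "Src Address"

def parse_ports(spec: str) -> set:
    """Expand an Ext Ports field such as "80,443" or "8000-8010" into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

@dataclass
class Rule:
    proto: str                      # "tcp", "udp" or "both"
    ext_ports: set
    int_addr: str
    int_port: Optional[int] = None  # None: same port as external
    src: Optional[str] = None       # None: any source; else an IP or hostname

    def matches_src(self, ip: str) -> bool:
        return self.src is None or ip in DNS.get(self.src, {self.src})

class PatRouter:
    def __init__(self, wan_ip: str, rules):
        self.wan_ip, self.rules = wan_ip, rules
        self.nat_table = {}     # (proto, wan_port) -> (lan_ip, lan_port)
        self.next_port = 40000  # WAN port pool handed out to outbound flows

    def outbound(self, proto, lan_ip, lan_port):
        """LAN client opens a connection: rewrite its source to WAN IP:port and remember it."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[(proto, wan_port)] = (lan_ip, lan_port)
        return self.wan_ip, wan_port

    def inbound(self, proto, src_ip, dst_port):
        """Packet from the Internet to the WAN IP; returns (lan_ip, lan_port) or None."""
        if (proto, dst_port) in self.nat_table:  # reply to a flow the LAN initiated
            return self.nat_table[(proto, dst_port)]
        hits = [r for r in self.rules if r.proto in (proto, "both") and dst_port in r.ext_ports]
        # Source-bound rules are more specific, so try them before the "any source" rule (assumption).
        for r in sorted(hits, key=lambda r: r.src is None):
            if r.matches_src(src_ip):
                return r.int_addr, r.int_port or dst_port
        return None  # no PAT-table entry and no rule: the packet is dropped

RULES = [Rule("tcp", parse_ports("80,443"), "192.168.1.5"),  # the three rows of the table above
         Rule("tcp", parse_ports("80,443"), "192.168.1.6", src="source1.example.com"),
         Rule("tcp", parse_ports("80,443"), "192.168.1.6", src="source2.example.com")]
```

Unsolicited traffic to a port with no rule and no PAT entry returns None, which is the “dropped” case from the start of the page.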



forward-basic.1755964546.txt.gz · Last modified: by hogwild