Troubleshooting Port Forwards

20th April 2023

A customer with a Unifi Dream Machine is having trouble making an Inbound Port Forward. Here are some tests to narrow down the problem.

Double NAT:
look at the IP address on the Internet Interface (usually 8 or 9 on a Dream Machine)
if it is in the range 10.x.x.x or 192.168.x.x or 172.x.x.x then it is a PRIVATE IP address and the internet will not “Start a conversation” with it.
It’s like a one-way valve.
The usual way to fix this is to put your ISP supplied modem into “Bridge Mode” just makes it act more like a switch than a router.

ISP Filtering:
Create a Port Forward to a website you can verify works internally. For my test I installed Windows Admin Center which uses TCP port 6516 by default. We need to test from an internal PC that ISN’T the PC that the Port Forward points to. In a browser type https://ReplaceWithMyPublicIp:6516 If you can get to that address from an internal PC, we know the port-forward is working correctly. If we can’t get there from an external PC, then there is a REALLLY good chance the ISP is filtering your inbound connections, usually because they don’t want you using a consumer internet for business purposes.

All the usual fixes apply
Test with the Windows Firewall OFF
If you have an AntiVirus product installed, verify it doesn’t include a yet another Firewall (yes i’m looking at you Symantec)
Update the firmware on your Firewall
Use ping to see if the IP is reachable
Use the IP first to rule out a problem with DNS lookup
Use the DNS name in a separate test to make double sure
Verify your internal subnet masks don’t cause overlapping networks. Use a subnet calculator to find the begin/end of the range.

I read in one post that Unifi Dream machine can’t handle Port Forwards on the Failover WAN interface but I didn’t find that was the problem.