
Port Forwarding Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Firewall > Forwarding rules

External Port Access Management

Port forwarding rules configuration in Meraki appliances enables the redirection of external traffic from specific public ports to internal hosts and services, providing controlled external access to internal resources without requiring dedicated public IP addresses. This functionality allows organizations to efficiently expose internal services such as web servers, databases, and applications to external clients while maintaining network security through source IP restrictions and protocol controls. Port forwarding is essential for cost-effective service deployment, supporting legacy applications that require specific port access, and enabling remote access to internal systems while conserving public IP address resources.

Diagram


Classes

firewall (meraki.domains.organizations.networks.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| port_forwarding_rules | List[port_forwarding_rules] | | No | |

port_forwarding_rules (meraki.domains.organizations.networks.appliance.firewall)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 127 | No | |
| lan_ip | IP | | Yes | |
| uplink | Choice | both, internet1, internet2, internet3 | No | |
| public_port | Any | Integer[min: 1, max: 65535] or String[matches: (?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| local_port | Any | Integer[min: 1, max: 65535] or String[matches: (?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| allowed_ips | List | Any[IP or String[matches: [Aa]ny]] | Yes | |
| protocol | Choice | tcp, udp | Yes | |

Examples

Example-1: The example below demonstrates port forwarding rules configuration using tested YAML configuration from pipeline fixtures.

```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          networks:
            - name: "!env network_name"
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  port_forwarding_rules:
                    - name: "Port Forwarding Rule 1"
                      lan_ip: "192.168.128.10"
                      uplink: both
                      public_port: 8080
                      local_port: 80
                      allowed_ips:
                        - "192.168.1.1"
                      protocol: tcp
                    - name: "Port Forwarding Rule 2"
                      lan_ip: "192.168.128.20"
                      uplink: both
                      public_port: 8081
                      local_port: 80
                      allowed_ips:
                        - "192.168.1.1"
                        - "any"
                      protocol: tcp
                    - name: "SSH Remote Access"
                      lan_ip: "!env server_management_ip"
                      uplink: "both"
                      public_port: "2222"
                      local_port: "22"
                      allowed_ips:
                        - "!env admin_networks"
                      protocol: tcp
```
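The class table above lists the constraints each rule must satisfy (name length, port range, IP-or-`any` sources, protocol and uplink choices). The script below is an added example, not part of this page or the project's own tooling: it checks a list of rules against those constraints before they are pushed to the appliance. The sample rules are constructed here to mirror the YAML example, with the `!env` placeholders replaced by literal values, plus one deliberately malformed rule. Because the page's string pattern for ports is truncated, a plain numeric string is assumed to be the only accepted string form, and `allowed_ips` entries are assumed to be hosts or CIDR networks.

```python
import ipaddress
import re

# Allowed values taken from the class table on this page.
UPLINK_CHOICES = {"both", "internet1", "internet2", "internet3"}
PROTOCOL_CHOICES = {"tcp", "udp"}
ANY_PATTERN = re.compile(r"^[Aa]ny$")


def port_is_valid(value):
    """Integer 1..65535, or a string holding such a number.

    The page's string pattern for ports is truncated, so a plain numeric
    string is assumed here; any other string form is rejected."""
    if isinstance(value, bool):          # bool is an int subclass; never a port
        return False
    if isinstance(value, int):
        return 1 <= value <= 65535
    if isinstance(value, str) and value.isdigit():
        return 1 <= int(value) <= 65535
    return False


def source_is_valid(value):
    """An allowed_ips entry: the literal any/Any, or an IP host or network."""
    if not isinstance(value, str):
        return False
    if ANY_PATTERN.match(value):
        return True
    try:
        ipaddress.ip_network(value, strict=False)  # hosts and CIDR blocks (assumption)
        return True
    except ValueError:
        return False


def validate_rule(rule):
    """Return the list of constraint violations for one rule (empty when valid)."""
    errors = []
    name = rule.get("name")
    if name is not None and not (isinstance(name, str) and 1 <= len(name) <= 127):
        errors.append("name must be a string of 1..127 characters")
    try:
        ipaddress.ip_address(rule["lan_ip"])
    except (KeyError, ValueError):
        errors.append("lan_ip is mandatory and must be a valid IP address")
    if "uplink" in rule and rule["uplink"] not in UPLINK_CHOICES:
        errors.append(f"uplink must be one of {sorted(UPLINK_CHOICES)}")
    for key in ("public_port", "local_port"):
        if not port_is_valid(rule.get(key)):
            errors.append(f"{key} must be an integer or numeric string in 1..65535")
    sources = rule.get("allowed_ips")
    if not isinstance(sources, list) or not sources:
        errors.append("allowed_ips is mandatory and must be a non-empty list")
    else:
        for src in sources:
            if not source_is_valid(src):
                errors.append(f"allowed_ips entry {src!r} is neither an IP nor 'any'")
    if rule.get("protocol") not in PROTOCOL_CHOICES:
        errors.append("protocol is mandatory and must be tcp or udp")
    return errors


def validate_rules(rules):
    """Map each rule's name (or index) to its violations; valid rules map to []."""
    return {rule.get("name", f"rule[{i}]"): validate_rule(rule) for i, rule in enumerate(rules)}


# Constructed samples: the first three mirror the page's YAML example with the
# "!env" placeholders replaced by literal values; the last one is deliberately wrong.
SAMPLE_RULES = [
    {"name": "Port Forwarding Rule 1", "lan_ip": "192.168.128.10", "uplink": "both",
     "public_port": 8080, "local_port": 80, "allowed_ips": ["192.168.1.1"], "protocol": "tcp"},
    {"name": "Port Forwarding Rule 2", "lan_ip": "192.168.128.20", "uplink": "both",
     "public_port": 8081, "local_port": 80, "allowed_ips": ["192.168.1.1", "any"], "protocol": "tcp"},
    {"name": "SSH Remote Access", "lan_ip": "192.168.128.30", "uplink": "both",
     "public_port": "2222", "local_port": "22", "allowed_ips": ["203.0.113.0/24"], "protocol": "tcp"},
]
BROKEN_RULE = {"name": "", "lan_ip": "192.168.128.999", "uplink": "cellular",
               "public_port": 70000, "local_port": "ssh", "allowed_ips": ["everyone"],
               "protocol": "icmp"}

if __name__ == "__main__":
    for name, errs in validate_rules(SAMPLE_RULES + [BROKEN_RULE]).items():
        print(name or "<unnamed>", "->", "OK" if not errs else "; ".join(errs))
```

Running the script reports the three page-derived rules as OK and lists seven violations for the malformed rule, one per field. Wiring `validate_rules` into a CI step ahead of the deployment pipeline stops a typo such as `public_port: 70000` or `protocol: icmp` from reaching the appliance.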

Configuration Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| firewall_port_forwarding | Object | Yes | Port forwarding configuration container |
| rules | Array | Yes | List of port forwarding rule definitions |
| rules[n].name | String | Yes | Descriptive name for the forwarding rule |
| rules[n].lan_ip | String | Yes | Internal destination IP address |
| rules[n].uplink | String | Yes | Uplink interface: "internet1", "internet2", "both", "cellular" |
| rules[n].public_port | String | Yes | External port number for incoming traffic |
| rules[n].local_port | String | Yes | Internal destination port number |
| rules[n].allowed_ips | Array | Yes | List of allowed source IPs: "any" or specific IPs/networks |
| rules[n].protocol | String | Yes | Protocol: "tcp", "udp" |

Port Forwarding Strategies

| Strategy | Public Port | Local Port | Use Case | Security Considerations |
|---|---|---|---|---|
| Direct Mapping | Same as local | Same as public | Standard services | Medium security |
| Port Translation | Different from local | Different from public | Security by obscurity | Higher security |
| High Port Mapping | >1024 | Standard port | Reduce automated attacks | Good security |
| Multiple Mappings | Various | Same service | Load distribution | Complex management |

Common Service Mappings

| Service | Standard Port | Alternative Port | Protocol | Security Level |
|---|---|---|---|---|
| HTTP | 80 | 8080, 8000 | TCP | Medium |
| HTTPS | 443 | 8443, 9443 | TCP | High |
| SSH | 22 | 2222, 2200 | TCP | High |
| RDP | 3389 | 33389, 3390 | TCP | High |
| SMTP | 25 | 2525, 587 | TCP | Medium |
| IMAP | 143, 993 | 1143, 9930 | TCP | Medium |
| POP3 | 110, 995 | 1100, 9950 | TCP | Medium |
| DNS | 53 | 5353 | UDP | Low |
| VPN | 1194, 500 | 11194, 4500 | UDP | Medium |
| Database | 3306, 5432 | 33060, 54320 | TCP | Very High |

Uplink Settings

| Uplink Setting | Behavior | Use Cases | Availability Considerations |
|---|---|---|---|
| internet1 | Primary uplink only | Cost optimization | Single point of failure |
| internet2 | Secondary uplink only | Load distribution | Backup connectivity |
| both | Active on both uplinks | High availability | Requires both uplinks |
| cellular | Cellular uplink only | Mobile/remote sites | Data cost implications |

Access Control Levels

| Access Level | Allowed IPs | Security Impact | Management Overhead | Scalability |
|---|---|---|---|---|
| Public | "any" | Low security | Low | High |
| Network-Based | Specific networks | High security | Medium | Medium |
| Host-Based | Individual IPs | Maximum security | High | Low |
| Hybrid | Mixed approach | Balanced security | Medium-High | Medium |

Service Planning Matrix

| Service Type | Public Access | Recommended Port | Access Control | Monitoring Level |
|---|---|---|---|---|
| Web Services | Yes | Standard/Alternative | Source filtering | Medium |
| Database | No | Non-standard | Strict restrictions | High |
| Remote Access | Limited | Non-standard | Admin networks only | High |
| Mail Services | Yes | Standard | Protocol-specific | Medium |
| VPN Services | Yes | Standard/Alternative | Certificate-based | Medium |
| Management | No | Non-standard | Admin access only | High |
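The Access Control Levels and Service Planning Matrix tables describe policy rather than syntax, so a rule can be schema-valid and still violate them (a database port forwarded to `any`, or SSH published on its standard port). The audit below is an added example, not part of this page or the project's own code: it maps each rule's `allowed_ips` onto the access levels above, classifies the rule by its `local_port` using the ports from Common Service Mappings, and emits findings where the rule contradicts the matrix. Which ports belong to which service class, the severity labels, and the sample rules are all assumptions constructed for this example.

```python
import ipaddress

# Service classes from the Service Planning Matrix, keyed by the local (service)
# ports listed in Common Service Mappings. The port-to-class mapping is an
# assumption made here for classification; "limited" means admin networks only.
SERVICE_CLASSES = {
    "Web Services":  {"ports": {80, 443},                     "public": True},
    "Database":      {"ports": {3306, 5432},                  "public": False},
    "Remote Access": {"ports": {22, 3389},                    "public": "limited"},
    "Mail Services": {"ports": {25, 587, 143, 993, 110, 995}, "public": True},
    "VPN Services":  {"ports": {1194, 500, 4500},             "public": True},
}


def is_any(entry):
    return isinstance(entry, str) and entry.lower() == "any"


def access_level(allowed_ips):
    """Map an allowed_ips list onto the page's Access Control Levels."""
    if any(is_any(e) for e in allowed_ips):
        return "Public"
    prefixes = [ipaddress.ip_network(e, strict=False) for e in allowed_ips]
    hosts = [n for n in prefixes if n.num_addresses == 1]
    if len(hosts) == len(prefixes):
        return "Host-Based"
    if not hosts:
        return "Network-Based"
    return "Hybrid"


def classify(local_port):
    """Name the service class for a local port, or None if it is not catalogued."""
    port = int(local_port)
    for name, spec in SERVICE_CLASSES.items():
        if port in spec["ports"]:
            return name
    return None


def audit_rule(rule):
    """Return (severity, message) findings for one rule, judged against the matrix."""
    findings = []
    service = classify(rule["local_port"])
    level = access_level(rule["allowed_ips"])
    if service is None:
        findings.append(("low", f"local_port {rule['local_port']} is not a catalogued service; review manually"))
        return findings
    spec = SERVICE_CLASSES[service]
    if spec["public"] is False:
        # Matrix: Public Access = No for Database (and Management).
        findings.append(("high", f"{service} must not be reachable through port forwarding"))
    if level == "Public":
        # "any" is the Public access level: acceptable only where the matrix allows public access.
        severity = "medium" if spec["public"] is True else "high"
        findings.append((severity, f"allowed_ips grants Public access to {service}; restrict to source networks or hosts"))
    if spec["public"] == "limited" and int(rule["public_port"]) == int(rule["local_port"]):
        # Matrix recommends a non-standard public port for Remote Access.
        findings.append(("medium", f"{service} published on its standard port {rule['public_port']}; use a non-standard public port"))
    return findings


def audit_rules(rules):
    """Map each rule name to its findings; compliant rules map to []."""
    return {rule["name"]: audit_rule(rule) for rule in rules}


# Constructed sample rules: two compliant, three that contradict the matrix.
SAMPLE_RULES = [
    {"name": "Web on 8080", "lan_ip": "192.168.128.10", "public_port": 8080, "local_port": 80,
     "allowed_ips": ["192.168.1.1"], "protocol": "tcp"},
    {"name": "Web open to all", "lan_ip": "192.168.128.20", "public_port": 8081, "local_port": 80,
     "allowed_ips": ["192.168.1.1", "any"], "protocol": "tcp"},
    {"name": "SSH Remote Access", "lan_ip": "192.168.128.30", "public_port": "2222", "local_port": "22",
     "allowed_ips": ["203.0.113.0/24"], "protocol": "tcp"},
    {"name": "SSH standard port", "lan_ip": "192.168.128.31", "public_port": 22, "local_port": 22,
     "allowed_ips": ["any"], "protocol": "tcp"},
    {"name": "MySQL exposed", "lan_ip": "192.168.128.40", "public_port": 33060, "local_port": 3306,
     "allowed_ips": ["198.51.100.7"], "protocol": "tcp"},
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(name, "->", access_level(next(r for r in SAMPLE_RULES if r["name"] == name)["allowed_ips"]))
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Only "Web on 8080" and "SSH Remote Access" pass cleanly; the open web rule is reported at medium because the matrix allows public web access but recommends source filtering, the standard-port SSH rule collects both a high (Public access to Remote Access) and a medium (standard port) finding, and the MySQL rule is high regardless of its host-based source list because the matrix grants Database no public access at all. Run this over the rendered `port_forwarding_rules` list whenever the YAML changes and treat any high finding as a blocker.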