Description:

In certain circumstances it may not be possible to implement port forwarding to a location where a network resource is to be reached, for example where no public IPv4 address is available (e.g. with dual-stack lite).

In a case like this, port forwarding can be realized via a VPN tunnel if the location has a VPN connection to another site that does have a public IPv4 address.

This document describes how to implement port forwarding through a VPN tunnel.

Please note that when using port forwarding, anyone can read unencrypted information as cleartext. LANCOM Systems recommends using an encrypted VPN connection when transferring important information.


Requirements:


Scenario:

  • The headquarters has an Internet connection with a fixed IPv4 address
  • The branch office has an Internet connection with a non-public IPv4 address (e.g. dual-stack lite)
  • The headquarters and the branch office are connected by VPN
  • Field staff require access to a server at the branch office by means of port forwarding

An image showing a technical configuration interface with terms like DualStackLiteIPv, public IP address, VPN connection, and LAN Office highlighted, indicating network settings for an office headquarters. 


Procedure:

1) Configuring port forwarding on the router at the headquarters:

1.1) Open the configuration of the router at the headquarters and switch to the menu item IP router → Masq. → Port forwarding table.

Screenshot of a technical configuration interface showing various network settings options including UDP, ICMP, IPsec, routing protocols, firewall settings, and more.

1.2) Create a new entry and enter the following information:

  • First port: Enter port 443
  • Last port: Enter port 443
  • Remote site: From the drop-down menu, set the remote site to INTERNET, so that port forwarding applies to this connection only
  • Intranet address: Enter the IP address of the server in the branch-office network (192.168.0.100)
  • Map port: Leave Map port as 0, as no remapping is required
  • Protocol: Set the protocol to TCP, as HTTPS is transmitted via TCP

Image displaying a partial view of a technical user interface with unclear text and protocol configurations.

Further information about port forwarding is available in this Knowledge Base document.

1.3) Write the configuration back to the router. This concludes the configuration at the headquarters.



2) Configuring the VPN route on the router at the branch office:

Since communications are required with a party on the Internet, a default route must be created for the VPN connection.

2.1) Open the configuration of the router at the branch office and switch to the menu item IP router → Routing → IPv4 routing table.

Screenshot of a LANCOM device configuration interface showing tables for network routing settings, time-dependent controls, firewall configurations, and other network management tools.

2.2) Mark the default route for the Internet connection and click Copy.

Screenshot of a technical interface displaying the Pvdroutingtable with coordinates x and y.

2.3) Modify the following parameters:

  • Routing tag: Enter a routing tag not equal to 0, which has not yet been assigned elsewhere.
  • Router: From the drop-down menu, select the VPN remote for the headquarters.
  • IP masquerading: Set the radio button to IP masquerading switched off

The routing tag must not match any interface tag already stored under IPv4 → General → IP networks; otherwise the entire communication of this network takes will be routed through the VPN tunnel.

Screenshot of a network router configuration menu showing options for route propagation via RIP, route disabling, and IP masquerading settings for different network zones.

2.4) Write the configuration back to the router.


 


All LANCOM products and software versions are subject to LANCOM Software Lifecycle Management.
You can find information on our website at https://www.lancom-systems.com/products/firmware/software-lifecycle-management

© 2025 LANCOM Systems GmbH