IX. NAT Related Features

How to apply Firewall Rules to Port Forwarding

Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765
Show all

IP Filter
NAT Rule
Show all

DrayTek Vigor routers from the 3.8.4 firmware release can limit access to ports forwarded in the [NAT] section with either [Port Redirection] or [Open Ports] rules with the Source IP setting; a quick way to limit access to port forwards on the router to:

  • Single IP Address
  • Range of IP Addresses - to for instance
  • Subnet Address - i.e. which equates to (Network address) to (Broadcast address) as a range of IP addresses

This is a new feature in 3.8.4 and later firmware versions; it is possible to do this using the Firewall with all previous DrayTek routers or earlier firmware versions, as demonstrated in this guide: Firewall - Limit access to Port Forwarding with Firewall Rules

When the Source IP is configured in a NAT rule, the router will only allow the IP address(es) specified to access that port forwarding, other IP addresses are blocked by the router's firewall.

IP Objects

The Source IP is configured with an IP Object, which are the IP address(es) on the Internet that would be allowed access to the forwarded port.

Go to [Object Settings] > [IP Object] and click on the first available index number:

In the IP Object, there are three Address Type settings:

Single Address - This sets a single IP address for the IP object.

Range Address - This sets a range of IP addresses in the IP object, such as this example

Subnet Address - This sets the IP range according to a subnet, the Start IP Address is the Network Address of the subnet and the Subnet Mask defines how large the subnet is.

In this example, the address is the network address, is the subnet mask and this results in an IP range from to

Click OK to save the IP Object once configured and it will show in the list of IP Objects:


Port Forwarding

To configure a port forward on the router, there are two methods:

Types of Port Forwarding

Port Redirection

This method is used to open a single TCP or UDP port to the Internet and direct it to a LAN (Private) IP address on the Private Port specified.This can be used to open a port externally (Public Port) and direct it to the same port internally, or a different port number.

This can be useful to open the same Private port on multiple local devices to different External port numbers. For instance Remote Desktop Protocol (TCP 3389) could be opened for many PCs with each having a unique Public Port number, i.e. maps to 33890 externally and maps to 33891 externally.

Open Ports

This method opens a range of ports to the specified LAN (Private) IP address, with up to 10 TCP or UDP port ranges per Open Ports entry.

This can be used to open all required ports to a server in a single NAT - Open Ports rule.

Port Redirection

To configure a Port Redirection NAT rule on the router, go to [NAT] > [Port Redirection] and click on the first available Index number:

In the Port Redirection entry, configure these settings:

Mode Set this to Single to open a single port when forwarding one port.
Seting this to Range opens that range of ports i.e. 100-110 to a similar range of internal IPs such as to to the Privite Port specified
Service Name This is used for display purposes to identify the NAT rule
Protocol This can be set to TCP, UDP or TCP/UDP to open both types of port
WAN Interface The Internet connection that the port will be opened to
Public Port This is the external port. In this example, the port forwarded is the same externally as internally
Source IP The Source IP can be left as "Any" to open the port to the Internet, or set to the specified IP Object to limit access to only that Single IP / Range of IPs / Subnet of IPs
Private IP This is the LAN IP of the server that will respond
Private Port This is the port number for the service that the router will send to the LAN IP

Setting a Source IP will display the IP Objects available on the router; when configured, the port forward rule will allow only that IP address to go through the router's firewall to the forwarded port / service:

Click OK to save the rule and the router will forward requests received on that port to the internal server if the IP address matches the Source IP:

How do you rate this article?

1 1 1 1 1 1 1 1 1 1