1. When setting up port forwarding, it is necessary to have a public IP-address on the router's WAN-interface through which the connection to the Internet is performed. If the router's WAN interface uses an IP address from a private subnet, port forwarding will not work.
2. To check whether port forwarding is working, you need to access the router's WAN interface from the Internet. Port forwarding will not work when accessing from the local network.
3. The service or application to which port forwarding is performed must be started so that the port can be seen as 'open' during the check. For example, if the FTP-server is not started and there is a NAT rule for port forwarding, the port status will be 'closed' during the check.
Below are the typical reasons that can lead to inoperability of port forwarding, despite the correct configuration of the rule.
1. In the port forwarding rule, the incoming interface is not correctly selected. In the 'Input' field, select the interface through which Keenetic accesses the Internet and through which you plan to remotely access your home network device.
In most cases, you should select the 'Provider' interface. If you have an Internet connection via PPPoE, PPTP or L2TP, you should select the appropriate connection. When connecting to the Internet via a 3G/4G USB modem, you should specify this connection, and when connecting via WISP, select the connection with the name of the network to which Keenetic is connected.
2. Your computer uses a firewall or special software to protect the Internet. Temporarily disable this application and check that port forwarding is working properly.
3. Some ISPs on their network use 'hidden NAT'. You need to make sure that you are accessing the Internet with the IP address that your ISP gave you and that is used on the Keenetic WAN interface. Sometimes there are situations when the ISP provides the client with a public IP address, but in fact, it goes to the Internet with a different IP address. Refer to myip.net. If your IP address is different from that used on Keenetic WAN interface, then port forwarding will not work.
4. Some ISPs filter inbound user traffic by standard protocols and ports. For example, they can filter by 21/FTP, 80/HTTP, 25/POP3, 1723/PPTP and other ports). In this connection it is necessary to know exactly whether the provider blocks traffic on some ports.
If there is such a possibility, you need to change the port number and manually set another number, which will not be blocked by the provider (for example, when blocking port 21 on the FTP-server you can use port 2121).
If there is no possibility to change the port number of the service, you can use port mapping in the rule of port forwarding in Keenetic. You can find more information in the article 'Port forwarding'.
5. In the network settings of the host, to which the ports are forwarded, it is necessary that the IP-address of the default gateway is equal to the local IP-address of the Keenetic router (by default 192.168.1.1). This is the case if you manually specify the network connection settings on the host. If the host is a DHCP client, i.e. it automatically receives an IP address, subnet mask, default gateway and DNS addresses, then the default gateway will be equal to the local IP address of the Keenetic router.
6. Some features of port forwarding for Xbox and PS4 game consoles are presented in the article: 'Using Xbox and PS4 when connecting via Keenetic'.
7. In KeeneticOS operating system NAT logic is implemented in accordance with RFC 4787 'Network Address Translation (NAT) Behavioral Requirements for Unicast UDP'. In particular, by default, the source UDP port changes to any other port than the original one when NAT is being passed. This can cause problems with UDP traffic passing through the NAT for some ISPs that are not aware of this RFC. In this case, try running commands in the router's command line interface (CLI):
ip nat udp-port-preserve
system configuration save
8. If the recommendations above do not help, and for some reason port forwarding will still not work, you can contact our technical support team and attach a self-test file. Information on how to do this can be found in the article 'Saving the self-test file'.
TIP: Tip: Keenetic routers have an ability to organize access to the router even with a private IP address on the router's external WAN interface. KeenDNS is a useful domain name service for remote access. With the help of this service you can solve 2 tasks:
— Remote access to the Keenetic's web interface. You can find the information in the article 'KeenDNS service';
— Remote access to resources (services) of the home network or on Keenetic. For example, access to a device with web interface - network drive, webcam, server, or Download Station torrent client interface running in the router. This option is described in the article 'An example of remote access to home network resources with KeenDNS'.