Overview
By default, RobustOS Pro gateways restrict incoming traffic from the WAN (external network) to the device itself for security. This prevents unauthorized access to services like the web interface or SSH. However, you may need to open a specific port to allow remote management or access to a service running on the gateway.
This guide will walk you through adding a custom iptables firewall rule to open a specific port (using TCP 443 for HTTPS web access as an example) on the gateway's INPUT chain.
What You'll Need
Hardware List:
- 1 x Robustel Gateway running RobustOS Pro (e.g., EG5120, EG5200) 
 
Software/Firmware:
- RobustOS Pro V2.3.1 or higher
 
Other:
- Log in to the Router's web interface. The default IP address is typically http://192.168.0.1.
- Knowledge of the gateway's WAN IP address for testing. (Note: Your gateway's WAN connection can be an Ethernet port, Wi-Fi client, or a Cellular connection. You can search for other guides on how to configure your specific WAN link.)
- Warning: Do not use third-party firewall tools like ufw. This can cause conflicts and prevent your rules from being applied correctly.
Step-by-Step Configuration Guide
Add a Custom Firewall Rule
- Log in to the gateway's web interface. From the left-hand menu, navigate to Network -> Firewall.
 - Click on the Custom Rules tab.
 - In the Custom Iptables Rules section, click the + (Add) icon to create a new rule.
- A pop-up window will appear. Configure the following fields:

- Name: Enter a descriptive name for your rule (e.g., Allow-WAN-HTTPS).
- Family: Select IPv4 (as we are opening an IPv4 port in this example).
- Rule: Enter the specific iptables rule. To open TCP port 443 for the web interface, type: -I INPUT -p tcp --dport 443 -j ACCEPT. This rule means:
  - -I INPUT: Inserts this rule at the beginning of the INPUT chain.
  - -p tcp: Matches packets using the TCP protocol.
  - --dport 443: Specifies the destination port 443 (HTTPS).
  - -j ACCEPT: The target action is to ACCEPT the packet.
 
- Click the Submit button to save the new rule.
 - Click the Save & Apply icon in the top-right corner of the page to make your changes take effect.
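
The rule above matches only on protocol and destination port, so it accepts TCP 443 from any source address. As an added example (not Robustel's code), the following script classifies rule strings of the kind entered in the Rule field and flags INPUT ACCEPT rules that have no source restriction. The -s match is standard iptables; that the Rule field accepts it, the function names, and the sample rules (203.0.113.0/24 is a documentation range) are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code: audit rule strings of the kind entered in the
# Custom Rules "Rule" field and flag INPUT ACCEPT rules that admit any source.

# classify_rule RULE -> prints open | restricted | n/a
# The body runs in a subshell ( ... ) so variables and 'set -f' stay local.
classify_rule() (
    set -f                      # no filename globbing while word-splitting
    chain='' target='' dport='' src='' prev=''
    for tok in $1; do
        # Each option's value is the token that follows it.
        case $prev in
            -I|-A)        chain=$tok ;;
            -j)           target=$tok ;;
            --dport)      dport=$tok ;;
            -s|--source)  src=$tok ;;
        esac
        prev=$tok
    done
    # Only port-opening ACCEPT rules on the INPUT chain are of interest.
    if [ "$chain" != INPUT ] || [ "$target" != ACCEPT ] || [ -z "$dport" ]; then
        echo "n/a"
    elif [ -z "$src" ] || [ "$src" = "0.0.0.0/0" ]; then
        echo "open"             # no source match: any address may connect
    else
        echo "restricted"       # limited to the given source network
    fi
)

# audit_rules: read one rule per line on stdin, print "<class>  <rule>".
audit_rules() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s  %s\n' "$(classify_rule "$line")" "$line"
    done
}

# Constructed sample input. 203.0.113.0/24 stands in for a management
# network (assumption); substitute your own range.
SAMPLE_RULES='-I INPUT -p tcp --dport 443 -j ACCEPT
-I INPUT -p tcp -s 203.0.113.0/24 --dport 443 -j ACCEPT
-I FORWARD -p tcp --dport 8080 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```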
 
Verification & Testing
You can verify the rule is active and then test the port access from the WAN.
Step 1: Verify the Rule is Active
- Navigate back to Network -> Firewall and click the Status tab.
 - In the IPv4 Filter section, find the Chain INPUT list.
- You should now see your new rule listed, showing that traffic to tcp dpt:443 (port 443) will be ACCEPTed.

Step 2: Test the Port Access
- Connect your computer to the gateway's WAN network (e.g., plug your computer into the WAN port or ensure you are on the same network as the gateway's cellular WAN IP).
- Find your gateway's WAN IP address. You can find this on the System Status -> Overview -> Internet Status widget.
- Open a web browser on your computer.
- In the address bar, type https:// followed by your gateway's WAN IP address (e.g., https://192.168.1.14).
- If the configuration is successful, the gateway's login page will load.
 

Troubleshooting / FAQ
- Q: I added the rule, but I still can't access the port. What should I check?
- A: Please check the following steps from internal to external:
  - Is the service running and listening on the port? The firewall can open a port, but if no application is listening on that port, the connection will fail. Make sure the open port is listening. After logging into the device via SSH, use the netstat command to check. For example, to check TCP ports, use netstat -tln. For UDP ports, use netstat -uln. Ensure the port you need to access is in the output list (e.g., tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN).
  - Is the firewall rule active? Go to Network -> Firewall -> Status to confirm your ACCEPT rule is listed in the Chain INPUT. If it's missing, make sure you clicked Save & Apply after adding the rule.
  - Are you using the correct WAN IP and is it reachable? Verify the gateway's Internet Status on the main System Status page.
    - If your WAN is Ethernet: Ensure you are testing from outside that network and that the IP is correct.
    - If your WAN is Cellular: Check if the IP address is a public IP or a private IP (e.g., starting with 10.x, 100.x, 172.16-31.x). Private IPs are not reachable from the public internet.
  - Is the port blocked by an upstream provider? If your WAN is cellular, the mobile carrier might block incoming ports. If your WAN is an Ethernet connection in an office, an upstream firewall (beyond the gateway's control) might be blocking the port.
 
Revision History
Version  | Date  | Author  | Changes  | 
1.0  | 2025-10-29  | Jens Zhou | Initial Draft  |