Article History: This article is expanded from Port Forwarding not Working after Firmware Upgrade to 3.2.0.7. The original article is contributed by @smith6612. This expanded view is contributed by @Cang_Household.
This article details some advanced configurations. The official support may not cover the setups detailed here. As usual, (the lawyers would argue that) you are responsible for all the configuration changes made on your devices. This article does not provide warranties of any kind. By following the steps detailed in the article, you agree to hold both the article authors and Verizon harmless.
Background on Port Forwarding
Port Forwarding, or PF for short, is a long-standing feature found in Verizon routers, and likely in other consumer or small business routers. Port Forwarding is a by-product of the Network Address Translation (NAT) feature, which relies on the Stateful Connection Tracking (Conn Track, or ct, not Computed Tomography) feature of a traditional firewall.
Port Forwarding essentially opens a hole in the firewall. It instructs the NetFilter framework of the router to blindly forward all traffic received on port X of the router to port Y of a host behind the router.
(More Interesting Information)
Verizon routers are essentially Linux boxes, which use the NetFilter framework to provide stateful Firewall, NAT, and PAT features. The userspace executable used by the routers is iptables with an nftables backend.
Port Forwarding is on the Pre-Routing hook, meaning that the address and port number translations occur before forwarding decisions are made.
Prior to Firmware 3.2.0.x
Before firmware 3.2.0.x on the G3100 and CR1000A/B, the port forwarding settings on Verizon routers were extremely granular. I had trouble learning how to do port forwarding correctly. The remnants of these old port forwarding settings can now only be found on the G1100.
In Firmware 3.2.0.7/11, the port forwarding settings page was redone, which vastly simplified the user interface at the expense of eliminating Protocol Forwarding (ESP, AH, GRE, and even IP-IP I believe) capabilities.
In subsequent firmware versions, select Protocol Forwarding capabilities (ESP, AH, and GRE) were restored.
Forwarding to IP 127.0.0.1
Generally, you should never port forward to IP 127.0.0.1. From the perspective of the router, the entire 127.0.0.0/8 block refers to the loopback address of the router.
The only exception to this rule is when you enable Allow Incoming WAN Access to Web-Management.
Warning: enabling incoming WAN access to Web-Management is a potential security vulnerability. When you enable this feature, the 127.0.0.1:443 entry appears, indicating that the router is accepting inbound connections on TCP port 443 (HTTPS).
If I were an Arcadyan engineer, I would not include any loopback entries in the port forwarding table. These loopback entries are installed not in the Pre-Routing NAT table of NetFilter but in its Input Filtering table, but I digress.
TCP and UDP Port Forwarding
Port Forwarding is technically Static Port Address Translation (PAT). The use case for port forwarding is allowing an inbound packet from the Internet hitting a specific port of the router to be forwarded to a specific port of a host behind the router.
When port forwarding is configured, the router blindly forwards certain packets to the host without additional inspection. This has security ramifications, so always secure the host getting the forwarded packets.
A host behind the NAT device (or router, for all intents and purposes) listens on a specific TCP or UDP port. This port is the Fwd to Port. The Original Port is the port on the router that inbound traffic must hit in order to be forwarded to the host behind the router.
For example, suppose you have a host with internal IP 192.168.1.100 and a service listening on TCP port 21000. You would like to access this service from the Internet by typing https://[Your Public WAN IP address]:22000. You would configure 21000 as the Fwd to Port and 22000 as the Original Port.
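The mapping above and the loopback case from the 127.0.0.1 section, as an added example that is not part of the original article and not the router's own code: it classifies port forwarding entries and prints the generic Linux iptables rules each one corresponds to. The LAN subnet 192.168.1.0/24, the WAN interface name eth0, and the sample table are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
WAN_IF = "eth0"                               # hypothetical WAN interface name

def classify(proto, original_port, target_ip, fwd_port):
    """Return (verdict, equivalent iptables rules) for one port forwarding entry."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        return "invalid: protocol must be tcp or udp", []
    for port in (original_port, fwd_port):
        if not 1 <= port <= 65535:
            return f"invalid: port {port} out of range", []
    try:
        ip = ipaddress.ip_address(target_ip)
    except ValueError:
        return "invalid: not an IP address", []
    if ip.is_loopback:
        # 127.0.0.0/8 is the router itself: nothing is translated, the router
        # accepts the traffic on its own INPUT chain (e.g. WAN web management).
        return ("router-local: exposes the router itself", [
            f"iptables -A INPUT -i {WAN_IF} -p {proto} --dport {original_port} -j ACCEPT"])
    if ip not in LAN:
        return "invalid: target is not a host on the LAN", []
    # Static PAT: rewrite the destination in PREROUTING, then allow the new flow.
    return ("forward", [
        f"iptables -t nat -A PREROUTING -i {WAN_IF} -p {proto} --dport {original_port} "
        f"-j DNAT --to-destination {ip}:{fwd_port}",
        f"iptables -A FORWARD -i {WAN_IF} -p {proto} -d {ip} --dport {fwd_port} "
        f"-m conntrack --ctstate NEW -j ACCEPT"])

# Constructed sample table: (protocol, Original Port, target IP, Fwd to Port)
TABLE = [
    ("tcp", 22000, "192.168.1.100", 21000),  # the example from the text
    ("tcp", 443, "127.0.0.1", 443),          # entry shown for WAN web management
    ("tcp", 8080, "10.9.9.9", 80),           # target outside the LAN
]

def audit(table):
    """Classify every entry; each result is (entry, verdict, rules)."""
    return [(row, *classify(*row)) for row in table]

if __name__ == "__main__":
    for row, verdict, rules in audit(TABLE):
        print(row, "->", verdict)
        for rule in rules:
            print("    ", rule)
```

Only the first entry produces a NAT rule; the loopback entry maps to an INPUT accept on the router itself, which is why it deserves a second look when it shows up in the table.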
Please note that the ToS prohibits hosting commercial services on a residential account. For example, you cannot host a publicly accessible file share. In my opinion, it is reasonably acceptable to host services for your own usage. But I am not Verizon Legal. Further questions on the ToS should be directed to Verizon Legal through written correspondence.
-----The following portion of the article falls apart....
Here is an image of the message "Error: The IP address specified is invalid" that happens when I click "Add to List":
I tried restarting the router and restoring it to factory default. I tried turning it off and on again. Also tried using other browsers. Didn't work. Anybody know any workarounds?
Answer
127.0.0.1 technically forwards it to the router's loopback interface, which would be invalid since the router itself is not behind a NAT. The router itself would only be applicable to the firewall rules.
What if you give your PC a DHCP Reserved IP address, and fill that in? The router should be expecting a 192.168.x.x type of address.
Solution provided by smith6612.