> For the complete documentation index, see [llms.txt](https://learn.netmaker.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://learn.netmaker.io/getting-started/server-and-client-management/client-installation/netclient-installation/stabilize-netclient-connections-behind-nat.md).
# Stabilize Netclient Connections Behind NAT
For sites behind NAT routers, you can stabilize the connection to the netclient by setting up port forwarding, and setting a static port for the Netclient.
## Port Forwarding
Set up port forwarding rules to forward traffic from the WAN to the machine with Netclient installed. Use custom ports such as 55555.
Here is an example of setting up port forwarding to a generic Linux machine that uses an iptables firewall.
{% stepper %}
{% step %}
### Enable IP forwarding at the kernel level
By default, most systems have forwarding turned off. To turn port forwarding on permanently, edit the /etc/sysctl.conf file with sudo privileges:
{% code title="/etc/sysctl.conf" %}
```
```
{% endcode %}
```
sudo nano /etc/sysctl.conf
```
Inside the file, add this line at the bottom:
```
```
```
net.ipv4.ip_forward=1
```
Save and close the file.
{% endstep %}
{% step %}
### Apply sysctl settings
Apply the settings you added:
```
```
```bash
sudo sysctl -p
```
Then load the system-wide settings:
```
```
```bash
sudo sysctl --system
```
{% endstep %}
{% step %}
### Identify WAN and LAN interfaces
Find the WAN and LAN interfaces on the machine using:
```
```
```bash
ip a
```
{% endstep %}
{% step %}
### Add DNAT rule to forward incoming traffic
Use the -j DNAT target of the PREROUTING chain in the nat table to forward incoming packets to the internal IP and port. Replace {PUBLIC\_IP} and {INTERNAL\_IP} with your values:
```
```
```bash
iptables -t nat -A PREROUTING -i eth0 -p udp -d {PUBLIC_IP} --dport 55555 -j DNAT --to {INTERNAL_IP}:55555
```
{% endstep %}
{% step %}
### Configure IP masquerading (SNAT)
Allow LAN nodes with private IP addresses to communicate with external public networks by masquerading outbound traffic on the external interface (e.g., eth0):
```
```
```bash
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
{% endstep %}
{% step %}
### Result
Now the port forwarding rule for UDP port 55555 is set on the Linux machine and can be used for WireGuard/Netclient connections.
{% endstep %}
{% endstepper %}
## Assign Static Port
To stabilize connections for sites behind NAT routers, set each Netclient host port to "static" and specify the custom port from above (for example, 55555). You can configure this in the Netmaker web UI by going to "Hosts" and then "Edit Host" on the specific netclient hosts.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://learn.netmaker.io/getting-started/server-and-client-management/client-installation/netclient-installation/stabilize-netclient-connections-behind-nat.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.