# Stabilize Netclient Connections Behind NAT For sites behind NAT routers, you can stabilize the connection to the netclient by setting up port forwarding, and setting a static port for the Netclient. ## Port Forwarding Set up port forwarding rules to forward traffic from the WAN to the machine with Netclient installed. Use custom ports such as 55555. Here is an example of setting up port forwarding to a generic Linux machine that uses an iptables firewall. {% stepper %} {% step %} ### Enable IP forwarding at the kernel level By default, most systems have forwarding turned off. To turn port forwarding on permanently, edit the /etc/sysctl.conf file with sudo privileges: {% code title="/etc/sysctl.conf" %} ``` ``` {% endcode %} ``` sudo nano /etc/sysctl.conf ``` Inside the file, add this line at the bottom: ``` ``` ``` net.ipv4.ip_forward=1 ``` Save and close the file. {% endstep %} {% step %} ### Apply sysctl settings Apply the settings you added: ``` ``` ```bash sudo sysctl -p ``` Then load the system-wide settings: ``` ``` ```bash sudo sysctl --system ``` {% endstep %} {% step %} ### Identify WAN and LAN interfaces Find the WAN and LAN interfaces on the machine using: ``` ``` ```bash ip a ``` (Example image) {% endstep %} {% step %} ### Add DNAT rule to forward incoming traffic Use the -j DNAT target of the PREROUTING chain in the nat table to forward incoming packets to the internal IP and port. Replace {PUBLIC\_IP} and {INTERNAL\_IP} with your values: ``` ``` ```bash iptables -t nat -A PREROUTING -i eth0 -p udp -d {PUBLIC_IP} --dport 55555 -j DNAT --to {INTERNAL_IP}:55555 ``` {% endstep %} {% step %} ### Configure IP masquerading (SNAT) Allow LAN nodes with private IP addresses to communicate with external public networks by masquerading outbound traffic on the external interface (e.g., eth0): ``` ``` ```bash iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ``` {% endstep %} {% step %} ### Result Now the port forwarding rule for UDP port 55555 is set on the Linux machine and can be used for WireGuard/Netclient connections. {% endstep %} {% endstepper %}
## Assign Static Port To stabilize connections for sites behind NAT routers, set each Netclient host port to "static" and specify the custom port from above (for example, 55555). You can configure this in the Netmaker web UI by going to "Hosts" and then "Edit Host" on the specific netclient hosts. ![](/files/DJ2aDxlzCdTed9WNrZql) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://learn.netmaker.io/how-to-guides/stabilize-netclient-connections-behind-nat.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.