Port forward and Traffic Rule equivalence, or how can there be a Traffic Rule for a host other than the router itself?

Do the settings below, a Port Forward on the left and a Traffic Rule on the right, accomplish the same thing insofar as they expose host port 12000 to TCP traffic from the Internet?

Please excuse me if I seem clueless. I am just coming from "regular routers." From those, I am somewhat used to the idea of port forwarding. I believe the left panel forwards TCP traffic from WAN 12000 to The right panel is my idea of "directly exposing" to the Internet using a Traffic Rule.

Here are my specific questions.

  1. Is the left panel the right way to forward WAN 12000 to (If not, how do I fix it?)

  2. Is the right panel the right way to expose to the Internet directly? (If not, how do I fix it?)

  3. Am I right to think that the two panels achieve the same practical aim of exposure?

  4. What are the pros and cons on either side?

  5. Which panel represents the standard practice?

  6. Isn't the right panel strange? A "Traffic Rule" would have made more sense to me if "Destination Zone" and "Destination Address" did not exist, i.e. were limited to the OpenWrt router itself. (Is that called "Device (input)"?) Then I would have thought a Traffic Rule was a means by which the router decides to open or close itself (its LAN) to the Internet (by protocol, port, etc.). But according to my understanding of the right panel, the router is making a decision for host What if also wanted to expose its port 12000 to the Internet? (I suppose I would create a Traffic Rule that looks like the right panel, except with a new host.) If incoming traffic for 12000 hits the WAN, how would the router know which host ( or should receive it?

I am afraid this question 6 is exposing the degree of my cluelessness. I am working through the Documentation and doing a great deal of Googling. Please help.


Putting question 6 in concrete terms, if the source is WAN it would seem to me that a Traffic Rule could only send the connection to the router itself, for example, as per this bottom panel:


I believe I was hopelessly confused in this post. I would delete it if somebody had not taken the trouble to comment. Please see my later post. Thanks.

The target action is different. The port forward is a DNAT, the traffic rule is an ordinary ACCEPT.

The difference is that if it is not DNAT, the request and the reply would be directly to the server's internal IP address. That is a private IP which cannot route through the ISP. So it will not work.

For DNATs, there can be only one rule and destination IP for an external port. Traffic to different servers would have to have different external port numbers.

The destination is not the router, but the host behind it.
In this case, you need to use the port forwarding to reach the destination.

The traffic rule requires owning a block of public IPs and distributing it downstream.
This typically works with IPv6 PD and at least a prefix of /64.
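
The distinction drawn in the answers above, written out as `/etc/config/firewall` sections. This is an added example, not configuration posted by anyone in the thread. The zone names `wan` and `lan` are the OpenWrt defaults, and every address is a constructed placeholder (the IPv6 ones are from the 2001:db8::/32 documentation range), because the thread's own host addresses are not shown.

```conf
# Port forward (LuCI "Port Forwards"): a DNAT redirect.
# The router rewrites the destination of packets arriving on its own
# WAN address, port 12000, to the private LAN host, and tracks the
# connection so replies are translated back on the way out.
config redirect
	option name 'Forward-12000-hostA'
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '12000'
	option dest 'lan'
	option dest_ip '192.168.1.10'   # constructed placeholder
	option dest_port '12000'

# A second LAN host that also listens on 12000 needs its own external
# port: one external port maps to exactly one destination.
config redirect
	option name 'Forward-12001-hostB'
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '12001'
	option dest 'lan'
	option dest_ip '192.168.1.11'   # constructed placeholder
	option dest_port '12000'

# Traffic rule with a destination zone: a plain ACCEPT on forwarded
# traffic. Nothing is rewritten, so the sender must already address
# the packet to the host itself. That only works when the host has a
# globally routable address, e.g. from an IPv6 delegated prefix.
config rule
	option name 'Allow-12000-hostA-v6'
	option target 'ACCEPT'
	option family 'ipv6'
	option src 'wan'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '2001:db8:0:1::10'   # constructed placeholder
	option dest_port '12000'
```

With the ACCEPT rule, several hosts can each expose port 12000 because the destination address in the packet already selects the host; restricting `dest_ip` and `dest_port` keeps the opening limited to that one service.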