Port forwarding help

[Guest]

[xlancealotx]

I did read the previous  which did work, but I did try the same with no luck.  I have a static IP on the external (eth3) and static on the internal (eth2).  I am running 2.3, but also a bit confused on the dashboard home, under Network Interfaces, by default I have the following;
checked br0
not checked eth2
checked eth3
I do see in/out traffic on eth2 but I am not sure if that is part of the issue.  But I have a local 10.10.5.219 address running an app I need to get to from the outside, I followed but still no luck.  I have the following config under Firewall add new NAT;

Access From: Type: Zone/VPN/Uplink
Interface: Uplink main
Target: Zone/VPN/Uplink
Interface: Uplink main - IP: publicip here
Filter: Allow
Service: Any/TCP/0:65535 (as the app tries to connect from any port to the local 6164)
Translate to: IP
DNAT: NAT
Insert IP: 10.10.5.219
Port Range: 6164

Note I am using 1.1.1.1. as the 'public' IP of the endian, and

By doing that and applying, a remote attempt using network connect reveals;
root@ws1:~# nc 1.1.1.1 6164
(UNKNOWN) [1.1.1.1] 6164 (?) : Connection refused

I read other posts which said you need a system access policy so I added that;
Source address: 1.1.1.1
Source interface: 6164 (tried from both that and the full range 0:65535) but left the rest connect from ANY.  Once I retried the same netconnect (nc) string, I didn't get the refused, saw the following in the endian live logs;

PORTFWACCESS:ACCEPT:1 TCP (eth3) 2.2.2.2:54391 -> 10.10.5.219:6164 (br0)

but never a confirmation on the client terminal.  A local connect instantly gives me data, and the server doesn't see the connect.  I am looking at the log entry, and the -> 10.10.5.219:6164 looks like it's passing it on, but I don't get the connect, also why the (br0) and not the eth2 address?

This is important I get this going (as all posts are) and looking foward to using the device more, so the basic port forwarding is critical.  Thanks.

[Steve]

Access From: Type: Zone/VPN/Uplink
Interface: Uplink main
Target: Zone/VPN/Uplink
Interface: Uplink main - IP: publicip here
Filter: Allow
Service: Any/TCP/0:65535 (as the app tries to connect from any port to the local 6164)
Translate to: IP
DNAT: NAT
Insert IP: 10.10.5.219
Port Range: 6164

The way I read this is:
The rule above states ALL connections to ANY port (0-65535) to your Uplink main interface (1.1.1.1) from the outside will be sent to IP address  10.10.5.219 port 6164
Which is almost a DMZ type rule.
You should just direct traffic designated to a few ports (or even just port 6164) to your internal Ip address.


When you say "as the app tries to connect from any port to the local 6164" you are talking about the Source, not the Destination.
The Service: Any/TCP/0:65535 should be Service: Any/TCP/6164 as this entry is for the Destination port, not the Source port.

Also, your external (eth3) is 1.1.1.1
Is this what you fixed it to or is this the value shown because you are running your Red interface as PPPoE and your modem is in Bridge mode.

I hope it helps to enlighten things a bit.

[xlancealotx]

Steve, thanks for the reply.  I did misunderstand that was the target port, so I did update that so to only be the 6164 port.

As for the external, I am not so worried about attacks, but just didn't publish the public (old paranoid days), but it is a fixed static IP from our ISP, it's not (or should not) be setup as PPOE.

I will recheck shortly as I don't have remote mgmt turned on so need to creatively get on a local machine there to admin the endian.  I don't see that 1st part as not allowing the traffic through, but regardless I will update that and test.

Thanks