Author Topic: Port forwarding help  (Read 9257 times)
xlancealotx
« on: Wednesday 07 April 2010, 07:14:27 am »

I did read the previous  which did work, but I did try the same with no luck.  I have a static IP on the external (eth3) and static on the internal (eth2).  I am running 2.3, but also a bit confused on the dashboard home, under Network Interfaces, by default I have the following;
checked br0
not checked eth2
checked eth3
I do see in/out traffic on eth2 but I am not sure if that is part of the issue.  But I have a local 10.10.5.219 address running an app I need to get to from the outside, I followed but still no luck.  I have the following config under Firewall add new NAT;

Access From: Type: Zone/VPN/Uplink
Interface: Uplink main
Target: Zone/VPN/Uplink
Interface: Uplink main - IP: publicip here
Filter: Allow
Service: Any/TCP/0:65535 (as the app tries to connect from any port to the local 6164)
Translate to: IP
DNAT: NAT
Insert IP: 10.10.5.219
Port Range: 6164

Note I am using 1.1.1.1 as the 'public' IP of the endian, and

By doing that and applying, a remote attempt using network connect reveals;
root@ws1:~# nc 1.1.1.1 6164
(UNKNOWN) [1.1.1.1] 6164 (?) : Connection refused

I read other posts which said you need a system access policy so I added that;
Source address: 1.1.1.1
Source interface: 6164 (tried from both that and the full range 0:65535) but left the rest connect from ANY.  Once I retried the same netconnect (nc) string, I didn't get the refused, saw the following in the endian live logs;

PORTFWACCESS:ACCEPT:1 TCP (eth3) 2.2.2.2:54391 -> 10.10.5.219:6164 (br0)

but never a confirmation on the client terminal.  A local connect instantly gives me data, and the server doesn't see the connect.  I am looking at the log entry, and the -> 10.10.5.219:6164 looks like it's passing it on, but I don't get the connect, also why the (br0) and not the eth2 address?

It is important that I get this going (as all posts are) and I am looking forward to using the device more, so the basic port forwarding is critical.  Thanks.
Steve
« Reply #1 on: Wednesday 07 April 2010, 08:45:29 am »

Quote
Access From: Type: Zone/VPN/Uplink
Interface: Uplink main
Target: Zone/VPN/Uplink
Interface: Uplink main - IP: publicip here
Filter: Allow
Service: Any/TCP/0:65535 (as the app tries to connect from any port to the local 6164)
Translate to: IP
DNAT: NAT
Insert IP: 10.10.5.219
Port Range: 6164


The way I read this is:
The rule above states ALL connections to ANY port (0-65535) on your Uplink main interface (1.1.1.1) from the outside will be sent to IP address 10.10.5.219 port 6164.
Which is almost a DMZ type rule.
You should just direct traffic destined for a few ports (or even just port 6164) to your internal IP address.


When you say "as the app tries to connect from any port to the local 6164" you are talking about the Source, not the Destination.
The Service: Any/TCP/0:65535 should be Service: Any/TCP/6164 as this entry is for the Destination port, not the Source port.

Also, your external (eth3) is 1.1.1.1
Is this what you fixed it to, or is this the value shown because you are running your Red interface as PPPoE and your modem is in Bridge mode?

I hope it helps to enlighten things a bit.
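The rule reading in Steve's reply, as an added example (Python; not code from this thread or from Endian): it models how a DNAT rule is matched on the destination port only, so a Service of TCP/0:65535 funnels every inbound port on the uplink to 10.10.5.219:6164, while TCP/6164 forwards just that one port. It also parses the PORTFWACCESS line from the first post and checks that the forwarded destination is the rule's target. The DnatRule/Packet field names and the log-line format (inferred from that single sample line) are assumptions of this example, and 1.1.1.1 stands in for the public IP as in the thread.

```python
"""
Added example, not from the forum thread or the Endian project: a small model
of DNAT port-forwarding rule matching and a parser for the PORTFWACCESS log
line. Field names and the log format are assumptions for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class DnatRule:
    uplink_ip: str      # public IP the rule listens on ("Uplink main - IP")
    proto: str          # "TCP" or "UDP"
    dst_port_lo: int    # Service port range = DESTINATION ports, inclusive
    dst_port_hi: int
    target_ip: str      # "Insert IP"
    target_port: int    # "Port Range" on the internal host


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def apply_dnat(rule: DnatRule, pkt: Packet):
    """Return the (ip, port) the packet is translated to, or None if the rule
    does not match. Only the destination port is compared against the Service
    range; the client's (ephemeral) source port plays no part in the match."""
    if pkt.proto != rule.proto or pkt.dst_ip != rule.uplink_ip:
        return None
    if not (rule.dst_port_lo <= pkt.dst_port <= rule.dst_port_hi):
        return None
    return (rule.target_ip, rule.target_port)


def exposed_port_count(rule: DnatRule) -> int:
    """Number of distinct external ports on the uplink this rule forwards."""
    return rule.dst_port_hi - rule.dst_port_lo + 1


# Regex for the PORTFWACCESS line quoted in the thread (format assumed from that one sample).
_LOG_RE = re.compile(
    r"PORTFWACCESS:(?P<verdict>\w+):\d+ (?P<proto>\w+) \((?P<in_if>\w+)\) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) \((?P<out_if>\w+)\)"
)


def parse_portfw_log(line: str) -> dict:
    """Split one PORTFWACCESS line into its fields (ports as ints)."""
    m = _LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised PORTFWACCESS line: {line!r}")
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d


def log_matches_rule(line: str, rule: DnatRule) -> bool:
    """True if the log line shows an ACCEPT whose rewritten destination is the rule's target."""
    d = parse_portfw_log(line)
    return (d["verdict"] == "ACCEPT" and d["proto"] == rule.proto
            and (d["dst_ip"], d["dst_port"]) == (rule.target_ip, rule.target_port))


# Constructed sample values mirroring the thread.
BROAD_RULE = DnatRule("1.1.1.1", "TCP", 0, 65535, "10.10.5.219", 6164)    # as first configured
NARROW_RULE = DnatRule("1.1.1.1", "TCP", 6164, 6164, "10.10.5.219", 6164)  # Steve's correction
SAMPLE_LOG = "PORTFWACCESS:ACCEPT:1 TCP (eth3) 2.2.2.2:54391 -> 10.10.5.219:6164 (br0)"

if __name__ == "__main__":
    for name, rule in (("broad", BROAD_RULE), ("narrow", NARROW_RULE)):
        print(f"{name}: forwards {exposed_port_count(rule)} external port(s)")
        for dport in (22, 80, 6164):
            pkt = Packet("TCP", "2.2.2.2", 54391, "1.1.1.1", dport)
            print(f"  {pkt.dst_ip}:{dport} -> {apply_dnat(rule, pkt)}")
    print("log line consistent with narrow rule:", log_matches_rule(SAMPLE_LOG, NARROW_RULE))
```

Run directly, the script shows the broad rule rewriting ports 22, 80 and 6164 alike to 10.10.5.219:6164, which is why Steve calls it almost a DMZ rule: every external port on the uplink reaches the internal host. The narrow rule answers only for 6164, which is all the application needs.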
xlancealotx
« Reply #2 on: Wednesday 07 April 2010, 11:21:58 am »

Steve, thanks for the reply.  I did misunderstand that was the target port, so I did update that so to only be the 6164 port.

As for the external, I am not so worried about attacks, but just didn't publish the public IP (old paranoid days), but it is a fixed static IP from our ISP; it's not (or should not be) set up as PPPoE.

I will recheck shortly as I don't have remote mgmt turned on so need to creatively get on a local machine there to admin the endian.  I don't see that 1st part as not allowing the traffic through, but regardless I will update that and test.

Thanks