Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 14 November 2024, 03:34:00 pm

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14255 Posts in 4377 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  Installation Support
| | |-+  Need help with portforwarding multiple RED ip's and SNAT
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Need help with portforwarding multiple RED ip's and SNAT  (Read 18061 times)
Enkhuizen
Jr. Member
*
Offline Offline

Posts: 4


« on: Tuesday 12 January 2010, 08:47:31 am »

Hi,

I have this setup

red:
123.123.123.1/24
123.123.123.2/24
123.123.123.3/24
123.123.123.4/24
123.123.123.5/24

Green:
192.168.1.1

Servers on green:
192.168.1.11 < webserver 1
192.168.1.12 < webserver 2
192.168.1.13 < mailserver 1
192.168.1.14 < mailserver 2
192.168.1.15 < ssh host

Target solution
123.123.123.1:80 > 192.168.1.11:80
123.123.123.1:443 > 192.168.1.11:443
123.123.123.2:80 > 192.168.1.12:80
123.123.123.2:443 > 192.168.1.23:443
123.123.123.3:25 > 192.168.1.13:25
123.123.123.4:25 > 192.168.1.14:25
123.123.123.5:22 > 192.168.1.15:22

If the mailservers communicate with the outside world, they need to have their own ip as source:
mailserver 1: 123.123.123.3
mailserver 2: 123.123.123.4

Now for the big question:

How to configure this in EFW2.3?

I've tried this:
Destination NAT >
Add a new destination NAT rule >
Access from: < ANY >
Target: Type: Zone/VPN/Uplink: Uplink Main (Main Uplink) - IP: 123.123.123.1
Filter policy: ALLOW with IPS (ids is off so shouldn't interfere)
Service: HTTP, Protocol TCP, Port 80
Translate to: IP, Policy NAT
Insert IP: 192.168.1.1 Port/Range: 80
Enabled + Log, Remark: HTTP from 123.1 to 1.1
Create rule
Apply

Testing:
opening http:123.123.123.1
timeout

log: PORTFWACCESS:ALLOW:1 eth1 KEY_TCP 123.123.123.11:52655   ff:ff:08:00:0c:00 192.168.1.1: 80

But no website.....


Logged
Enkhuizen
Jr. Member
*
Offline Offline

Posts: 4


« Reply #1 on: Tuesday 12 January 2010, 08:48:15 am »

so what am I doing wrong?

Logged
hacevedo
Jr. Member
*
Offline Offline

Posts: 8


« Reply #2 on: Thursday 14 January 2010, 12:49:09 pm »

Based on your target solution section above you shouldn't translate to IP 192.168.1.1 as that points to the IP for the GREEN zone interface. The rule should point to 192.168.1.11. It may be just a typo but I saw you wrote it multiple times so I figured I point it out.

It makes sense that the request times out because the GREEN interface is not listening on port 80.

Hope that helps.  Smiley

Logged
mzainal
Full Member
***
Offline Offline

Posts: 16


« Reply #3 on: Saturday 13 March 2010, 05:22:27 am »

Do you add multiple ip red on interface menu?
Logged
Steve
Sr. Member
****
Offline Offline

Posts: 108



WWW
« Reply #4 on: Saturday 13 March 2010, 09:21:39 am »

...
Target: Type: Zone/VPN/Uplink: Uplink Main (Main Uplink) - IP: 123.123.123.1
...

Try:
Target: Type: Network/IP/Range - 123.123.123.1

Logged

                          
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.063 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com