EFW Support

Support => General Support => Topic started by: yarns on Friday 11 December 2009, 06:31:33 pm



Title: Port forwarding - can't get access from LAN
Post by: yarns on Friday 11 December 2009, 06:31:33 pm
Hi,

I forwarded port 80 from my red interface to port 80 on my internal web server.
(http://img341.imageshack.us/img341/3562/blaa.png)
Everything works fine when I access it from the internet (www.niezapomnij.com),
but when I try to access it from inside the LAN it doesn't work. Any idea how to fix it?

Best regards


Title: Re: Port forwarding - can't get access from LAN
Post by: person on Saturday 12 December 2009, 08:27:42 pm
Same problem as me - related to NAT loopback not working - see other posts... lots of posts on this issue but no resolution yet :( What's happening with it!


Title: Re: Port forwarding - can't get access from LAN
Post by: DrDamnit on Monday 14 December 2009, 11:07:46 am
NAT loopback is usually disabled to avoid potential security problems of attackers sending packets in that 'appear' to be coming from inside the LAN.

The way to fix it is to use a DNS server inside your network. If you don't feel like configuring one, use the hosts file to redirect your computer to the proper box.

C:\Windows\System32\etc\drivers\hosts (Windows)

/etc/hosts (Linux -- depending on distro).


Title: Re: Port forwarding - can't get access from LAN - SOLUTION
Post by: emediasa on Wednesday 23 December 2009, 07:44:40 pm
Hi,

For me, a hosts file or DNS was undesirable, due to the number of entries I would have needed to make. The solution is to make a SNAT rule effectively matching the DNAT rule so that the replies keep going "outside" and back in via the firewall.

It appears that Endian won't create a SNAT rule using the external interfaces. I believe this is a bug. Additionally, the SNAT rules it DOES make can't be configured (as far as I can tell) to be POSTROUTING rules. Long story short, this is how you do it. Change the line below to match the PORT/SERVICE you want to loopback AND the public IP address you want it to reply from:

Run this from the command line, and it will take effect in real time. It's likely to get overwritten the next time you make changes to the firewall; I'd love for someone else to chime in on how to make this rule addition permanent:

iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...

where:
 - 192.168.1.0/24 is my private NAT network
 - 192.168.1.104 is the "destination" address of the original DNAT server rule (eg: the Real Server internal IP)
 - --dport XX = the service you want to loopback
 - XX... is the public IP you are using to access the service (ie: where replies should come from)

Also add that line to /etc/firewall/snat/iptablessnat. Perhaps in that file it will survive a reboot, but I'm certain the next time I add any firewall ports this will get overwritten.

Someone please tell me how to make this change permanent.

Thanks,
James

www.cloud5nines.com
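The rule pair behind James's fix, as an added example that is not from the post or from Endian: a small POSIX shell function that prints the two iptables commands for NAT loopback on a given service. The SNAT line is the one from the post; the PREROUTING DNAT line is my assumption about the port-forward the firewall already performs for Internet clients, restricted here to LAN sources so it can sit beside the GUI-generated rule. The IP addresses in the comments are constructed examples.

```shell
#!/bin/sh
# Print (do not apply) the iptables rule pair for NAT loopback (hairpin NAT)
# on a Linux firewall. Pipe the output into sh to apply it.
#
# Parameters:
#   $1  LAN network, e.g. 192.168.1.0/24
#   $2  internal server IP, i.e. the target of the existing DNAT rule
#   $3  TCP port of the service to loop back
#   $4  public IP clients use to reach the service
hairpin_rules() {
    lan_net=$1; server=$2; port=$3; public=$4

    # Reject anything that is not a numeric port in 1..65535 so a typo does not
    # produce a rule that silently matches nothing (or everything).
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi

    # 1. LAN clients connecting to the public IP are redirected to the server
    #    (assumed DNAT; Endian's port-forward GUI normally creates this for
    #    Internet clients, here limited to LAN sources).
    printf 'iptables -t nat -I PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$lan_net" "$public" "$port" "$server" "$port"

    # 2. Rewrite the source of those redirected packets so the server answers
    #    the firewall, which un-NATs the reply; without this the server replies
    #    directly to the LAN client, which drops the unexpected packet.
    printf 'iptables -t nat -I POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$lan_net" "$server" "$port" "$public"
}

# Example run with constructed addresses (203.0.113.10 is a documentation IP):
# hairpin_rules 192.168.1.0/24 192.168.1.104 80 203.0.113.10
```

A side effect worth knowing: after the SNAT rule, the web server's access log shows the public IP rather than the real LAN client address for looped-back connections.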


Title: Re: Port forwarding - can't get access from LAN
Post by: person on Thursday 24 December 2009, 12:57:45 am

Thanks, this works perfectly!! I was considering rolling back to plain old IPCop, but this fix works well; although not permanent, it's way better than hosts/DNS!


Title: Re: Port forwarding - can't get access from LAN
Post by: Johnny Chin on Thursday 07 January 2010, 08:26:26 pm
try this

Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 80
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 192.168.1.10 -> your web server LAN address
Port/Range (e.g. 80, 80:88):80
Enabled: Checked

This should let you access it from the local or external network.


Title: Re: Port forwarding - can't get access from LAN
Post by: Vinbob on Wednesday 13 January 2010, 11:54:27 am
Johnny,

I tried the solution you kindly gave with the following and was still unable to go out and back in to access my web server:

Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8002 (listening port)
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 192.168.1.30 -> your web server LAN address
Port/Range (e.g. 80, 80:88):8002 --> listening port
Enabled: Checked

Any other ideas on what may be wrong? Thanks in advance for the help.

Cheers,
Vin.


Title: Re: Port forwarding - can't get access from LAN
Post by: Johnny Chin on Wednesday 13 January 2010, 12:42:47 pm
Hi Vin,

Your outgoing traffic should be open for port 8002. Possibly you are blocking this outgoing port. This setting is working for my server.