Welcome, Guest. Please login or register.
Did you miss your activation email?
Monday 16 December 2024, 12:28:45 am

Login with username, password and session length

Get the new Updates directly from Endian  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Port forwarding - cant get access from LAN
0 Members and 5 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Port forwarding - cant get access from LAN  (Read 25996 times)
yarns
Jr. Member
*
Offline Offline

Posts: 3


« on: Friday 11 December 2009, 06:31:33 pm »

Hi,

i forwarded port 80 from my red interface to port 80 on my internal web serwer.

Everything works fine when i get access from the internet(www.niezapomnij.com),
but when i try get access from inside lan its not work. Any idea how to fix it?

Best regards
Logged
person
Jr. Member
*
Offline Offline

Posts: 3


« Reply #1 on: Saturday 12 December 2009, 08:27:42 pm »

Same problem as me - related to Nat Loopback not working - see other posts... lots of posts on this issue but no resolution yet Sad whats happening with it!
Logged
DrDamnit
Jr. Member
*
Offline Offline

Posts: 2


« Reply #2 on: Monday 14 December 2009, 11:07:46 am »

NAT loopback is usually disabled to avoid potential security problems of attackers sending packets in that 'appear' to be coming from inside the LAN.

The way to fix it is to use a DNS server inside your network. If you don't feel like configuring one, use the hosts file to redirect your computer to the proper box.

C:\Windows\System32\etc\drivers\hosts (Windows)

/etc/hosts (Linux -- depending on distro).
Logged

DrDamnit
EFW Community version 2.3
Running on a Dell Optiplex 280 P4, 512MB RAM
emediasa
Jr. Member
*
Offline Offline

Posts: 3


« Reply #3 on: Wednesday 23 December 2009, 07:44:40 pm »

Hi,

For me, a hosts file or DNS was undesirable, due to the number of entries I would have needed to make.  The solution is to make a SNAT rule effectively matching the DNAT rule so that the replies keep going "outside" and back in via the firewall.

It appears to be that Endian won't create a SNAT rule using the external interfaces. I believe this is a bug. Additionally, the SNAT rules it DOES make can't be configured (as far as I can tell) to be POSTROUTING rules. Long story short, this is how you do it. Change the line below to match the PORT/SERVICE you want to Loopback AND the public IP address you want it to reply from:

Run this from the command line, and it will take effect real time. It's likely to get overwritten next time you make changes to the firewall, I'd love for someone else to chime in on how to make this rule addition permanent:

iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...

where:
 - 192.168.1.0/24 is my private NAT network
 - 192.168.1.104 is the "destination" address of the original DNAT server rule (eg: the Real Server internal IP)
 - --dport XX = the service you want to loopback
 - XX... is the public IP you are using to access the service (ie: where replies should come from)

Also add that line to /etc/firewall/snat/iptablessnat. Perhaps in that file it will survive a reboot, but I'm certain the next time I add any firewall ports this will get overwritten.

Someone please tell me how to make this change permanent.

Thanks,
James

www.cloud5nines.com
Logged
person
Jr. Member
*
Offline Offline

Posts: 3


« Reply #4 on: Thursday 24 December 2009, 12:57:45 am »

Hi,

For me, a hosts file or DNS was undesirable, due to the number of entries I would have needed to make.  The solution is to make a SNAT rule effectively matching the DNAT rule so that the replies keep going "outside" and back in via the firewall.

It appears to be that Endian won't create a SNAT rule using the external interfaces. I believe this is a bug. Additionally, the SNAT rules it DOES make can't be configured (as far as I can tell) to be POSTROUTING rules. Long story short, this is how you do it. Change the line below to match the PORT/SERVICE you want to Loopback AND the public IP address you want it to reply from:

Run this from the command line, and it will take effect real time. It's likely to get overwritten next time you make changes to the firewall, I'd love for someone else to chime in on how to make this rule addition permanent:

iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...

where:
 - 192.168.1.0/24 is my private NAT network
 - 192.168.1.104 is the "destination" address of the original DNAT server rule (eg: the Real Server internal IP)
 - --dport XX = the service you want to loopback
 - XX... is the public IP you are using to access the service (ie: where replies should come from)

Also add that line to /etc/firewall/snat/iptablessnat. Perhaps in that file it will survive a reboot, but I'm certain the next time I add any firewall ports this will get overwritten.

Someone please tell me how to make this change permanent.

Thanks,
James

www.cloud5nines.com


Thanks this works perfectly!! I was considering rolling back to plain old ipcop but this fix works well although not permanent its way better than hosts/dns!
Logged
Johnny Chin
Full Member
***
Offline Offline

Gender: Male
Posts: 15



« Reply #5 on: Thursday 07 January 2010, 08:26:26 pm »

try this

Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 80
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 192.168.1.10 -> your web server LAN address
Port/Range (e.g. 80, 80:88):80
Enabled: Checked

This should be let you access from local or external network.
Logged
Vinbob
Full Member
***
Offline Offline

Posts: 20


« Reply #6 on: Wednesday 13 January 2010, 11:54:27 am »

Johnny,

I tried the solution you kindly gave with the following and was still unable to go out and back in to access my web server:

Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8002 (listening port)
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 192.168.1.30 -> your web server LAN address
Port/Range (e.g. 80, 80:88):8002 --> listening port
Enabled: Checked

Any other ideas on what may be wrong? Thanks in advance for the help.

Cheers,
Vin.
Logged
Johnny Chin
Full Member
***
Offline Offline

Gender: Male
Posts: 15



« Reply #7 on: Wednesday 13 January 2010, 12:42:47 pm »

Hi Vin,

Your outgoing traffic should open for the port 8002. Possible is you blocking this outgoing port. This setting is working for my server.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.125 seconds with 21 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com