2.3 - Port forwarding how??

[Guest]

[UK Bloke]

Hi
I have been using EFW for years and just downloaded and setup 2.3 only to find the simple to use 'Port Forwarding' page has gone and been replace with 3 tabs.
'Dest NAT', 'Source NAT' and 'Incoming routed traffic'

I want to setup a port forward for RED traffic coming in on port 8082 to an internal green IP of 172.28.0.11 port 80, I have tried this and cannot get it working.
Which TAB should I be doing this on and any other help/suggestions please?

[bayross]

You have to create a rule under Destination NAT and also create a System Access rule.
Garrett

[bayross]

Try this... just alter the ports, etc as necessary.

In Firewall, configure a Destination NAT rule as follows:
Access: ANY Uplink
Target: ANY Uplink
Service HTTP
Protocol: TCP
Target: 80
Translate to: TYPE IP
DNAT Policy: NAT
IP: {WEBSERVER IP on GREEN INTERFACE}
Port Range: 80

Save and apply rule

Then go to Firewall, configure System Access rule as follows:
Source Address: {leave blank}
Source Interface: RED
Service HTTP
Protocol: TCP
Target: 80
Policy: ACTION "ALLOW"

Save and apply and you should be good to go. You will now be able to access the specified server externally (Red zone to green zone)

Garrett

[gdPAC]

Hi
I have been using EFW for years and just downloaded and setup 2.3 only to find the simple to use 'Port Forwarding' page has gone and been replace with 3 tabs.
'Dest NAT', 'Source NAT' and 'Incoming routed traffic'

I want to setup a port forward for RED traffic coming in on port 8082 to an internal green IP of 172.28.0.11 port 80, I have tried this and cannot get it working.
Which TAB should I be doing this on and any other help/suggestions please?

I spent 5 hours wrestling with this last night doing my own upgrade, and I think I finally got it.

Create a new Destination NAT Rule.  You control the destination in this scenario.

"Access From" is where the traffic is originating, widest to narrowest specification, top to bottom in the dropdown list.  Sounds like "Zone/VPN/Uplink - uplink main Red" fits your need.

"Target" is where traffic in "Access From" is hitting the EFW -- If you have a specific IP that will be used, select it (or CTRL click to select multiple) or just use "All known."

Filter policy: ALLOW (I haven't dared try IPS yet but will test Snort after hours sometime)

"Service/Port" is the port/range the "Target" traffic is coming in on.  In your case, TCP 8082.

"Translate to" is where you want the "Target" traffic to go.  All my rules so far have been of Type IP and DNAT Policy NAT.  "Insert IP" would be 172.28.0.11 in your case and "port" 80.

Leave it enabled, check log if you want to read log entries, give it a meaningful "Remark" name and optionally choose a position.

Click Create Rule, then APPLY and test.

Once you get the concept down, it gets fairly easy after that.

Good luck!

Glen

[kevsworld]

Yes I also struggled with the new port forwarding screen in 2.3  I think its the Access from and Target bit that are confussing.  Anyway just wanted to confirm that gdPAC has it right.

For the record, bayross is wrong to say that you need to system access rule up.  You only need a system access rule for traffic that you actually want to end on the endian itself - ie. open port 10443 if you want to be able to remotely browse to the web interface using the WAN IP address.

[Vinbob]

Just wanted to thank you all for your feedback as this post has helped me provide access from the outside world to my web/ftp server. However, what is odd, is that I don't seem to be able to access the server internally using the HTTP URL access (to port 8002) as I would be able to if I was accessing from the outside. Is there something which I have not configured correctly somewhere as I did not have this problem when I used my LinkSys router?

Many thanks in advance for any help/advice...

Cheers,
Vin.

[Johnny Chin]

Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8082
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 172.28.0.11
Port/Range (e.g. 80, 80:88):80
Enabled: Checked

This should be let you access from local or external network.

[Vinbob]

Thanks Johnny. Just have some questions before I proceed:

What is the port 8082 used for as you mention below?
What is the IP 72.28.0.11 for?

Appreciate the help.
Vin.

Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8082
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 172.28.0.11
Port/Range (e.g. 80, 80:88):80
Enabled: Checked

[Johnny Chin]

Hi Vin,

Port 8082 is external port that you need to open for outside/internal user access to your web server through the EFW.  IP 72.28.0.11 is the IP address (Local LAN) of your web server. 
   
Access from: ANY (Any connection)
Target: Zone/VPN/Uplink - <ANY Uplink> (Any interface connection)
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8082 (port open for the firewall - you can change to port that you are using )
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 172.28.0.11 (LAN IP Address for the web server)
Port/Range (e.g. 80, 80:88):80 (Port open to accces web server - web server hosting port)

You may need to add outgoing firewall rule for the local LAN access 8082.

[Vinbob]

Hi Johnny,

Thanks for the reply - sorry for getting back late but have been away. So just to confirm,  I should use 8082 and not 8002 which is the port my web server is listening on? Also, the 72.28.0.11 is not an IP I am familiar with. Should it not be the 192.168.1.x internal LAN IP on my green network? Sorry to keep circling back but just want to make sure I have the right info here as its difficult enough already! 

Thanks again!
Vin.

[Johnny Chin]

Hi Vin,

For your case follow the settings as below

Access from: ANY (Any connection)
Target: Zone/VPN/Uplink - <ANY Uplink> (Any interface connection)
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8002
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 192.168.1.x (LAN IP Address for the web server where your web server LAN IP is. Possible make a static IP for your web server like 192.168.1.200 then this 192.168.1.x should be replace by 192.168.1.200)
Port/Range (e.g. 80, 80:88):8002


So for visitor to browse your webpage, just type http://www.yourdomain.com:8002

If you want user to browse your webpage just typing http://www.yourdomain.com then you need to modify the Target port/range to 80. Port/Range (e.g. 80, 80:88):8002 remain unless you also need to change your webserver to host your webpage on port 80 then you need to change this to 80 too.

Remember to add outgoing firewall rule for the local LAN access port TCP 8082.

[Vinbob]

Hi Johnny,

Thanks for the help and effort. Unfortunately, I still cannot access my website from my local LAN. I can access if I use 127.0.0.1:8002 but using the domain name will not work. It does work if I access from the outside - something is wrong somewhere. I have configured exactly as you instructed (or at least, I think I have!) but something is still not quite right...

Cheers,
Vin.

[Vinbob]

Just to add - I disabled the Outgoing firewall altogether and it still did not allow me to connect from the inside out to the internet and back into my machine. Just to confirm:

I have Outgoing Firewall Rule of Green --> RED for Protocol TCP with destination port 8002 - Policy Action is ALLOW

I have the following Destination NAT rules:
Target: UPLINK MAIN
Service: TCP/8002
Translate To: 192.168.1.30:8002
Access From: UPLINK MAIN

Target: UPLINK ANY
Service: TCP/8002
Translate To: 192.168.1.30:8002
Access From: UPLINK <ANY>

Incoming Routed Traffic Rule:

Source: <ANY>
Destination: 192.168.1.30
Service TCP&UDP/8002

Hope this helps - I tried to include screen shots but not sure how I am supposed to embed the images! :-/

Vin.

[Vinbob]

OK - I got it to work (FINALLY!!!) using the solution kindly provided by DanoDemano in the NAT Loopback solution - but need help making permanent post. I didn't have to create a specific outgoing rule for port 8002 as it didn't make a difference if I was blocking or not. It looks like the solution is based on having a Source NAT defined.

Thanks again for all the help!

Cheers,
Vin.

[Johnny Chin]

Hi Vin,

You must create a rule in outgoing firewall. If you didn't set it, firewall will be in default setting and not byp.

I managed to post a picture here.

Destination Nat



Outgoing Firewall



This is permanent. You no need to use the NAT Loopback from DanoDemano.