Author Topic: Port Forwarding / NAT  (Read 12450 times)
Dharma
Jr. Member
Posts: 1

« on: Saturday 07 September 2013, 03:51:31 pm »

1st post and I am at my wits' end....

Running Endian Firewall Community 2.3.0

My host passes external requests to my ISP (Skymesh Satellite NBN).

At Skymesh -- I have added 2 port forward IP:port to my profile -- Public IP:port to Private IP:Port (e.g. external port 33443 to internal 443).

At Endian -- My thinking is that I need to create a rule in my Destination NAT to allow for this mapping to my internal IP:port.

Skymesh tell me that the data is being passed from the External IP to the modem but that no port appears to be listening.

I have tried all manner of combinations. When I telnet [host] [port] I get a timeout which I understand to mean Firewall is blocking.

If you have any advice, I may be able to retain some of my hair.

Thanks 8-)
Dharma

Logged
ashi
Jr. Member
Posts: 2

« Reply #1 on: Monday 09 September 2013, 09:57:42 pm »

So I just started playing with this firewall myself a few days ago. I was hoping it would replace the Astaro free UTM (now owned by Sophos); however, I don't think it will at the end of the day.

With that, I may be able to answer your question, as I too was trying to figure this out, and it seems like the threads on these forums tend to favor the "google it" side of the fence.

For me it was an FTP server with a web gui.

So I needed ports 443, 446 and 21, or so I thought.

I added those ports to the [FIREWALL] -> [PORT FORWARDING / NAT] tab as follows

Uplink ANY TCP+UDP/21 -> 192.168.2.2 : 21 ALLOW from: <ANY> [Note: I'm well aware that UDP is not a required protocol for FTP; however, it didn't seem to work at the end of the day without it]
&
Uplink ANY TCP+UDP/443:446 -> 192.168.2.2 : 443:446 ALLOW from: <ANY>

Now I do not know that it would require two different firewall rules to do what I want or not. I did it this way so I could (A) better troubleshoot and (B) have the ability to turn on or off a given service independently if necessary.

THEN

I added similar rules to the [FIREWALL] -> [SYSTEM ACCESS] tab as follows

192.168.2.2/24 <ANY> TCP+UDP/21
&
192.168.2.2/24 <ANY> TCP+UDP/443:446

I was now able to access the FTP server web gui from an external connection! However; I was not able to access FTP. So I started reading what I believe is every thread on this forum that appears to deal with this issue with zero luck. Over the course of the next few days I read everything I could google and nothing seemed to address the problem. Nothing of any benefit could be found in the logs.

It then hit me. It's not the firewall port 21 that is the problem, it's the transmitting ports used by the client! I'm using a passive connection to FTP, which means there are ports associated with using FTP up in the 50000 range that also need to be opened. WHY does this not show up as dropped connections in the Endian firewall log? (No, I'm really asking.) I wasted a ton of time trying to wrap my head around this issue. Plus the fact that it doesn't seem to be answered for anyone anywhere on these forums.

So I read up on passive FTP to make sure I had the correct communication ports (50000:53000 by default, but these can be changed).

I then added the following rule to the [FIREWALL] -> [PORT FORWARDING / NAT] tab

Uplink ANY TCP+UDP/50000:53000 -> 192.168.2.2 : 50000:53000 ALLOW from: <ANY> [Note: to shorten this lengthy answer I will not spend time talking about how many hours I wasted on ALLOW vs. ALLOW with IPS. The IPS part of ALLOW with IPS seems to think the connections are attacks]

And the [FIREWALL] -> [SYSTEM ACCESS] tab as follows

192.168.2.2 <ANY> TCP+UDP/50000:53000

Common sense says this should now work. But it was a no go believe it or not.

In my troubleshooting I finally changed the FTP server's FTP port to 51000 which is inside the range of the rules I created on the Endian firewall and for whatever MYSTERY reason it now works. I spent the next few hours trying to get it to work on port 21 and various other ports with zero luck. So I literally cannot explain why it works, but it does appear to.

Hope the amazing amount of time I spent on this issue helps you in some way resolve the issue you're outlining as it seems similar.

-Ashi

Logged