Topic: PLS Help: Destination NAT wouldn't work (SOLVED)
mrt
« on: Monday 12 April 2010, 08:41:00 pm »

Hi all,

I'm planning to convert my GW/firewall from ClarkConnect 5.1 (ClearOS) and install the community version 2.3, and I'm having some problems reaching my mail server (and bigger confusion after reading several posts here about problems with port forwarding).
I have read the manual, tried to "read" this, and read several posts here, but some say that it must be a System access rule, others say no and that it must be a Source NAT rule. According to the manual, the System access rule is only for the Endian itself, and some predefined rules are working there (efwsupport.com/index.php?topic=1065.0). I do not have any other rules than the ones in Destination NAT; all the others are "Predefined" from the system.

I have one Exchange server running on VMware INSIDE my network and want to forward ports 80, 443, 25 and 21 to that server.
My network looks like this:

Red uplink = pppoe (public IP, e.g 88.89.123.123)
Green network (eth0=10.0.0.2)
Exchangeserver = 10.0.0.16

My forwarding rules are:

Access from:    Type Zone/VPN/Uplink - <ANY Uplink>
Target:         Type Zone/VPN/Uplink - Zone GREEN - IP 10.0.0.2
Filter policy:  Allow
Service/Port:   HTTP - TCP - 80
Translate to:   IP, DNAT Policy NAT
Insert IP:      10.0.0.16
Port/Range:     80

And the same for ports 443, 25 and 21.

Is this the correct way of doing it, or what should I do? Is there any other "official" HowTo on this? So, could someone help me out with this?

PS: I have some screenshots if someone needs them, by PM.
PS1: If someone HAS a working port forwarding rule to an internal Exchange server/web server, I would very much like to get any feedback on this.

PS2: As I can read on several forums about Endian, there are some problems with port forwarding. Could it be a BUG in Endian? Could anyone from the development team please answer me? There is some confusion out here, also in the answers, about what the correct answer is. :-)

#UPDATE - 1#
Just to see if I could reach my Endian from outside, I made a System Access rule for ping, and I can ping my IP, so it's alive.
I can't see any HTTP "hit" in the FW log for incoming. I see the Exchange server 10.0.0.16 "contact" some IP outside.

My Proxy is Off.

I'm running DynDNS but haven't enabled it yet because I have to be sure the FW forwarding rule works OK before I tell my nameserver to point to DynDNS. So for this test I use my public IP to see if I come through to my Exchange server and OWA (Outlook Web Access). It should work with just the public IP; I have tested it with my ClearOS FW.

So, now I'm confused and "stuck".


Thanks a lot in advance... :-)
With regards from Norway
lribeyre
« Reply #1 on: Monday 12 April 2010, 11:40:02 pm »

Hi,

I don't have any trouble regarding port forwarding, but I have a question for you regarding port 443.

Are you able to access the Endian's Administration Page after forwarding port 443 to your Exchange? (I think there is an issue between port 443 and port 10443.)

For your issue, go to the "firewall tab" -> "port forwarding / NAT" -> "destination NAT" tab.
On the Target, try to select "zone green : ip ALL known". Your other settings seem to be fine.

Then, from outside your network, try a "telnet" command like: telnet my_public_ip 25
You should reach your Exchange and see the version of your current Exchange server.
System Engineer

Activlan - France
mrt
« Reply #2 on: Tuesday 13 April 2010, 07:38:51 pm »

Hi and thank you for the reply.

I changed it as you suggested and tried telnet on port 110: no response at all, no hit in the realtime firewall log.

But I tried something else, and that works! But I didn't understand why.

I changed the Target to <Uplink main IP:all known ip> like this:
My forwarding rules are:

Access from:    Type Zone/VPN/Uplink - <ANY Uplink>
Target:         Type Zone/VPN/Uplink - <Uplink main IP:all known ip>

Everything else the same.

When I then telnet to e.g. port 110, my Exchange server was answering that POP3 is ready.

Why is this working?

lribeyre
« Reply #3 on: Tuesday 13 April 2010, 10:36:19 pm »

Hello,

Because your request is made to your Uplink Red interface, then you translate the address to your local IP address (in this case, your Exchange local IP).

I know that, logically, the "target" should be the destination address (the Green interface), but I use this logic:
Access from: Outside world
Target: To my box (so the Red interface)

And my box translates the address where I want ...
System Engineer

Activlan - France
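
Added example, not part of the thread and not Endian's code: a simplified Python model of why the rule only matched once the Target was the uplink IP. It assumes a destination-NAT rule is compared against the packet's destination address as it arrives, before any translation; the class and function names are hypothetical, and the addresses are the ones posted above.

```python
from dataclasses import dataclass

# Addresses are the examples posted in the thread.
UPLINK_IP = "88.89.123.123"   # RED uplink (public IP)
GREEN_IP = "10.0.0.2"         # firewall's own GREEN interface
EXCHANGE_IP = "10.0.0.16"     # internal Exchange server

@dataclass(frozen=True)
class Packet:
    in_zone: str    # zone the packet arrived on
    dst_ip: str
    proto: str
    dst_port: int

@dataclass(frozen=True)
class DnatRule:             # hypothetical model of one Destination NAT row
    from_zone: str          # "Access from"
    target_ip: str          # "Target"
    proto: str
    port: int
    to_ip: str              # "Translate to"
    to_port: int

    def matches(self, pkt):
        # Assumption: matching uses the ORIGINAL destination, pre-translation.
        return (pkt.in_zone == self.from_zone and pkt.dst_ip == self.target_ip
                and pkt.proto == self.proto and pkt.dst_port == self.port)

def apply_dnat(rules, pkt):
    """Return the rewritten packet for the first matching rule, else None."""
    for rule in rules:
        if rule.matches(pkt):
            return Packet(pkt.in_zone, rule.to_ip, pkt.proto, rule.to_port)
    return None

def final_destination(rules, pkt):
    out = apply_dnat(rules, pkt)
    return f"{out.dst_ip}:{out.dst_port}" if out else "not forwarded"

# Rule as first posted: Target = Zone GREEN, IP 10.0.0.2
green_target = [DnatRule("RED", GREEN_IP, "tcp", 80, EXCHANGE_IP, 80)]
# Rule after the change: Target = uplink main IP
uplink_target = [DnatRule("RED", UPLINK_IP, "tcp", 80, EXCHANGE_IP, 80)]

# An outside client connects to the public IP on port 80.
inbound = Packet("RED", UPLINK_IP, "tcp", 80)

if __name__ == "__main__":
    print("target = GREEN IP  ->", final_destination(green_target, inbound))
    print("target = uplink IP ->", final_destination(uplink_target, inbound))
```
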
mrt
« Reply #4 on: Wednesday 14 April 2010, 09:34:43 pm »

Thank you for the "logic" explanation. :-)

I can now see why others also have problems understanding the way "they" were thinking.

I also found some links (bugfix) on the upcoming upgrade 2.3.1; there it says in black and white that it is difficult to use and understand Destination NAT (Port Forwarding).

Text: htt_://bugs.endian.it/view.php?id=2472
Screenshot: htt_://bugs.endian.it/file_download.php?file_id=354&type=bug

So, now my post is SOLVED. :-)

PS: Perhaps we should contribute to making a HowTo with screenshots of different things to do for this Endian 2.3?

Regards, from Norway