EFW Support

Support => General Support => Topic started by: UK Bloke on Wednesday 04 November 2009, 09:33:54 pm



Title: 2.3 - Port forwarding how??
Post by: UK Bloke on Wednesday 04 November 2009, 09:33:54 pm
Hi
I have been using EFW for years and just downloaded and set up 2.3, only to find the simple-to-use 'Port Forwarding' page has gone and been replaced with 3 tabs:
'Dest NAT', 'Source NAT' and 'Incoming routed traffic'

I want to set up a port forward for RED traffic coming in on port 8082 to an internal green IP of 172.28.0.11 port 80. I have tried this and cannot get it working.
Which TAB should I be doing this on and any other help/suggestions please?


Title: Re: 2.3 - Port forwarding how??
Post by: bayross on Thursday 05 November 2009, 02:27:08 am
You have to create a rule under Destination NAT and also create a System Access rule.
Garrett


Title: Re: 2.3 - Port forwarding how??
Post by: bayross on Thursday 05 November 2009, 05:03:15 am
Try this... just alter the ports, etc as necessary.

In Firewall, configure a Destination NAT rule as follows:
Access: ANY Uplink
Target: ANY Uplink
Service HTTP
Protocol: TCP
Target: 80
Translate to: TYPE IP
DNAT Policy: NAT
IP: {WEBSERVER IP on GREEN INTERFACE}
Port Range: 80

Save and apply rule

Then go to Firewall, configure System Access rule as follows:
Source Address: {leave blank}
Source Interface: RED
Service HTTP
Protocol: TCP
Target: 80
Policy: ACTION "ALLOW"

Save and apply and you should be good to go. You will now be able to access the specified server externally (Red zone to green zone)

Garrett


Title: Re: 2.3 - Port forwarding how??
Post by: gdPAC on Thursday 05 November 2009, 07:48:59 am
Hi
I have been using EFW for years and just downloaded and set up 2.3, only to find the simple-to-use 'Port Forwarding' page has gone and been replaced with 3 tabs:
'Dest NAT', 'Source NAT' and 'Incoming routed traffic'

I want to set up a port forward for RED traffic coming in on port 8082 to an internal green IP of 172.28.0.11 port 80. I have tried this and cannot get it working.
Which TAB should I be doing this on and any other help/suggestions please?

I spent 5 hours wrestling with this last night doing my own upgrade, and I think I finally got it.

Create a new Destination NAT Rule.  You control the destination in this scenario.

"Access From" is where the traffic is originating, widest to narrowest specification, top to bottom in the dropdown list.  Sounds like "Zone/VPN/Uplink - uplink main Red" fits your need.

"Target" is where traffic in "Access From" is hitting the EFW -- If you have a specific IP that will be used, select it (or CTRL click to select multiple) or just use "All known."

Filter policy: ALLOW (I haven't dared try IPS yet but will test Snort after hours sometime)

"Service/Port" is the port/range the "Target" traffic is coming in on.  In your case, TCP 8082.

"Translate to" is where you want the "Target" traffic to go.  All my rules so far have been of Type IP and DNAT Policy NAT.  "Insert IP" would be 172.28.0.11 in your case and "port" 80.

Leave it enabled, check log if you want to read log entries, give it a meaningful "Remark" name and optionally choose a position.

Click Create Rule, then APPLY and test.

Once you get the concept down, it gets fairly easy after that.

Good luck!

Glen


Title: Re: 2.3 - Port forwarding how??
Post by: kevsworld on Saturday 07 November 2009, 08:52:51 am
Yes, I also struggled with the new port forwarding screen in 2.3. I think it's the Access from and Target bits that are confusing. Anyway, just wanted to confirm that gdPAC has it right.

For the record, bayross is wrong to say that you need to set a system access rule up. You only need a system access rule for traffic that you actually want to end on the Endian itself, i.e. open port 10443 if you want to be able to remotely browse to the web interface using the WAN IP address.



Title: Re: 2.3 - Port forwarding how??
Post by: Vinbob on Thursday 31 December 2009, 01:21:44 am
Just wanted to thank you all for your feedback, as this post has helped me provide access from the outside world to my web/ftp server. However, what is odd is that I don't seem to be able to access the server internally using the HTTP URL (to port 8002) as I would be able to if I was accessing from the outside. Is there something which I have not configured correctly somewhere, as I did not have this problem when I used my LinkSys router?

Many thanks in advance for any help/advice...

Cheers,
Vin.


Title: Re: 2.3 - Port forwarding how??
Post by: Johnny Chin on Thursday 07 January 2010, 08:07:29 pm
Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8082
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 172.28.0.11
Port/Range (e.g. 80, 80:88):80
Enabled: Checked

This should let you access it from the local or external network.


Title: Re: 2.3 - Port forwarding how??
Post by: Vinbob on Friday 08 January 2010, 10:46:07 am
Thanks Johnny. Just have some questions before I proceed:

What is the port 8082 used for as you mention below?
What is the IP 72.28.0.11 for?

Appreciate the help.
Vin.

Access from: ANY
Target: Zone/VPN/Uplink - <ANY Uplink>
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8082
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 172.28.0.11
Port/Range (e.g. 80, 80:88):80
Enabled: Checked


Title: Re: 2.3 - Port forwarding how??
Post by: Johnny Chin on Friday 08 January 2010, 12:39:57 pm
Hi Vin,

Port 8082 is the external port that you need to open for outside/internal user access to your web server through the EFW. IP 72.28.0.11 is the IP address (local LAN) of your web server.

Access from: ANY (Any connection)
Target: Zone/VPN/Uplink - <ANY Uplink> (Any interface connection)
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8082 (port open for the firewall - you can change to port that you are using )
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 172.28.0.11 (LAN IP Address for the web server)
Port/Range (e.g. 80, 80:88):80 (Port open to access web server - web server hosting port)

You may need to add outgoing firewall rule for the local LAN access 8082.


Title: Re: 2.3 - Port forwarding how??
Post by: Vinbob on Wednesday 13 January 2010, 11:42:56 am
Hi Johnny,

Thanks for the reply - sorry for getting back late, but I have been away. So just to confirm, I should use 8082 and not 8002, which is the port my web server is listening on? Also, the 72.28.0.11 is not an IP I am familiar with. Should it not be the 192.168.1.x internal LAN IP on my green network? Sorry to keep circling back, but I just want to make sure I have the right info here as it's difficult enough already!  ???

Thanks again!
Vin.


Title: Re: 2.3 - Port forwarding how??
Post by: Johnny Chin on Wednesday 13 January 2010, 12:40:52 pm
Hi Vin,

For your case, follow the settings below:

Access from: ANY (Any connection)
Target: Zone/VPN/Uplink - <ANY Uplink> (Any interface connection)
Filter policy: ALLOW
Service: User defined
Protocol:TCP
Target port/range (one per line, e.g. 80, 137:139): 8002
Translate to *:
Type : IP
DNAT Policy:NAT
Insert IP: 192.168.1.x (LAN IP address of your web server. Possibly make a static IP for your web server like 192.168.1.200; then this 192.168.1.x should be replaced by 192.168.1.200)
Port/Range (e.g. 80, 80:88):8002


So for visitors to browse your webpage, just type http://www.yourdomain.com:8002

If you want users to browse your webpage by just typing http://www.yourdomain.com then you need to modify the Target port/range to 80. Port/Range (e.g. 80, 80:88):8002 remains unless you also change your webserver to host your webpage on port 80; then you need to change this to 80 too.

Remember to add outgoing firewall rule for the local LAN access port TCP 8082.


Title: Re: 2.3 - Port forwarding how??
Post by: Vinbob on Wednesday 13 January 2010, 01:21:15 pm
Hi Johnny,

Thanks for the help and effort. Unfortunately, I still cannot access my website from my local LAN. I can access if I use 127.0.0.1:8002 but using the domain name will not work. It does work if I access from the outside - something is wrong somewhere. I have configured exactly as you instructed (or at least, I think I have!) but something is still not quite right...

Cheers,
Vin.


Title: Re: 2.3 - Port forwarding how??
Post by: Vinbob on Wednesday 13 January 2010, 01:41:10 pm
Just to add - I disabled the Outgoing firewall altogether and it still did not allow me to connect from the inside out to the internet and back into my machine. Just to confirm:

I have Outgoing Firewall Rule of Green --> RED for Protocol TCP with destination port 8002 - Policy Action is ALLOW

I have the following Destination NAT rules:
Target: UPLINK MAIN
Service: TCP/8002
Translate To: 192.168.1.30:8002
Access From: UPLINK MAIN

Target: UPLINK ANY
Service: TCP/8002
Translate To: 192.168.1.30:8002
Access From: UPLINK <ANY>

Incoming Routed Traffic Rule:

Source: <ANY>
Destination: 192.168.1.30
Service TCP&UDP/8002

Hope this helps - I tried to include screen shots but not sure how I am supposed to embed the images! :-/

Vin.


Title: Re: 2.3 - Port forwarding how??
Post by: Vinbob on Wednesday 13 January 2010, 02:01:01 pm
OK - I got it to work (FINALLY!!!) using the solution kindly provided by DanoDemano in the NAT Loopback solution - but need help making permanent post. I didn't have to create a specific outgoing rule for port 8002 as it didn't make a difference if I was blocking or not. It looks like the solution is based on having a Source NAT defined.

Thanks again for all the help!

Cheers,
Vin.


Title: Re: 2.3 - Port forwarding how??
Post by: Johnny Chin on Wednesday 13 January 2010, 07:07:15 pm
Hi Vin,

You must create a rule in the outgoing firewall. If you didn't set it, the firewall will be in the default setting and not byp.

I managed to post a picture here.

Destination Nat
(http://img51.imageshack.us/img51/6247/destinationnat.jpg)


Outgoing Firewall
(http://img511.imageshack.us/img511/1102/outgoingfw.jpg)


This is permanent. You don't need to use the NAT Loopback from DanoDemano.


Title: Re: 2.3 - Port forwarding how??
Post by: Vinbob on Thursday 14 January 2010, 01:38:38 pm
Johnny,

I don't know what to say other than I created the rules exactly as you say and it doesn't work. If I enable the source NAT, then it does. It doesn't make sense as what you suggested should work. I am at a loss... Another thing to remember from my earlier post, is that even if I turn off the firewall for outbound traffic which basically means everything is open, I still cannot get to the site from internal. So something else must not be configured right if you say it works on your end.

Cheers,
Vincenzo.


Title: Re: 2.3 - Port forwarding how??
Post by: Johnny Chin on Thursday 14 January 2010, 06:26:20 pm
Hmm... The only thing that can help is to go through your settings first. In my case I just set up my EFW, did the settings directly as in the picture, and it worked.

Anyhow, if it works for you with the source NAT, then that's great.


Title: Re: 2.3 - Port forwarding how??
Post by: dukeluke on Sunday 17 January 2010, 01:31:49 pm
Hi all!

I was trying to do a port forwarding, but I can't get it working...
I did it like in the pictures, and in the logs I see that the packets are accepted, but they don't come to the target IP address.

What I want to do exactly is forward all OpenVPN traffic on UDP port 1194 to the internal address 192.168.1.1:1194, but I don't get a connection.

What am I doing wrong?

please help!

luki


Title: Re: 2.3 - Port forwarding how??
Post by: Johnny Chin on Tuesday 26 January 2010, 12:32:29 pm
Hi dukeluke,

You don't need to do any port forwarding to 192.168.1.1:1194 if this is your EFW address. What you need to do is open the outgoing firewall for 1194 GREEN to RED and, in the VPN traffic, add ANY to ANY, service ANY.



Title: Re: 2.3 - Port forwarding how??
Post by: raneesh on Saturday 17 April 2010, 08:22:14 pm
Can anyone tell me how to do RDC port forwarding with 2.3?
thanks in advance
raneesh


Title: Re: 2.3 - Port forwarding how??
Post by: Steve on Saturday 17 April 2010, 10:37:34 pm
Easy, just follow the instructions:
http://docs.endian.com/firewall.html#port-forwarding-nat


Title: Re: 2.3 - Port forwarding how??
Post by: w00z on Monday 26 April 2010, 12:36:43 am
I have the same problem.

I had to connect via RDP from my home to an internal server (192.168.60.1).

I tried to follow the instructions published on the first page, but it does not want to work.

From the router (192.168.50.254) I redirected all the incoming traffic (1:65534) to the red interface IP (192.168.50.1); after that I added a rule in the DNAT section using the same instructions as the screenshots on the first page of this post.

Can somebody help me, please?


Title: Re: 2.3 - Port forwarding how??
Post by: detailsit on Saturday 19 June 2010, 04:25:39 pm
Hello,

I'm working with EFW 2.4. I've got port forwarding working using "Incoming IP - Type *" set to "Zone/VPN/Uplink" and "<ANY Uplink>" selected in the Destination NAT rule. What I'd like to do is restrict access to the port forward rule to a specific external IP address. If I select "Type * Network/IP/Range" and enter the verified external IP address in the "Insert network/IPs (one per line)" field, it fails to function.

Any suggestions/direction would be appreciated.

Thanks,
DetailsIT


Title: Re: 2.3 - Port forwarding how??
Post by: yeganeh on Saturday 07 August 2010, 09:39:52 pm
I’m using Endian 2.3 and trying to forward 192.168.70.0 /24 port 4100 traffic to the internal server which is located on the green network with IP 192.168.40.40 port 7100. To configure this scenario I followed these steps:

1- Port Forwarding/ NAT > Destination NAT
    1-1 Access From: Network IP/Range:  192.168.70.0 /24
    1-2 Target: Zone/VPN/Uplink: ANY Uplink
    1-3 Filter Policy: ALLOW
    1-4 Service: ANY , Protocol: TCP, Target: 4100   
    1-5 Translate to: IP,   DNAT Policy: NAT
    1-6 Insert IP:  192.168.40.40, port: 7100

2- Outgoing Traffic
    2-1 Source: Network/IP , IP: 192.168.40.40
    2-2: Destination: Network/IP, IP: 192.168.70.0 /24
    2-3 Service: ANY, Protocol: TCP, Destination Port: 4100
    2-4 Policy: ALLOW

3- System Access
    3-1 Source address: 192.168.70.0/24
    3-2 Source Interface: RED
    3-3 Service: ANY, Protocol: TCP, Destination Port: 7100
    3-4 Policy: ALLOW

Unfortunately, the DNAT rule is not working as planned.
I monitored the connections in the status section of the Endian system and I can see that the DNAT properly directs the packets. I also monitored my server (IP 192.168.40.40) with TCPDUMP and found that the server receives packets, but unfortunately the connection is not being built, because the initial SYN packets from my client to my server are being translated by Endian Firewall into ACK packets, which is preventing the initial 3-way handshake from being established.

TCPDUMP of  192.168.40.40

IP 192.168.70.92.50924 > 192.168.40.40.7100: S 1705309870:1705309870(0) win 5840 <mss 1460,sackOK,timestamp 1791227116[|tcp]>
        0x0000:  4500 003c 1f9b 4000 3f06 f7d5 c0a8 7723  E..<..@.?.....w#
        0x0010:  c0a8 2bd7 c6ec 0016 65a4 f6ae 0000 0000  ..+.....e.......
        0x0020:  a002 16d0 89de 0000 0204 05b4 0402 080a  ................
        0x0030:  6ac3 f4ec 0000                           j.....

Am I missing something simple here? What should I do to solve this problem??


Title: Re: 2.3 - Port forwarding how??
Post by: jeliasson on Friday 06 May 2011, 08:08:25 pm
Hi everyone!

I want to explain how I got port forwarding working, finally!  ;D
As many have pointed out, "System Access" is only for traffic to the EFW - nothing else.

The problem is that DNAT isn't enough, because you also need to create an SNAT rule so a 3-way handshake can be established.
If you see the previous posts, especially from gdPAC, you will get the DNAT rule running.
Here comes my SNAT rule (which applies to all DNAT rules):

Source type: Network/IP
Insert network/IPs: 0.0.0.0/0
Destination Type: Zone/VPN/Uplink
Selected interfaces: GREEN
Service: <ANY>
Protocol: <ANY>
NAT: NAT ... to source address Auto
Enabled: Ticked (of course)

Hope this helps!

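As an added illustration (not Endian's code and not from any post in this thread), the following toy packet model shows why Vinbob's LAN clients got nothing back with DNAT alone and why an SNAT rule like jeliasson's makes the hairpin case work. All addresses, the flow table and the routing shortcut are constructed; the public IP 203.0.113.10 is a documentation-range placeholder, and the outgoing/system-access filter rules are deliberately left out.

```python
# Constructed scenario: DNAT "public:8002 -> 192.168.1.30:8002" as in the thread.
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"        # RED-side address, placeholder
FW_GREEN = "192.168.1.254"        # firewall's GREEN address, constructed
SERVER, LAN_CLIENT, WAN_CLIENT = "192.168.1.30", "192.168.1.50", "198.51.100.7"
LAN_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """One Destination NAT rule; Source NAT to the GREEN address is optional."""
    def __init__(self, snat_to_green: bool):
        self.dnat = {(PUBLIC_IP, 8002): (SERVER, 8002)}
        self.snat_to_green = snat_to_green
        self.flows = {}  # reply key (dst, dport) -> original client packet

    def forward(self, pkt: Packet) -> Packet:
        if (pkt.dst, pkt.dport) in self.dnat:              # new inbound connection
            new_dst, new_dport = self.dnat[(pkt.dst, pkt.dport)]
            out = replace(pkt, dst=new_dst, dport=new_dport)
            if self.snat_to_green and new_dst.startswith(LAN_PREFIX):
                out = replace(out, src=FW_GREEN)            # server now answers the firewall
            self.flows[(out.src, out.sport)] = pkt          # remember how to undo the NAT
            return out
        orig = self.flows.get((pkt.dst, pkt.dport))         # reply direction
        if orig is None:
            return pkt
        return replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)

def route(pkt: Packet, fw: Firewall) -> Packet:
    """Hosts on the same subnet talk directly over the switch; the firewall only
    sees packets addressed to it or leaving the subnet."""
    same_lan = pkt.src.startswith(LAN_PREFIX) and pkt.dst.startswith(LAN_PREFIX)
    if pkt.dst in (PUBLIC_IP, FW_GREEN) or not same_lan:
        return fw.forward(pkt)
    return pkt

def handshake(client: str, snat_to_green: bool) -> str:
    """Send SYN to the public IP, reply from the server, check what the client sees."""
    fw = Firewall(snat_to_green)
    syn = Packet(client, 50000, PUBLIC_IP, 8002)
    at_server = route(syn, fw)
    assert at_server.dst == SERVER                           # the DNAT step itself always works
    synack = Packet(SERVER, 8002, at_server.src, at_server.sport)
    at_client = route(synack, fw)
    if (at_client.src, at_client.sport) == (syn.dst, syn.dport):
        return "ESTABLISHED"
    return f"RST (reply from {at_client.src}:{at_client.sport}, expected {syn.dst}:{syn.dport})"
```

A source-NAT rule with 0.0.0.0/0 as its source, as posted, also rewrites external clients' addresses, so the server's logs only ever show the firewall's GREEN IP; narrowing the SNAT rule's source to the GREEN network keeps the real client addresses visible for external connections.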


Title: Re: 2.3 - Port forwarding how??
Post by: daehnomel on Wednesday 21 December 2011, 09:37:48 am
I'd like to confirm my suspicions. If I'd like to configure a web or FTP server, I'd have to configure a DNAT rule, an SNAT rule and an outgoing firewall exception? Is that correct? Three screens to get a simple webserver up? Someone please correct me if I'm wrong, because if not I'll be looking for another router distro that's not designed by sadists.


On another note, I read the Endian manual port forwarding section, and I still don't understand what the Source and Target options are; they seem a bit redundant and the descriptions are awful.