Re: port forwarding -- nat/ipfw



On Sat, 12 May 2007 19:36:50 -0400, MZ wrote:

<FreeBSD 6.2 box used as router>

I can't get port forwarding to work within or outside the LAN. I want
to be able to type the IP address of my router (192.168.0.1) in a web
browser, specify port 8080, and a directory afterwards. And then have
it forward to a server set up on another machine (192.168.0.20)
listening on 8080.

My natd.conf on my router machine looks like this:

use_sockets yes
same_ports yes
unregistered_only yes
dynamic yes
redirect_port tcp 192.168.0.20:8080 8080

An ipfw show reveals that my firewall is (temporarily) open:

00002 1005298 430722216 allow ip from any to any via vr0
00003 980 356944 allow ip from any to any via lo0
00100 572333 354481284 divert 8668 ip from any to any in via xl0
00101 0 0 check-state
00110 422399 309684521 skipto 500 tcp from any to any out via xl0 setup keep-state
00120 606831 121482513 skipto 500 udp from any to any out via xl0 keep-state
00130 5525 308848 skipto 500 icmp from any to any out via xl0 keep-state
00400 4368 408903 allow tcp from any to any in via xl0 setup limit src-addr 1
00410 11198 3153576 allow udp from any to any in keep-state
00420 2673 247293 allow icmp from any to any in keep-state
00450 9765 491896 deny log ip from any to any
00500 486258 80911184 divert 8668 ip from any to any out via xl0
00510 1034755 431475882 allow ip from any to any
65535 7 675 deny ip from any to any

<vr0 is the pci card facing the LAN, xl0 is the pci card facing the
internet>

Directly typing in http://192.168.0.20:8080/dirname into a web browser
from within the LAN gets me to where I want to go, so I know that the
server listening on 8080 is working fine. Typing
http://192.168.0.1:8080/dirname gives me "unable to connect", so
forwarding is clearly not working.

Any ideas?

As far as I know, port forwarding applies to packets coming in from the
Internet to your external (public) IP and will have no effect on LAN
traffic. So your setup allows Internet traffic to access the Web server
on 192.168.0.20 by accessing your public address on port 8080.

Also, you won't be able to test this forwarding from inside your LAN due
to "double NATing" - you can't go out from your LAN to your public IP and
then back in to a port forwarded machine. You need to use a machine
external to your LAN. So things may be working as you want them to, it's
just that you're testing incorrectly.

-Adrian
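
The point made in the reply above, traced through the ruleset from the original post. This is an added example, not part of the thread: a simplified first-match model of ipfw in which first_match() and parse() are hypothetical helpers. It assumes no dynamic state, TCP SYN test packets, and ignores keep-state/limit.

```python
# Added example: first-match walk over the ipfw ruleset quoted in the post
# (packet/byte counters removed). Assumptions of this model: no dynamic state,
# so check-state never matches; packets are TCP SYNs, so "setup" matches.
RULES = """\
00002 allow ip from any to any via vr0
00003 allow ip from any to any via lo0
00100 divert 8668 ip from any to any in via xl0
00101 check-state
00110 skipto 500 tcp from any to any out via xl0 setup keep-state
00120 skipto 500 udp from any to any out via xl0 keep-state
00130 skipto 500 icmp from any to any out via xl0 keep-state
00400 allow tcp from any to any in via xl0 setup limit src-addr 1
00410 allow udp from any to any in keep-state
00420 allow icmp from any to any in keep-state
00450 deny log ip from any to any
00500 divert 8668 ip from any to any out via xl0
00510 allow ip from any to any
65535 deny ip from any to any
"""

def parse(line):
    tok = line.split()
    num, action, rest, arg = int(tok[0]), tok[1], tok[2:], None
    if action in ("divert", "skipto"):      # these actions carry a numeric argument
        arg, rest = int(rest[0]), rest[1:]
    rest = [t for t in rest if t != "log"]  # "log" is a modifier, not the protocol
    proto = rest[0] if rest else None
    direction = next((t for t in rest if t in ("in", "out")), None)
    via = rest[rest.index("via") + 1] if "via" in rest else None
    return num, action, arg, proto, direction, via

def first_match(iface, direction, proto="tcp"):
    """Return (rule number, action) of the first rule that disposes of the packet."""
    resume_at = 0
    for num, action, arg, r_proto, r_dir, r_via in map(parse, RULES.splitlines()):
        if num < resume_at or action == "check-state":
            continue
        if r_proto not in ("ip", proto) or r_dir not in (None, direction):
            continue
        if r_via not in (None, iface):
            continue
        if action == "skipto":              # jump forward, keep evaluating
            resume_at = arg
            continue
        return num, action

# LAN browser -> 192.168.0.1:8080 arrives on vr0: accepted before any divert rule.
print("LAN, in via vr0 :", first_match("vr0", "in"))
# The same SYN arriving on the Internet side is handed to natd (divert 8668).
print("WAN, in via xl0 :", first_match("xl0", "in"))
```

In this model the LAN-side packet is disposed of by rule 00002 and never reaches a divert rule, so natd's redirect_port entry is not consulted for it; only traffic on xl0 is diverted.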