Topic: Problem due to natting
« on: March 30, 2009, 17:01:35 »
tenknology *
Posts: 5

Hi
I have a problem that I cannot resolve. I have a router configured with a static public IP address. Behind this router I have the Monowall with a 10.10.10.x WAN address space and a 172.16.xx.xx LAN address space. In this subnet (LAN) I have a videocall system that uses a lot of TCP/UDP ports. I've made rules to permit traffic from any to any ONLY on this destination IP address, but in the firewall logs I see blocked packets. I've configured the external public IP address (93.xx.xx.xx) on Server NAT and then INBOUND NAT, but it doesn't seem to work... Please, can you help me? Thanks so much in advance.
« Reply #1 on: March 31, 2009, 10:49:48 »
markb ****
Posts: 331

Think about it.  Is your external IP address on the Mono box?
« Reply #2 on: April 09, 2009, 14:16:54 »
tenknology *
Posts: 5

Quote: Think about it.  Is your external IP address on the Mono box?

Hi Mark. I have this config.

Internet --> 93.xx.xx.xx (PUBLIC IP ADDRESS - WAN Router) ---> 10.10.10.1 (LAN Router) --> 10.10.10.6 (WAN m0n0wall) --> 171.16.100.xx (LAN m0n0wall) --> 171.16.100.251 (VideoConf Device)

I've made a LAN interface rule to permit access from 171.16.100.251 to * on all TCP/UDP ports and a WAN interface rule to permit access from * to 171.16.100.251 on all TCP/UDP ports. I can call everywhere without problems, but people cannot call me (pointing to the . I receive packets on TCP port 1720 (H.323) but nothing happens... Maybe something related to NAT? Or similar?
Thanks for your help. Best regards
« Reply #3 on: April 14, 2009, 10:56:49 »
markb ****
Posts: 331

As I mentioned, as your external IP address is held on the WAN (presumably DSL) router, the Monowall box has no knowledge of it, as its WAN address is in a private range.  Firstly, you will need to configure your WAN router to forward the traffic to the Mono box.  I suggest a DMZ configuration which forwards all traffic to the Mono box.  On the Mono box you will have to make sure that the check box at the bottom of the WAN interface config page, "Block private networks", is unchecked.  You will then have to create a NAT entry from the WAN interface for the ports you require.  I would suggest that you try to find the specific ports required and add the specific rules.  When you create the NAT rules, check the box to automatically create the rule required.

Alternatively, if you must forward all ports, you could dispense with NAT on the Mono box (as your WAN router will already be providing it), stick a static route in the WAN router for the LAN subnet, and then add the video conference device as the DMZ from your WAN router and pass all traffic in a WAN rule on the Mono box.
« Reply #4 on: April 30, 2009, 08:18:43 »
tenknology *
Posts: 5

Thanks for your support.
Which kind of NAT do you mean? Could a simple Server NAT (INBOUND) with 10.10.10.6 as the NAT IP that NATs the internal one, 172.16.100.251, be enough? It's clear that I have to specify all involved ports :) For the outbound NAT rule I have nothing to do, because it automatically NATs all traffic with the 10.10.10.6 Monowall WAN IP, correct?
Thanks in advance
« Reply #5 on: April 30, 2009, 10:21:27 »
markb ****
Posts: 331

It all depends on how you want to leave your internet connection configured.  Currently, you have NAT on the Monowall and also NAT on the DSL router.

If I was setting it up, my personal preference would be to set the DSL router to forward all traffic to the WAN interface of the Monowall.  Most DSL modem routers have a feature for this, often called a DMZ.  This means that all traffic hitting the external IP address of your DSL router (your internet IP address) is passed to the external address of the Monowall.  This means that you only have one place to configure and change rules.  Then you set up an inbound NAT rule for the port you want.  Specify the interface that it is coming in on (WAN) and the port it is coming in on, and then specify the destination IP address and port.  At the bottom of the page, check the box to automatically create a rule.

When this is done, go into the rules and move the rule that was created to the appropriate place in the list.   By default it sticks them at the bottom of the list, but as the rules are processed in order, you will have to place it in the appropriate position.
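
The forwarding chain discussed in this thread, as an added example that is not part of any post and is not m0n0wall code: a simplified Python model that traces one inbound H.323 connection through the DSL router, the m0n0wall inbound NAT table and the first-match WAN rules. The public address 203.0.113.10 is a constructed stand-in for the masked 93.xx.xx.xx, the device address is taken as written in reply #4, and the block rule placed ahead of the pass rule is a constructed illustration of rule order.

```python
# Simplified model of the double-NAT path in this thread (constructed sample values).
PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the masked 93.xx.xx.xx address
MONO_WAN = "10.10.10.6"     # m0n0wall WAN address, from the thread
DEVICE = "172.16.100.251"   # video conference device, as written in reply #4
H323 = 1720                 # TCP port the poster sees arriving
ALL = (1, 65535)

def in_range(port, ports):
    return ports[0] <= port <= ports[1]

def dnat(forwards, dst, port):
    """Rewrite the destination using the first matching forward; None if none match."""
    for ext_ip, ports, target in forwards:
        if ext_ip == dst and in_range(port, ports):
            return target, port
    return None

def passes(rules, dst, port):
    """First-match filter: the first matching rule decides; no match means block."""
    for action, rule_dst, ports in rules:
        if rule_dst in ("any", dst) and in_range(port, ports):
            return action == "pass"
    return False

def trace(router_fwd, mono_nat, wan_rules, port=H323):
    """Follow one inbound connection to PUBLIC_IP and report where it ends up."""
    hop = dnat(router_fwd, PUBLIC_IP, port)
    if hop is None:
        return "dropped at DSL router"
    hop = dnat(mono_nat, *hop)  # the destination is now the m0n0wall WAN address
    if hop is None:
        return "no inbound NAT match on m0n0wall"
    if not passes(wan_rules, *hop):  # rules see the translated (internal) address
        return "blocked by m0n0wall WAN rules"
    return f"delivered to {hop[0]}:{hop[1]}"

DMZ = [(PUBLIC_IP, ALL, MONO_WAN)]                   # router forwards all to m0n0wall
NAT_ON_PUBLIC = [(PUBLIC_IP, (H323, H323), DEVICE)]  # entry keyed on the public IP
NAT_ON_WAN = [(MONO_WAN, (H323, H323), DEVICE)]      # entry keyed on the WAN address
PASS_LAST = [("block", "any", ALL), ("pass", DEVICE, (H323, H323))]
PASS_FIRST = [("pass", DEVICE, (H323, H323)), ("block", "any", ALL)]

if __name__ == "__main__":
    print(trace([], NAT_ON_PUBLIC, PASS_FIRST))   # no forward on the DSL router
    print(trace(DMZ, NAT_ON_PUBLIC, PASS_FIRST))  # NAT entry on an address m0n0wall lacks
    print(trace(DMZ, NAT_ON_WAN, PASS_LAST))      # pass rule sits below a block rule
    print(trace(DMZ, NAT_ON_WAN, PASS_FIRST))     # forward, NAT entry and rule order agree
```

Only the last case delivers the call; narrowing the NAT entry to specific ports, as suggested in reply #3, means any other port stops at the m0n0wall NAT stage.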
 