Topic: Trouble with DMZ and NAT, I think...  (Read 3214 times)
« on: May 09, 2007, 09:07:05 »
joespower *
Posts: 11

Hey all,

I tried not to post here because I have seen similar threads, but I haven't yet found an answer to my problem.  Maybe you gurus can help me out.  I have a m0n0wall configured as so:

WAN (Dynamic) -- m0n0 -- DMZ (192.168.1.1)
                                |
  LAN (192.168.0.1) & LAN2 (bridged to LAN)

So, I'm trying to host a website for a friend.  I have an apache webserver tested and running on a machine in the DMZ (192.168.1.2).  As I understand it, I need 2 things to get my DMZ working as expected: an inbound NAT rule and a WAN firewall rule.  Here's my WAN ruleset:

BLOCK  *     RFC 1918 networks     *     *     *     Block private networks

ALLOW TCP    *    80 (HTTP)    192.168.1.2    80 (HTTP)    NAT Forward all inbound HTTP traffic to webserver in DMZ

BLOCK  *    *    *    LAN net    *


Here's my NAT statement:

WAN      TCP      80 (HTTP)      192.168.1.2      80 (HTTP)      Forward all inbound HTTP traffic to webserver in DMZ


So, what happens is quite strange.  At first, I had the m0n0 webGUI listening on port 80 (default)  and when I tried to access my website from outside, I would get the webGUI!!  I thought that was strange, but my first instinct was to change the webGUI to https and see if that would allow my NAT statement to work.  It doesn't!  In fact, I can't access anything on port 80 and I can still access the webGUI via https from the outside!!

I don't even need remote administration for the webGUI, I only need to access my webserver from the outside, so what have I missed?
« Reply #1 on: May 10, 2007, 01:32:04 »
cmb *****
Posts: 851

First, it sounds like you're testing this from inside your network. That's not going to work. (See FAQ)

Second, your firewall rule has source port 80. Source port needs to be any, or 1024-65535 if you want to restrict it, not 80.
« Reply #2 on: May 11, 2007, 00:05:48 »
joespower *
Posts: 11

Okay, let me see if I have this straight...

From the FAQ:

Quote
It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.

This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a "bounce" utility.

Great, at least I know it's not me.  However, I still don't understand the port problem.  Why wouldn't the source port be 80 if that is what the browser is requesting by default?  I should be able to set the destination port to whatever I want as long as my server is listening on that port, but wouldn't I want to set the source port to 80 so that anything that comes in on that port will be redirected to my server?

Maybe I'm confused...
« Reply #3 on: May 11, 2007, 02:48:06 »
clarknova ***
Posts: 148

An incoming connection to your apache server could be sourced from any port, but will be destined to port 80. Follow cmb's advice and try again from the WAN.

db
« Reply #4 on: May 11, 2007, 03:11:03 »
cmb *****
Posts: 851

Source ports of TCP and UDP connections are chosen from the ephemeral port range, between 1024-65535 (some OSes use a smaller subnet of that range, but they all work from that range). When you get reply traffic, the source port is how the originating machine knows what connection the reply is associated with.

Source port will never be the same as the destination port. That's just how TCP and UDP work.
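The point cmb makes is easy to check with a small first-match ruleset model. This is an added example, not m0n0wall code or anything posted in the thread; it assumes first-match evaluation with a default deny, a LAN of 192.168.0.0/24, and a constructed Internet client at 203.0.113.7 using an ephemeral source port.

```python
import ipaddress

# Constructed first-match ruleset model (not m0n0wall's own code).
# Rule = (action, proto, src_net, src_port_spec, dst_net, dst_port_spec).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def port_matches(spec, port):
    """'*' matches any port, '80' a single port, '1024-65535' a range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)

def net_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "RFC1918":
        return any(ip in n for n in RFC1918)
    return ip in ipaddress.ip_network(spec)

def evaluate(rules, proto, src, sport, dst, dport):
    """Action of the first rule matching the 5-tuple; default deny."""
    for action, rproto, snet, sspec, dnet, dspec in rules:
        if rproto != "*" and rproto != proto:
            continue
        if (net_matches(snet, src) and port_matches(sspec, sport)
                and net_matches(dnet, dst) and port_matches(dspec, dport)):
            return action
    return "BLOCK"

# The WAN rules as posted: the ALLOW rule insists on source port 80.
# LAN net is assumed to be 192.168.0.0/24.
POSTED = [
    ("BLOCK", "*", "RFC1918", "*", "*", "*"),
    ("ALLOW", "tcp", "*", "80", "192.168.1.2", "80"),
    ("BLOCK", "*", "*", "*", "192.168.0.0/24", "*"),
]
# cmb's fix: source port any, or 1024-65535 to restrict it.
FIXED = [POSTED[0], ("ALLOW", "tcp", "*", "1024-65535", "192.168.1.2", "80"), POSTED[2]]

def check(rules):
    """Constructed client: a browser at 203.0.113.7 with an ephemeral source port."""
    return evaluate(rules, "tcp", "203.0.113.7", 51234, "192.168.1.2", 80)

if __name__ == "__main__":
    print("posted:", check(POSTED), "fixed:", check(FIXED))  # posted: BLOCK fixed: ALLOW
```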
« Reply #5 on: May 15, 2007, 09:11:26 »
joespower *
Posts: 11

Okay all, I'm still struggling and I've run out of ideas...

I have followed the tutorials and your advice, and I still can't get to my webserver.  I changed the webGUI port to 17 so that it would not conflict with anything else I might be serving (I'm not planning on serving out 'Quote of the Day').  I'm like 99% certain everything I have done in the firewall is correct, and I know NAT is spot on.  I have checked my webserver's access logs and they don't show any activity reaching it from outside my LAN, so it has to be either something I missed on the router, or my ISP blocks port 80...

How can I check this (I use suddenlink)?

Thanks for everyone's help thus far!
« Reply #6 on: May 16, 2007, 00:18:35 »
cmb *****
Posts: 851

Check your firewall logs when you try to access from the outside. Anything pertinent there?