Firewall/NAT

Hello all,

I'm having trouble with port forwarding - the firewall rule and NAT rule seem to be set up correctly, but the packets are still being dropped according to the logs.

Network topology is really simple; Mono runs on a two-NIC box. I have a computer behind the firewall running an application that listens on TCP 51234.

I have the following rules set up on the firewall:

Firewall: NAT: Inbound
If         Proto     Ext Port Range     NAT IP                   Int Port Range   
WAN    TCP       51234                192.168.200.195     51234

Firewall: Rules: WAN
Proto     Source     Port     Dest                        Port            Action
TCP         *             *         192.168.200.195   51234         Pass


From what I can tell, these rules are set up correctly. The interesting thing is that in the firewall logs, the traffic is still dropped. I have no other rules set up on the box, other than the default that blocks RFC 1918 inbound on the WAN interface.

Any ideas?

Thanks!

Bump

Perhaps try changing the protocol to ANY to see if that changes anything? What application is it?

Hi there,

I'm having the exact same issue. And worst: on two different installs of m0n0wall. I've set up rules to forward port 8080 on the WAN side to an internal host's port 80, but they simply don't work. I don't know what else to try.

Sorry, I've been away.

I've tried changing to ANY with the same results. The application is Maptool (yes, I'm a true geek - http://www.rptools.net/index.php?page=maptool).

I've verified that I'm running the most current version as well - 1.33 for generic PC with keyboard, monitor, and HDD.

@bkendall and @rafaelmagu: can you please post (or e-mail to mk@neon1.net if you prefer) the output of <http://m0n0wall/status.php>? That would help in debugging this issue.

Status page emailed.

Thanks!

Sent through to email from both of the installs I have.

Alright, my issue is fixed.

I deleted both the NAT and firewall rules and started over. It helped to check the box on the firewall rule to "log packets handled by this rule", which did show in the firewall logs that the traffic was being allowed. Not sure why it was being denied the first time around, but I'll chalk it up to something that I misconfigured.

Secondly, the native firewall on the server was blocking the connection. It was "supposed" to be disabled, but a network capture indicated the remote computer sent three SYNs, received no reply, and then timed out.

Many thanks to those that tried to help, especially Mr. Kasper.

Good to hear. I kept working a little bit on it but I'm still seeing the same issue.

The second m0n0wall install was done on Monday, so all the rules have been created brand new.

I did, however, setup an IPsec trunk now between the two setups which works, except for the fact that the internal subnets are not visible from either side (subnet A is not visible from behind m0n0wall B and vice-versa). I can, however, open both web interfaces when I connect to one of the m0n0walls using PPTP, which means traffic is going through the link, just not being allowed through m0n0wall.

So the issues have finally been fixed. I was also using Captive Portal on both sides, and CP was blocking traffic on the PPTP interface as well, which was unexpected because PPTP doesn't show up in the drop-down for CP configuration.

I had a rule in CP to allow traffic TO a local IP address (RADIUS server I was trying to reach from outside), but the rule actually needed to be FROM, so traffic could come back to me. It's a bit confusing that they use that naming convention instead of WAN/LAN, but I understand now that FROM is when you want traffic to go to a certain IP on a different interface than your own.

Secondly, the NAT rules are processed BEFORE the firewall rules. I had my thinking the other way round. Once Manuel clarified that for me, I was able to switch the rules around and everything works, including CP.