Topic: NAT/SNAT/DNAT - m0n0wall vs. shell  (Read 2510 times)
« on: May 29, 2012, 11:10:48 »
11notes *
Posts: 5

I switched from a self-made iptables FW to m0n0wall to make things easier to manage, but it seems I'm too stupid to do so.

I have a LAN behind the m0n0wall, and all I want to do is port forwarding to a client in that LAN, so I tried:

NAT\Inbound\IF: WAN; PROTO: TCP; EXT PORT: 3390; NAT IP: 10.0.0.1; IN PORT: 3389; << redirect all requests on WAN IF on port 3390 to 3389 internal
Rules\WAN\PROTO TCP; SRC : ANY; SRC PORT: ANY; DEST: WAN IP; DEST PORT: 3390 << open port 3390 on FW

Normally I would do that with iptables PREROUTING to route all traffic on interface WAN from port 3390 to 3389, but somehow that doesn't work with m0n0wall. The NAT rules in m0n0wall are the prerouting rules, so they apply before the firewall rules, right? And yes, I don't want to route 3390 from WAN to LAN, I need it to route from 3390 to 3389.

The above works perfectly if no port translation applies (so just open 3389 and forward to 3389).
« Last Edit: May 29, 2012, 11:13:01 by 11notes »
« Reply #1 on: May 29, 2012, 15:58:54 »
Fred Grayson *****
Posts: 994

This rule is not correct:

Rules\WAN\PROTO TCP; SRC : ANY; SRC PORT: ANY; DEST: WAN IP; DEST PORT: 3390

It must be:

Rules\WAN\PROTO TCP; SRC : ANY; SRC PORT: ANY; DEST: 10.0.0.1; DEST PORT: 3389

--
Google is your friend and Bob's your uncle.
« Reply #2 on: May 29, 2012, 16:06:34 »
11notes *
Posts: 5

Doesn't work. Is the problem that I have a current rule mapping 3389 to 3389 (LAN)?
« Reply #3 on: May 29, 2012, 16:30:37 »
Fred Grayson *****
Posts: 994

You cannot have more than one NAT or Rule that has the same destination port on the same destination IP address.

--
Google is your friend and Bob's your uncle.
« Reply #4 on: May 30, 2012, 08:35:26 »
11notes *
Posts: 5

WAN 3389 -> LAN 10.0.0.1:3389
WAN 3390 -> LAN 10.0.0.2:3389

Why shouldn't that work?
« Reply #5 on: May 30, 2012, 08:51:50 »
Fred Grayson *****
Posts: 994

My bad, that will work, so long as you have rules that allow it.

--
Google is your friend and Bob's your uncle.
« Reply #6 on: May 30, 2012, 09:17:48 »
11notes *
Posts: 5

But it doesn't :\

Code:
NAT
IF    PROTO  EXT PORT  IP        INT PORT
WAN   tcp    3389      10.0.0.1  3389
WAN   tcp    3390      10.0.0.2  3390

FW
PROTO  SRC  SRC PORT  DEST      DEST PORT  RULE
tcp    any  any       10.0.0.1  3389       pass
tcp    any  any       10.0.0.2  3390       pass

No chance: 10.0.0.1 works, 10.0.0.2 fails, and nmap also shows only port 3389 to be up and open.
« Reply #7 on: May 30, 2012, 09:40:23 »
Fred Grayson *****
Posts: 994

Something else must be wrong then.

--
Google is your friend and Bob's your uncle.
« Reply #8 on: May 30, 2012, 18:23:10 »
iridris ***
Posts: 145

Based on your use of 3389, I'm guessing this is for Windows Remote Desktop? By default, Windows clients listen on port 3389. Have you set up the 10.0.0.2 computer to listen on 3390 instead of 3389? Is the Windows firewall on that machine set to allow port 3390 through?
« Reply #9 on: May 31, 2012, 08:03:49 »
11notes *
Posts: 5

When I change RDP from 3389 to 3390 on the second IP it works like a charm, because no port translation is done.
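For comparison with the m0n0wall screens, here is the iptables form of what the first post describes: a PREROUTING DNAT that rewrites both the destination address and the port, plus a FORWARD rule that matches the translated destination (the point Fred makes in Reply #1, the filter rule must name the internal address and the internal port, not the WAN IP and the external port). This is an added example, not code from the thread, from m0n0wall, or from the poster; WAN_IF, the dry-run default of echoing the commands, and the optional allowed-source argument are assumptions. Note that in the Reply #6 table the 10.0.0.2 entry maps external 3390 to internal 3390, so no translation takes place there, which is consistent with the last reply where moving RDP itself to 3390 made it work.

```shell
#!/bin/sh
# Added example (not from the thread or from m0n0wall): iptables equivalent of
# an inbound NAT entry with port translation and its matching pass rule.
# Assumptions: the WAN interface name, and that by default we only print the
# commands (IPT="echo iptables"); set IPT=iptables to apply them for real.
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-echo iptables}"

# dnat_forward EXT_PORT INT_IP INT_PORT [ALLOWED_SRC]
#   EXT_PORT    port clients connect to on the WAN address
#   INT_IP      LAN host that should receive the connection
#   INT_PORT    port the LAN host actually listens on
#   ALLOWED_SRC optional source network allowed through (default: any)
# The nat/PREROUTING rule runs before filter/FORWARD, so the FORWARD rule
# must match the rewritten destination (INT_IP:INT_PORT), not WAN:EXT_PORT.
dnat_forward() {
  ext="$1"; ip="$2"; int="$3"; src="${4:-0.0.0.0/0}"
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$src" --dport "$ext" \
       -j DNAT --to-destination "$ip:$int"
  $IPT -A FORWARD -i "$WAN_IF" -p tcp -s "$src" -d "$ip" --dport "$int" \
       -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# The two forwards from Reply #4, with the second one actually translating
# external 3390 to internal 3389 (the Reply #6 table mapped 3390 to 3390).
dnat_forward 3389 10.0.0.1 3389
dnat_forward 3390 10.0.0.2 3389
```

Run it as-is to see the generated rules; the optional fourth argument narrows the source so the forward is not reachable from the whole Internet.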