Topic: 1:1 (onetoone) NAT and filtering
« on: July 12, 2007, 17:37:23 »
tarax *
Posts: 1

Hi,

I'm trying to set up a new SDSL connection, bundled with xx.xx.28.96/29 public IP addresses, on my OPT4 interface.

So far:
   * I have given xx.xx.28.98 to OPT4, the ISP's modem having xx.xx.28.97 (can ping the router)
   * I have configured 2 1:1 NATs with automatic ProxyARP config (can ping the router from the NATed servers)
      - OPT4    xx.xx.28.99/32      xx.xx.1.3/32    1:1 NAT for Public Server in DMZ (behind OPT3)
      - OPT4    xx.xx.28.100/32    xx.xx.3.3/32    1:1 NAT for Asterisk Server in VOIP (behind OPT2)
   * I have set up a static route to my VoIP gateway (working, can ping the gateway through the router)
      - OPT4    xx.xx.78.35/32      xx.xx.28.97    Route to VoIP Gateway at the ISP

The hard times began when I began trying to reach my VoIP & public servers from the outside:
   * SSHed to a host somewhere on the net
   * ping xx.xx.28.97 (ISP's modem) works
   * ping xx.xx.28.100 no answer... oops, no rules to allow ICMP
   * Create rule:
      ICMP   *    *   xx.xx.28.100   *    DEBUG: Ping any to 1:1ed Asterisk server
   * ping xx.xx.28.100 no answer...
   * check logs:
      blocked    OPT4    xx.xx.xx.xx    xx.xx.3.3, type echo/0    ICMP...  Translation may happen before filtering...
   * Modify rule:
      ICMP    *    *    xx.xx.3.3    *    DEBUG: Ping any to 1:1ed Asterisk server
   * ping xx.xx.28.100 no answer...
   * check logs:
      blocked    OPT4    xx.xx.xx.xx    xx.xx.3.3, type echo/0    ICMP...

So ATM, with my understanding, NAT is working, but I can't see what I should do to make my 1:1 NATed servers be reachable from the outside...

Any help would be GREATLY appreciated

Bests


« Reply #1 on: July 18, 2007, 07:59:57 »
cmb
Administrator
*****
Posts: 851

What I think you're doing wrong is allowing traffic by public IP on the WAN. NAT happens first; when the traffic hits the firewall rules, the destination on the WAN will be the private IP. Use what it'll be translated to, rather than the public IP, and everything should work.
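The ordering described in Reply #1 (1:1 NAT first, then the interface's filter rules), as an added example that is not part of the thread and not the firewall's own code. It is a simplified Python model: the addresses are constructed from documentation ranges because the thread masks the real ones, and per-interface rule matching with default deny is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: 203.0.113.100 stands in for the masked public IP,
# 10.0.3.3 for the Asterisk server's private IP behind the 1:1 NAT on OPT4.
ONE_TO_ONE = {("OPT4", ip_address("203.0.113.100")): ip_address("10.0.3.3")}

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    src: str  # CIDR, "0.0.0.0/0" means any
    dst: str  # CIDR

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.proto == p.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))

def translate_inbound(p: Packet) -> Packet:
    """Step 1: 1:1 NAT rewrites the destination before any rule is consulted."""
    private = ONE_TO_ONE.get((p.iface, ip_address(p.dst)))
    return p if private is None else Packet(p.iface, p.proto, p.src, str(private))

def filter_inbound(p: Packet, rules: list) -> tuple:
    """Step 2: rules see the translated packet; no matching rule means block."""
    seen = translate_inbound(p)
    verdict = "pass" if any(r.matches(seen) for r in rules) else "block"
    return verdict, seen.dst  # seen.dst is the address a block log would show

# Constructed echo request from an outside host to the public 1:1 address.
ping = Packet("OPT4", "icmp", "198.51.100.7", "203.0.113.100")
by_public = [Rule("OPT4", "icmp", "0.0.0.0/0", "203.0.113.100/32")]
by_private = [Rule("OPT4", "icmp", "0.0.0.0/0", "10.0.3.3/32")]
other_iface = [Rule("OPT2", "icmp", "0.0.0.0/0", "10.0.3.3/32")]

if __name__ == "__main__":
    for name, rules in [("rule on public dst", by_public),
                        ("rule on private dst", by_private),
                        ("private dst, rule on OPT2", other_iface)]:
        print(name, filter_inbound(ping, rules))
```

In this model the block verdict always reports the private destination, which matches the log lines quoted in the first post; a rule written for the private destination only matches when it sits on the interface the packet arrives on.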
« Reply #2 on: May 06, 2010, 10:13:22 »
mllt *
Posts: 1

No problem. . . . Thank you.