Port Forwarding not working
mdp716
10-02-2008, 11:40 AM
OK, I give. I cannot figure out what is wrong here.
Just set up my UT device as a VM in VMware workstation. It is configured as a router.
Outbound things seem to work just peachy. But I cannot get port forwarding to work for the life of me.
In particular I have an SMTP server on my network I need to route e-mail to. This was working just fine with my Broadband Router so everything on the outside of the network is set up correctly.
I have UT configured as a DNS server, but not DHCP as that is handled on my windows server and it would be a pain to move it over. My LAN hosts are set to first look to the domain controller for DNS, and then the UT box.
My SMTP box is set up like this (static IP):
IP Addr: 192.168.10.201
Mask: 255.255.255.0
Gateway: 192.168.10.1 (the UT internal interface IP addr)
Pri DNS: 192.168.10.201
Sec DNS: 192.168.10.1
I have the following line in the UT NAT for the Internal card:
Addr and Mask: 192.168.10.1/24
Source addr: Auto
The port forwarding rule I have looks like this:
Enabled: Checked
Name: SMTP on 25
Dest Port: 25
Protocol: TCP
Source Interface: External
Destined Local
New Destination: 192.168.10.201
New Port: 25
But when I try to telnet to port 25 from outside my network I get a "Connect Failed"
Same is true with my web server on port 80 where I have a port forwarding rule set up identical to the above except on port 80.
What am I missing?
I can send outbound mail both from Outlook via Exchange Server and as well, from a telnet session to my smarthost.
Any help will be greatly appreciated as I would like to get some sleep which I have gone without so far since yesterday trying to resolve this and other issues - this is the only issue I have not fixed.
Thanks in advance.
Mike
mdp716
10-02-2008, 11:46 AM
I maybe should mention this.
The only head scratcher I have besides getting port forwarding to work is that when I look at my interfaces page for the External Interface (which is set up as dynamic - and yes, I have a DDNS client updating my domain host servers so the internet knows where to find my domain)...
...anyway, when I look at the External Interface the IP address and netmask assigned from my ISP's DHCP Server do not appear on that page. Everything else (Default Gateway, Pri and Sec DNS) does appear.
I worried about this a short while but figured it was a glitch since everything else is working except port forwarding. But maybe this is an indicator of a hidden problem?
By the way, the UT VM is the latest version as I just downloaded it yesterday.
sky-knight
10-02-2008, 11:49 AM
That NAT policy looks wrong to me for some reason. Unless you have more than one External IP address you won't need to play with this. The default rule was correct. 0.0.0.0/0 any
Your port forward rule looks correct. How about your firewall? If it is block all you need to put a rule in there to pass traffic.
sky-knight
10-02-2008, 11:50 AM
Oops... ;)
Does your UT box have a working internet connection?
mdp716
10-02-2008, 11:54 AM
Yes, I did the whole break/fix thing to force the host machine to route through the UT VM, that works fine. Actually that had me stumped for a long time as the UT box was not working at all until I figured out that I had to break the host adapter from grabbing the DHCP info from the ISP because the Cable 'Modem' box apparently "registers" a limit of one device so my host NIC was getting registered and the UT VM was being ignored. Once I removed TCP/IP from the host external (VMNet0 Bridged) interface on the host and rebooted the 'modem' all was well and I started working on my other long list of things to get going....
mdp716
10-02-2008, 11:59 AM
I have not even installed the Firewall yet. Playing around with the apps I installed the Spam Blocker and Attack Blocker and left them configured as they came but decided to leave everything else alone until I got this problem resolved.
Is the Firewall a required piece for the port forwarding to work?
> That NAT policy looks wrong to me for some reason. Unless you have more than one External IP address you won't need to play with this. The default rule was correct. 0.0.0.0/0 any
> Your port forward rule looks correct. How about your firewall? If it is block all you need to put a rule in there to pass traffic.
sky-knight
10-02-2008, 12:38 PM
No, it isn't. If you don't have the firewall module installed it is just the same as having it "pass all." I'm just trying to eliminate variables.
Because your port forward looks correct, and I operate on the assumption that you used the example rule that was sitting there pre-set up for SMTP, I have to assume at this point your issue is VM related, as the packets aren't making it to UT to be forwarded.
You can test this by dropping to a shell on UT:
1.) ifconfig
2.) figure out which interface has your Internet IP
3.) tcpdump -i <yourexternaladapter> host <yourwanip> && dst port 25
The external adapter is usually eth0, and if you don't have an adapter with a real public IP according to ifconfig? Something is wrong with your VM.
mdp716
10-02-2008, 12:56 PM
OK, did the TCPDUMP and got a whole lot of lines; after I stopped it, most of the lines look like this:
13:50:15.852192 IP 64.86.105.7.51559 > router.mdp.loca.10096: . 4091064:4092512 (1448) ack 1 win 5792 <nop, nop,timestamp 942079090 992058>
and the last three lines are:
2943 packets captured
3937 packets received by filter
989 packets dropped by kernel
there was also a line up there where it appeared that the traffic was going the other way as part of that line is this:
IP router.mdp.local.10096 > 64.86.105.7
Not much of a Linux guy at this point so I am not sure what all this means exactly, but from what I am seeing it does look like traffic is going both ways there.
dmorris
10-02-2008, 01:53 PM
His tcpdump line should be:
tcpdump -n -i <yourexternaladapter> host <yourwanip> "dst port 25"
(remove the && I think)
also on the inside you could do
tcpdump -n -i <yourinternaladapter> "dst port 25"
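The two captures suggested above (one on the external adapter filtered on the WAN IP and destination port, one on the internal adapter filtered on the destination port) answer different questions: whether inbound connection attempts reach UT at all, and whether UT rewrites them toward the LAN host. The following added example is not from the thread or from Untangle; it is a small Python parser for `tcpdump -n` output (numeric addresses, as dmorris's `-n` flag produces) that counts inbound SYNs in each capture and turns the pair into the verdict sky-knight describes: nothing on the external side means an upstream/VM bridging problem, traffic on the external side but not the internal side means the port-forward/NAT rule is not being applied, and traffic on both sides means the LAN host itself is the next place to look. The WAN address 203.0.113.10 and the remote client 198.51.100.7 are constructed placeholders; 192.168.10.201 is the SMTP host from the thread.

```python
import re
from typing import Iterable, Optional

# Summary line tcpdump -n prints for a TCP segment, in either the older
# "S 123:123(0)" flag style (as in the thread) or the newer "Flags [S]" style.
# Numeric addresses are required, which is why the -n flag matters.
_TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?:Flags\s+\[(?P<flags_new>[A-Z.]+)\]|(?P<flags_old>[A-Z.]+)\s)"
)


def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Return the endpoints and SYN/SYN-ACK status of one tcpdump line, or None
    for anything that is not a TCP summary line (footer lines, ICMP, ARP...)."""
    m = _TCP_LINE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags_new") or m.group("flags_old")
    rest = line[m.end():]
    syn = "S" in flags
    # Old style prints SYN-ACK as "S ... ack N"; new style prints "[S.]".
    synack = syn and ("." in flags or " ack " in rest)
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn": syn, "synack": synack,
    }


def count_syn_to(lines: Iterable[str], dst_ip: str, port: int) -> int:
    """Count new connection attempts (SYN, not SYN-ACK) aimed at dst_ip:port."""
    n = 0
    for line in lines:
        p = parse_tcpdump_line(line)
        if p and p["dst"] == dst_ip and p["dport"] == port and p["syn"] and not p["synack"]:
            n += 1
    return n


def diagnose(external_capture, internal_capture, wan_ip: str, lan_ip: str, port: int) -> str:
    """Combine the external-side and internal-side captures into one verdict."""
    reached_ut = count_syn_to(external_capture, wan_ip, port)
    reached_lan = count_syn_to(internal_capture, lan_ip, port)
    if reached_ut == 0:
        return "no-inbound"      # nothing hit the external adapter: look at the VM bridge / modem
    if reached_lan == 0:
        return "not-forwarded"   # hit UT, never rewritten to the LAN host: port-forward/NAT rule
    return "forwarded"           # UT passed it on: look at the SMTP host or its own firewall


# Constructed sample captures (not real traffic from the thread).
EXTERNAL_CAPTURE = [
    "13:50:15.852192 IP 198.51.100.7.51559 > 203.0.113.10.25: S 4091064:4091064(0) win 5840 <mss 1460,nop,wscale 2>",
    "13:50:15.852301 IP 198.51.100.7.51560 > 203.0.113.10.25: Flags [S], seq 1, win 5840, length 0",
    "13:50:16.100000 IP 203.0.113.10.10096 > 198.51.100.7.443: . 1:1449(1448) ack 1 win 5792 <nop,nop,timestamp 1 2>",
    "2943 packets captured",
    "3937 packets received by filter",
]
INTERNAL_CAPTURE = [  # what a broken port forward looks like inside: no rewritten SYN at all
    "13:50:16.200000 IP 192.168.10.201.3456 > 203.0.113.10.80: Flags [S], seq 9, win 65535, length 0",
]
FORWARDED_CAPTURE = [  # what a working port forward looks like inside
    "13:50:15.852500 IP 198.51.100.7.51559 > 192.168.10.201.25: S 4091064:4091064(0) win 5840 <mss 1460>",
    "13:50:15.852900 IP 192.168.10.201.25 > 198.51.100.7.51559: S 77:77(0) ack 4091065 win 5840 <mss 1460>",
]

if __name__ == "__main__":
    print(diagnose(EXTERNAL_CAPTURE, INTERNAL_CAPTURE, "203.0.113.10", "192.168.10.201", 25))
    print(diagnose(EXTERNAL_CAPTURE, FORWARDED_CAPTURE, "203.0.113.10", "192.168.10.201", 25))
```

Feed it the saved output of the two tcpdump commands (one file per adapter); only SYNs are counted, so the replies the LAN host sends back and unrelated outbound traffic on the same interface do not inflate the result.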
mdp716
10-04-2008, 08:33 AM
I do not have any problems accessing my SMTP server from the Internal adapter side. I simply cannot access it or any other services inside my network from the external side.
I have since removed the UT box from my network and put the LinkSys Cable Router back in place because I need to be able to have e-mail and other things working inbound. But I really would like to get the UT box working correctly as it has far more functionality than I will ever be able to effect with the LinkSys box.
If anyone else has any suggestions about what my problem might be please feel free to contribute them.
Thanks in advance
MDP
sky-knight
10-04-2008, 11:09 AM
> I do not have any problems accessing my SMTP server from the Internal adapter side. I simply cannot access it or any other services inside my network from the external side.
Ahh and now the real issue comes to the surface.
> Enabled: Checked
> Name: SMTP on 25
> Dest Port: 25
> Protocol: TCP
> Source Interface: External
> Destined Local
Source Interface: External, means the rule only applies when the communication comes from the External. This rule works from outside the network only. If you want to "test" from inside you need to edit this rule to include Internal, or DMZ, or whatever interface you're testing from!
mdp716
10-05-2008, 07:18 AM
Thank you for your reply. However, you misunderstood my statement.
All traffic on the internal network (LAN Side) functions appropriately and does not, nor does it need to, nor should it, route through the UT box. The statement about things working inside the network is to basically confirm that the Exchange Server and all of its clients inside the network work as expected and as well, as they did before the UT box was installed - thus the previous statement relates to the process of eliminating the Exchange Server or other things on the LAN as possible culprits to the problem I was experiencing.
I am aware that I need to test port forwarding from the external side of the network - which is why I fired up my laptop and connected to the internet via my VerizonWireless Broadband capable cell phone. That puts my laptop on the internet somewhere and all communications to/from it from/to my network therefore would have to route through the external interface on my UT box as it stands in the way between my Cable 'Modem' and the rest of my systems that reside on my LAN.
Thus I am pretty certain that my testing methodology is sound as I have a pretty good conceptual grasp of what a firewall does and how one works from the higher non-hardware/software specific level.
Ultimately I think I am going to go in a different direction here. By using the VMware Workstation method to deploy the UT box I was trying to preserve other functionality on the host (running Windows 2003 Server) as I wanted to set up my small handful of USB external drives as NFS shared devices and I'm still learning Linux so I am not comfy with making that box a Linux machine and then installing the UT software on it - not when I intend to trust the UT software to shield me from the internet's worst stuff. The USB external drives currently reside on my workstation (Vista Ultimate) which doesn't support NFS Server natively and besides, I am trying to keep that box as lean and mean as possible and putting lots of Gigabytes of data through it to access the external drives doesn't seem like the way to do that.
But after some research last night I ordered a Linksys NSLU2 which I intend to hack and install Debian on it and mount the NFS shares from that. That way the several terabytes of data that will be sitting on those NFS shares will not be directly connected to my firewall (which really isn't the best idea in the first place from a security perspective I know) and that will free up the box running UT to be a dedicated device and I am betting that once I re-install the UT software in dedicated mode on it that my problem will go away or it will prove that the problem is the nut behind the wheel and that I mis-configured the open SMTP and HTTPd ports on the UT box.
I know I could have simply set up another box to handle the NFS shares but that seemed a waste of juice and a needless contribution to the heat/noise generators in my home office as I'd like to keep the number of boxes running 24/7 from expanding beyond 3 (Server with VMware ESXi hosting 7 VM server class OSes, workstation, UT box) and unfortunately ESXi does not support USB on the host but it does function as an NFS client which is what started me going in this direction in the first place - that and a desire to eliminate my current e-mail anti-spam/virus protection solution that is costing me $$$ for the annual subscription that is running on my Exchange 2000 system that I very much want to retire and replace with Windows 2008/Exchange 2007 in an effort to get current with the systems I am running here.
MDP