  1. #1
    Untanglit
    Join Date
    Oct 2008
    Location
    India
    Posts
    15

    Port forward without NAT on UT

    Hi All,

    I have a UT box in the following setup:

    Internet
    |
    Router
    |
    Firewall (performs 1:1 NAT and PAT)
    |
    Untangle (in router mode)
    |
    Internal network (all private IPs)

    I have a host of machines in my internal network, some of which are 1:1 NATed (one Public IP <--> one private IP) and some are "Hiding NATed or PAT Port Address Translation" (multiple private IPs go out to the Internet with one Public IP, which is the firewall's external interface IP). This NATing is done by the firewall and not by UT.

    I have removed the 0.0.0.0/0 auto NAT policy from the UT Internal interface config.

    I would like to know what are the port forward rules which I have to specify for:
    1. Two different internal mail servers (with pvt IPs but which are 1:1 NATed at the firewall with individual public IPs)?
    2. Systems on various internal networks with private IPs which access the Internet through PAT?

    Thanks in advance.

  2. #2
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    3,975

    Reinstall in bridge mode in this layout.
    The world is divided into 10 kinds of people, who know binary and those not

  3. #3
    Untanglit
    Join Date
    Oct 2008
    Location
    India
    Posts
    15

    Thanks for your quick reply Dwasserman.

    Initially my UT was in bridge mode itself, but I had to change it to router mode as I had to set up a site to site VPN using the OpenVPN module of UT (my side as server) with our remote office (there too UT in router mode with OpenVPN module and as client VPN site). I struggled a lot to configure site to site OpenVPN with UT in bridge mode. Posts on this forum strongly advised against bridge mode for VPN with one mentioning that it was a great PITA :-)

    Any pointers to get my setup working with above reqmts would be greatly appreciated.

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,691

    I don't really understand your layout, but if Untangle isn't doing NAT you shouldn't need any port forwards (on untangle anyway)

    You will need them on the NAT device though...
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    3,975

    Originally Posted by dmorris:
        I don't really understand your layout, but if Untangle isn't doing NAT you shouldn't need any port forwards (on untangle anyway)

        You will need them on the NAT device though...

    This is called bridge mode: same network scope on both sides.

  6. #6
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    3,975

    Originally Posted by sherkhan:
        Thanks for your quick reply Dwasserman.

        Initially my UT was in bridge mode itself, but I had to change it to router mode as I had to set up a site to site VPN using the OpenVPN module of UT (my side as server) with our remote office (there too UT in router mode with OpenVPN module and as client VPN site). I struggled a lot to configure site to site OpenVPN with UT in bridge mode. Posts on this forum strongly advised against bridge mode for VPN with one mentioning that it was a great PITA :-)

        Any pointers to get my setup working with above reqmts would be greatly appreciated.

    I think the advice suggesting "router mode" is about putting the Untangle at the edge, replacing the router/firewall.

  7. #7
    Untanglit
    Join Date
    Oct 2008
    Location
    India
    Posts
    15

    Originally Posted by dmorris:
        I don't really understand your layout, but if Untangle isn't doing NAT you shouldn't need any port forwards (on untangle anyway)

        You will need them on the NAT device though...

    The router is Cisco which I use for implementing some access controls like filtering SYN floods, traffic policing, policy based routing etc.

    The firewall is Check Point which does NAT/PAT as I mentioned in my earlier post, which I intend to throw away shortly (due to their abysmal support) and replace with pfSense.

    And I have put the UT in router mode to get the OpenVPN module working with a remote UT box (which worked like a charm the first time) unlike the bridge mode which was a nightmare (for VPN connectivity). The post I was referring to is here: Point 4 of gotkimchi's post:
    http://forums.untangle.com/openvpn/8...tructions.html and
    http://forums.untangle.com/openvpn/1...iest-case.html

    Dmorris, thanks for your input. I had mistakenly believed that the UT should port forward whether it does/doesn't do NAT. I removed all the port forward rules in the NAT policy table and my setup is just fine. Thanks to all of you.
