  1. #1
    Newbie
    Join Date
    Dec 2009
    Posts
    5

    Port Forwarding Not Working

    I have a fresh install of Untangle 7.0.1 set up as a router. I can route traffic from inside to outside but I cannot get port forwarding to work. It doesn't matter if I set up the firewall to default Pass or default Block and make an explicit rule to match the forward rule.

    From Config -> Networking -> Interfaces -> Ping Test I can ping the server I want to forward traffic to.

    Under Networking -> Port Forwards, the only rule I have configured is to pass FTP traffic to an internal server. The rule is configured as follows:

    Destination Port: 21
    Destined Local
    Source Interface: External
    Protocol: TCP

    New Destination: 192.168.1.6
    New Port: 21

    I then go to an outside server and try to FTP to my Untangle server's external address, which we'll pretend is 70.20.100.120. I get nothing. Watching the default rack I can see the traffic come into the firewall and it says Pass but I don't see any connection.

    If I make the following rule in the firewall

    Action: Block
    Log: Yes

    Traffic TCP & UDP

    Source Interface: External
    Destination Interface: Internal

    Source Address: Any
    Destination Address: Any

    Source Port: Any
    Destination Port: Any

    Then, when I try to reconnect from the outside server, I see 3 blocked attempts to connect to 70.20.100.120 port 21 from my outside server. If I then change the same rule to allow, I do not see any traffic in the log.

    Clearly the traffic is getting to my Untangle External interface as I can see it when I explicitly block it, but it is not being forwarded to the internal FTP server.... any thoughts or suggestions?

  2. #2
    Master Untangler richie's Avatar
    Join Date
    Apr 2007
    Posts
    396

    What kind of FTP server are you using? I think your FTP server responds with its non-routable address (private LAN IP). You may need to set it to respond to your router's public IP.

  3. #3
    Newbie
    Join Date
    Dec 2009
    Posts
    5

    richie,

    Thanks for the quick reply.

    I am using vsftp.

    It doesn't get far enough to even make a handshake with the server, the connections just time out.

    I am having the same issue no matter what service/port I try to forward. HTTP, HTTPS, FTP, RDP, SSH, Telnet, etc...

    If I make an explicit rule to block + log I can see the traffic being blocked. If I change the rule to allow + log I can see the traffic in the Default Rack as Pass but nothing shows up in the log and the connection still times out.

  4. #4
    Master Untangler richie's Avatar
    Join Date
    Apr 2007
    Posts
    396

    I would do a packet capture to see what is going on. If you are running 7.1, under the Networking > Troubleshooting tab, do a packet test with the following setting -
    any | 21 | external | 30 seconds

    While doing this, try to connect to the FTP server from another network (coming from the internet cloud) and post your captures from the Untangle web UI.

  5. #5
    Newbie
    Join Date
    Dec 2009
    Posts
    5

    I will download 7.1 Beta now and upgrade.... I will let you know if anything changes.

  6. #6
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,040

    If none of your port forward rules work, then something else is wrong.

    Start with a simpler case, like http or port 25.

    Install the untangle box, configure for your network.

    Create a port forward setting only the destination port and destination IP, leave everything else alone.

    Does that work? If not, then something else is wrong (is your destination server using untangle as the default gw?).

    There is a very good FAQ on the wiki for troubleshooting NAT. I would keep it simple, don't make a bunch of changes at once, and try a simple protocol like http before I messed with ftp.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.

  7. #7
    Newbie
    Join Date
    Dec 2009
    Posts
    5

    Upgraded to 7.1, completely default configuration. I can use the Untangle server as the default gateway for machines on the Trust side; all features work great. Configure Port Forwarding for HTTP to 192.168.1.151 and I get the same results.

    Port forward is configured with default simple config as follows:
    Enable: Yes
    Description: HTTP Forward to 192.168.1.151

    Protocol: TCP
    Port: HTTP (80)

    Local IP: 192.168.1.151

    Here is the output from two packet tests

    Tue Dec 15 2009 17:13:47 GMT-0700 (Mountain Standard Time)
    tcpdump: WARNING: eth2: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
    17:13:14.916547 IP 10.20.30.40.57561 > 70.20.100.120.80: tcp 0
    17:13:16.629564 IP 10.20.30.40.57527 > 70.20.100.120.80: tcp 0
    17:13:17.836570 IP 10.20.30.40.57561 > 70.20.100.120.80: tcp 0
    17:13:18.138948 IP 10.20.30.40.57680 > 70.20.100.120.80: tcp 0

    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel
    Tue Dec 15 17:13:18 MST 2009 - Test Complete!



    Tue Dec 15 2009 17:18:34 GMT-0700 (Mountain Standard Time)
    tcpdump: WARNING: eth2: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
    17:18:03.199075 IP 10.20.30.40.60619 > 70.20.100.120.80: tcp 0
    17:18:03.596779 IP 10.20.30.40.60539 > 70.20.100.120.80: tcp 0
    17:18:06.211979 IP 10.20.30.40.60619 > 70.20.100.120.80: tcp 0
    17:18:12.247071 IP 10.20.30.40.60619 > 70.20.100.120.80: tcp 0
    17:18:24.217293 IP 10.20.30.40.60888 > 70.20.100.120.80: tcp 0
    17:18:27.234155 IP 10.20.30.40.60888 > 70.20.100.120.80: tcp 0

    6 packets captured
    6 packets received by filter
    0 packets dropped by kernel
    Tue Dec 15 17:18:31 MST 2009 - Test Complete!

    On the 10.20.30.40 machine I get connection timed out.

  8. #8
    Newbie
    Join Date
    Dec 2009
    Posts
    5

    Thanks to everyone that replied. I just figured it out...... I'm retarded. I was trying to port forward to machines that were not using the Untangle server as their default gateway. We all know what happened from there.

    Thank you again to everyone who has replied, it gives me much confidence in the Untangle community seeing how quickly people replied and how willing they were to help; even though the problem was clearly a user error.
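
Added example, not part of the original thread: a Python script that reads tcpdump lines in the quiet format posted in #7 and reports flows seen in one direction only, which is the pattern that fits the cause found in #8 (the forwarded host sends its replies out through a different gateway). The function names are hypothetical and the sample lines are copied from the first capture in #7; the quiet format shows no TCP flags, so repeated zero-length packets on the same source port are assumed to be connection retries.

```python
import re
from collections import defaultdict

# Sample lines copied from the first packet test in post #7 (tcpdump quiet format).
CAPTURE = """\
17:13:14.916547 IP 10.20.30.40.57561 > 70.20.100.120.80: tcp 0
17:13:16.629564 IP 10.20.30.40.57527 > 70.20.100.120.80: tcp 0
17:13:17.836570 IP 10.20.30.40.57561 > 70.20.100.120.80: tcp 0
17:13:18.138948 IP 10.20.30.40.57680 > 70.20.100.120.80: tcp 0
"""

LINE = re.compile(
    r"^\s*(\d+):(\d+):(\d+\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): tcp (\d+)"
)

def parse(capture):
    """Yield (seconds_since_midnight, src, dst) per TCP line; skip tcpdump banners."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, sip, sport, dip, dport, _ = m.groups()
            ts = int(h) * 3600 + int(mi) * 60 + float(s)
            yield ts, (sip, int(sport)), (dip, int(dport))

def one_way_flows(capture):
    """Return {(src, dst): [timestamps]} for flows with no packet in the reverse direction."""
    flows = defaultdict(list)
    for ts, src, dst in parse(capture):
        flows[(src, dst)].append(ts)
    return {k: v for k, v in flows.items() if (k[1], k[0]) not in flows}

def summarize(capture):
    """Describe each unanswered flow and the gaps between its repeated packets."""
    out = []
    for (src, dst), stamps in sorted(one_way_flows(capture).items()):
        gaps = [round(b - a, 1) for a, b in zip(stamps, stamps[1:])]
        out.append((f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]}", len(stamps), gaps))
    return out

if __name__ == "__main__":
    for flow, count, gaps in summarize(CAPTURE):
        print(f"{flow}: {count} packet(s), no reply seen, retry gaps {gaps}")
```

Every flow in the posted capture comes back unanswered. Running the same packet test on the internal interface would show whether the forwarded packets reach the server and which way its replies go.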
