  1. #1
    Untangler
    Join Date
    Sep 2018
    Posts
    51

    Outbound NAT / Inbound PAT not working

    Hi All,

    I've got a /29 public IP range. Untangle (latest version) is my primary firewall/gateway -- let's pretend 1.1.1.170 and 10.1.1.1 internal. I've got a Ubiquiti EdgeRouter in tandem/parallel (1.1.1.171/10.1.1.2) for backup and testing.

    My Untangle's ext interface is configured as 1.1.1.170/29 and that is the default for outbound traffic. I want to set up 1.1.1.172 for a Hyper-V testing server (say 10.1.1.20) so I set up Config/Network/NAT Rules:

    Source is 10.1.1.20
    NAT Type Custom
    New Source 1.1.1.172

    When I do this, the .20 server loses internet. If I create a port forward rule and try inbound, that doesn't work, either. I've recreated the rule, rebooted the server, the Untangle and cable modem. I switched the EdgeRouter's ext to 1.1.1.172 (and the test server's GW to 10.1.1.2) and had no problem, so that means I've missed something in the Untangle config, but I can't figure out what.
    Last edited by ntguru; 10-15-2019 at 05:43 PM.

  2. #2
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,712


    What is the gateway of Hyper-V testing server (say 10.1.1.20) ?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514


    Step 1, put WAN IP address on external interface.
    Step 2, Define port forward for ingress traffic.
    Step 3, *optional* Define NAT rule for egress traffic.

    *Warning* Step 3 has dragons, if you create the rule as you've listed, all traffic transiting Untangle sourced from the selected IP address will be forced to be translated to the specified destination IP address. This includes traffic that might be destined to other internal address ranges, and may very well be terminating DNS resolution, simulating a loss of connectivity.

    To avoid the nightmare specified above, add an additional flag to your rule, destination interface, and select the interface that owns the IP address you're translating to. That way only traffic sourced from the device in question, and destined to the WAN interface required, will be selected for translation.

    *Note* if the above fixes your issues, back away from the screen and repeat these words: "I hate it when computers do exactly what I tell them to", repeat as often as required for the lesson to stick.

    *Addendum* If the above note upsets you, please repeat the following words: "We've all done it at least once", repeat as often as required for the lesson to stick.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Sep 2018
    Posts
    51


    Quote Originally Posted by jcoffin View Post
    What is the gateway of Hyper-V testing server (say 10.1.1.20) ?
    Do you mean the GW of the test hyper-V server (ie, the guest)? If so, GW was 10.1.1.1 when using Untangle. When I tested with the EdgeRouter I switched temporarily to 10.1.1.2. To clarify, the testing with the EdgeRouter was to eliminate issues with the test server general set up, or with the ISP/cable modem.

  5. #5
    Untangler
    Join Date
    Sep 2018
    Posts
    51


    FWIW, I was following the Wiki for 1-1 NAT here:

    https://wiki.untangle.com/index.php/1:1_NAT

    See my original post: on the untangle ext int, I've configured 1.1.1.170/29. Is there something else I need to do beyond that for your step 1?

    Are you saying step 2 (ie, an inbound port forward) is required for the test server to use the 1.1.1.172 on outbound NAT? Right now, I'm just trying to get the server to appear to the world on that .172 IP.

    DNS resolution is working. I can't browse to google.com but I also cannot ping 4.2.2.2. DNS is not the issue.

    Quote Originally Posted by sky-knight View Post
    Step 1, put WAN IP address on external interface.
    Step 2, Define port forward for ingress traffic.
    Step 3, *optional* Define NAT rule for egress traffic.

    *Warning* Step 3 has dragons, if you create the rule as you've listed, all traffic transiting Untangle sourced from the selected IP address will be forced to be translated to the specified destination IP address. This includes traffic that might be destined to other internal address ranges, and may very well be terminating DNS resolution, simulating a loss of connectivity.

    To avoid the nightmare specified above, add an additional flag to your rule, destination interface, and select the interface that owns the IP address you're translating to. That way only traffic sourced from the device in question, and destined to the WAN interface required, will be selected for translation.

    *Note* if the above fixes your issues, back away from the screen and repeat these words: "I hate it when computers do exactly what I tell them to", repeat as often as required for the lesson to stick.

    *Addendum* If the above note upsets you, please repeat the following words: "We've all done it at least once", repeat as often as required for the lesson to stick.

  6. #6
    Untangler
    Join Date
    Sep 2018
    Posts
    51


    sky-knight's suggestion of adding an additional condition of destination interface Ext appears to have resolved the outbound issue. That also made the inbound port forward work as expected. I'm not sure who owns the Untangle Wiki on 1:1 NAT, but it should be updated. Thanks!

  7. #7
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,712


    Is 1.1.1.172 an alias on the external interface of the Untangle?

  8. #8
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514


    Glad you found it, to be clear I was paraphrasing the wiki.

    Step 1 is getting an IP address on Untangle to NAT to. That's actually a common sticking point, because people don't realize that Linux aliases are individual IP/Mask pairs; they aren't a CIDR-style range. Which means if you have a large range to toss on Untangle that you want to do this with, you get to stuff them all in... one line at a time...

    Beyond that, the NAT rules do exactly what you tell them to. The rule in question on the wiki is valid; however, it only works within the context of Untangle having only two interfaces. As soon as you toss in a 3rd, everything comes unraveled. Which is why I learned ages ago to be as specific as possible with your rules, because over-matching rules are a bugger to sort out.

    For the rest, I suspect you might have some vswitching issues too... Virtualizing a router isn't a trivial task, even if that's what most of us want to do. It's difficult to say from the other side of a forum thread though. At least it's working for now, and you can work from there.
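The over-matching that sky-knight describes in #3 and #8, as an added Python model that is not Untangle's code: a NAT rule matching only on source address rewrites traffic headed for internal segments too, while adding the destination-interface condition scopes it to WAN-bound traffic, and a rule check catches the missing or malformed alias the OP found in #9. The routing table, the interface names, the 10.1.2.0/24 VLAN segment and the function names are assumptions for the example.

```python
# Added example (not Untangle's code): a small model of egress NAT rule matching.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology mirroring the thread: /29 WAN, LAN, plus a tagged VLAN interface.
# Longest prefix wins; 0.0.0.0/0 is the default route.
ROUTES = [
    (ipaddress.ip_network("1.1.1.168/29"), "External"),
    (ipaddress.ip_network("10.1.1.0/24"), "Internal"),
    (ipaddress.ip_network("10.1.2.0/24"), "VLAN10"),
    (ipaddress.ip_network("0.0.0.0/0"), "External"),
]
# Aliases per interface (the Step 1 prerequisite); each alias is an individual IP, not a range.
ALIASES = {"External": {"1.1.1.170", "1.1.1.172"}, "Internal": {"10.1.1.1"}, "VLAN10": {"10.1.2.1"}}

@dataclass
class NatRule:
    source: str                          # source address condition
    new_source: str                      # custom NAT address
    dst_interface: Optional[str] = None  # the extra condition recommended in #3

def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES to find the interface a packet leaves on."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net, _ in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]

def validate_rule(rule: NatRule) -> Optional[str]:
    """Return why the rule cannot work, or None. Covers the alias problem from #9."""
    owner = next((i for i, a in ALIASES.items() if rule.new_source.strip() in a), None)
    if owner is None:
        return f"{rule.new_source!r} is not an alias on any interface"
    if rule.new_source != rule.new_source.strip():
        return f"{rule.new_source!r} has stray whitespace and will never match the alias"
    if rule.dst_interface and owner != rule.dst_interface:
        return f"{rule.new_source} lives on {owner}, not {rule.dst_interface}"
    return None

def apply_nat(rule: NatRule, src: str, dst: str) -> str:
    """Return the post-NAT source address for a packet src -> dst."""
    intf = egress_interface(dst)
    if src == rule.source and (rule.dst_interface is None or rule.dst_interface == intf):
        return rule.new_source
    return src

if __name__ == "__main__":
    loose = NatRule("10.1.1.20", "1.1.1.172")               # the wiki-style rule
    strict = NatRule("10.1.1.20", "1.1.1.172", "External")  # with destination interface
    # Loose rule rewrites a packet to an internal DNS server on the VLAN, so the reply
    # is addressed to a WAN IP and never returns; the strict rule leaves it alone.
    print(apply_nat(loose, "10.1.1.20", "10.1.2.53"), apply_nat(strict, "10.1.1.20", "10.1.2.53"))
```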

  9. #9
    Untangler
    Join Date
    Sep 2018
    Posts
    51


    Thanks to both of you. Updating this with more info for others who may search it later.

    I had added the IP alias of 1.1.1.172 to the ext interface before, but I think something wasn't right (maybe a leading space from copy and paste?) because re-adding that appears to have been the true fix. That was the only thing I didn't recreate before posting here. I do have more than two interfaces (one being virtual/VLAN tagged) so the more specific NAT rule may have been in play, too.

    My Untangle runs on a U25 appliance so Untangle is not virtualized. The virtualization involved was a Hyper-V host behind the Untangle with multiple guest VMs, one of which I was trying to get going with the additional public IP.
