  1. #1
    Newbie
    Join Date
    May 2020
    Posts
    5

    NAT for incoming port forwards

    Hi,

    I have several internal networks, for example:
    10.10.200.0/24
    10.10.201.0/24
    10.10.202.0/24

    I have one external interface WAN1 which is a PPPoE connection which gets a static internet IP of say 1.2.3.4 from the ISP.

    I have unticked all the NAT options on the interfaces as I was having trouble controlling traffic between internal networks with the firewall, and I understand by unticking all of the NAT options on the interfaces it essentially makes it like a standard firewall.

    I have setup specific firewall rules that allow traffic between certain hosts on each of the internal networks.
    For example allow any TCP traffic from source 10.10.200.4 to destination 10.10.201.101 etc.
    I've got a blocking rule at the end which is deny source 10.10.0.0/16 to destination 10.10.0.0/16.

    To setup NAT for outgoing internet access I have created a NAT rule for each internal networks similar to the following:
    Source address 10.10.200.0/24 to destination interface WAN1 custom 1.2.3.4 (which is my static IP from the ISP).

    Everything works fine - access between the internal networks is allowed or blocked as per my firewall rules.
    Internet access from all of the internal networks works fine.

    What I am struggling with is a port forward.
    I want to forward port 8090 externally to a host on one of the internal networks.

    I have created a port forward where source address is 1.2.3.4 and source port is 8090. The new destination is 10.10.200.12 port 8090.

    When I had auto nat option ticked on all the interfaces the port forward worked OK.
    I have also unticked all of the firewall rules, which seems to pass traffic freely between all of the internal LANs and incoming port forward still doesn't work.

    I am guessing I need to setup NAT for the port forward somehow, but I can't work out what I would need to do.

    Anybody an expert on NAT can point me in the right direction? Assuming it's not something else!

    Kind regards

    Rob

  2. #2
    Newbie
    Join Date
    May 2020
    Posts
    5


    OK - I've just inadvertently answered my own question.

    It looks like everything in the setup I mentioned above is OK - I have turned off the threat protection and it has started working. So now I need to work out why it thinks it's a threat and how to make an exception for it!

    Rob

  3. #3
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020


    I hope you still have NAT checked for the external (WAN) interface?

  4. #4
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020


    I am going to throw some comments in-line as suggestions with the NGFW architecture; I don't have wide-ranging firewall experience, pls don't take it as 'splaining

    Quote Originally Posted by Rob Hammond
    Hi,

    I have several internal networks, for example:
    10.10.200.0/24
    10.10.201.0/24
    10.10.202.0/24

    I have one external interface WAN1 which is a PPPoE connection which gets a static internet IP of say 1.2.3.4 from the ISP.

    I have unticked all the NAT options on the interfaces as I was having trouble controlling traffic between internal networks with the firewall, and I understand by unticking all of the NAT options on the interfaces it essentially makes it like a standard firewall.
    Yes, except on WAN interface, leave it checked.

    I have setup specific firewall rules that allow traffic between certain hosts on each of the internal networks.
    For example allow any TCP traffic from source 10.10.200.4 to destination 10.10.201.101 etc.
    OK

    I've got a blocking rule at the end which is deny source 10.10.0.0/16 to destination 10.10.0.0/16.
    1. I wouldn't recommend mixing and matching CIDR ranges anywhere
    2. I wouldn't block by IP address unless I explicitly had to.

    Do the blocking by interface. The pass rules by IP will still be fine above.


    To setup NAT for outgoing internet access I have created a NAT rule for each internal networks similar to the following:
    Source address 10.10.200.0/24 to destination interface WAN1 custom 1.2.3.4 (which is my static IP from the ISP).
    Really, no need, not recommended, just check the NAT box on the WAN, let NGFW take care of it.

    Everything works fine - access between the internal networks is allowed or blocked as per my firewall rules.
    Internet access from all of the internal networks works fine.

    What I am struggling with is a port forward.
    I want to forward port 8090 externally to a host on one of the internal networks.

    I have created a port forward where source address is 1.2.3.4 and source port is 8090. The new destination is 10.10.200.12 port 8090.
    Here I can clear up some terminology, for a port forward from external.
    It isn't likely you will know much about the source.
    NGFW itself is the destination. We might use [Destined Local] instead of the external IP address.
    There are examples here:
    https://wiki.untangle.com/index.php/Port_Forward_Rules

    When I had auto nat option ticked on all the interfaces the port forward worked OK.
    I have also unticked all of the firewall rules, which seems to pass traffic freely between all of the internal LANs and incoming port forward still doesn't work.

    I am guessing I need to setup NAT for the port forward somehow, but I can't work out what I would need to do.
    Nope, unless you need 1:1 NAT, and you won't with a single external IP Addr.

    Anybody an expert on NAT can point me in the right direction? Assuming it's not something else!

    Kind regards

    Rob
    I hope this helps
    Last edited by Jim.Alles; 05-17-2020 at 12:18 PM.
    If you think I got Grumpy

  5. #5
    Newbie
    Join Date
    May 2020
    Posts
    5


    Hi Jim,

    That's really useful thank you.

    I do currently have the NAT box on the WAN interface unticked. I guess I can remove my individual NAT Rules for each LAN now and just tick the box on my WAN interface then?

    Point taken about mixing CIDR ranges, I can easily replace blocking 10.10.0.0/16 to 10.10.0.0/16 with some separate rules.
    For example....

    Block 10.10.200.0/24 to 10.10.201.0/24
    Block 10.10.200.0/24 to 10.10.202.0/24
    Block 10.10.200.0/24 to 10.10.203.0/24
    Block 10.10.200.0/24 to 10.10.204.0/24

    Block 10.10.201.0/24 to 10.10.200.0/24
    Block 10.10.201.0/24 to 10.10.202.0/24
    etc........

    Yeah - sorry - I got the port forward terminology wrong. I am matching where destination address is my static IP on the WAN interface, destination port is 8090. I then forward it to an address on the LAN - that seems to be working now, I think it was the threat filter screwing things up.

    It's working at the moment so I think I will leave it be. I've moved on to setting up AD integration now - I am hoping I can see who is logged into each PC and get relevant usernames recorded in the web logging. I will make those changes tomorrow though to tidy things up a bit.

    Thanks again for your help Jim, really appreciated.

    Rob

  6. #6
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020


    Quote Originally Posted by Rob Hammond
    I do currently have the NAT box on the WAN interface unticked. I guess I can remove my individual NAT Rules for each LAN now and just tick the box on my WAN interface then?

    Rob
    Yes

    And you can separate multiple subnets with a comma (logically, this ORs them)
    [attached image: blocks.png]

  7. #7
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020


    The problem with blocking the subnets is that if you have a rogue device on one of the networks with 192.168.2.1, it can transmit to those other networks. Granted, there won't be a return route back.

    And to block EVERYTHING between interfaces, including ping, you need to do at least some of the blocking on the [Filter Rule] level.

    Interfaces have checkboxes, I am lazy.
    Last edited by Jim.Alles; 05-17-2020 at 05:16 PM.
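The rogue-device point in the post above, as an added example that is not from the thread or from Untangle's rule engine: a toy first-match rule evaluator that runs the same four packets through Rob's subnet-keyed block rule and through Jim's interface-keyed blocks. The interface names (lan200, lan201, lan202, wan1), the rogue host 192.168.2.1 and the test packets are constructed; the 10.10.x.x addresses and the host-to-host pass rule are the ones the thread uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not Untangle code): a first-match rule evaluator that
# contrasts blocking by subnet with blocking by interface. Interface names
# and the rogue host address are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_iface: str   # interface the packet arrived on
    dst_iface: str   # interface the packet would leave on


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src_net: Optional[str] = None    # CIDR; None matches any address
    dst_net: Optional[str] = None
    src_iface: Optional[str] = None  # interface name; None matches any
    dst_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_iface and self.src_iface != pkt.src_iface:
            return False
        if self.dst_iface and self.dst_iface != pkt.dst_iface:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index) or (default, None)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return default, None


INTERNAL_IFACES = ("lan200", "lan201", "lan202")

# The host-to-host pass rule from the thread, placed above the blocks.
PASS_RULES = [Rule("pass", src_net="10.10.200.4/32", dst_net="10.10.201.101/32")]

# Rob's approach: one block rule keyed on the 10.10.0.0/16 address range.
SUBNET_BLOCK = PASS_RULES + [Rule("block", src_net="10.10.0.0/16", dst_net="10.10.0.0/16")]

# Jim's approach: block every internal-to-other-internal interface pair,
# regardless of what source address the packet claims.
IFACE_BLOCK = PASS_RULES + [
    Rule("block", src_iface=s, dst_iface=d)
    for s in INTERNAL_IFACES for d in INTERNAL_IFACES if s != d
]

# Constructed test traffic.
ALLOWED = Packet("10.10.200.4", "10.10.201.101", "lan200", "lan201")
DENIED = Packet("10.10.200.5", "10.10.201.101", "lan200", "lan201")
ROGUE = Packet("192.168.2.1", "10.10.201.101", "lan200", "lan201")   # foreign subnet, real LAN port
INTERNET = Packet("10.10.200.5", "203.0.113.10", "lan200", "wan1")


def compare(pkt: Packet) -> dict:
    """Action each rule set takes for one packet."""
    return {
        "by_subnet": evaluate(SUBNET_BLOCK, pkt)[0],
        "by_interface": evaluate(IFACE_BLOCK, pkt)[0],
    }


if __name__ == "__main__":
    for name, pkt in [("allowed", ALLOWED), ("denied", DENIED), ("rogue", ROGUE), ("internet", INTERNET)]:
        print(f"{name:9s} {pkt.src_ip:>13s} -> {pkt.dst_ip:<14s} {compare(pkt)}")
```

The subnet-keyed rule set lets the rogue packet through because 192.168.2.1 is simply not inside 10.10.0.0/16, while the interface-keyed set blocks it because the decision is made on which port the frame came in on. As the post notes, the rogue host still gets no return route, and blocking everything including ping needs the filter-rule layer rather than these rules alone.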
