  1. #1
    Master Untangler
    Join Date
    Jan 2011
    Posts
    103

    Port forwarding internal/external traffic differences

    Hi,

    So, I have an internal DNS server set up to respond to DNS-over-TLS requests on port 853 on 192.168.1.10.

    I have a port forward rule of Destined Local -> True, Protocol -> TCP, Destination Port -> 853, then Forward to 192.168.1.10.

    I then set the private DNS setting on my Android phone to myname.duckdns.org (which resolves to Untangle's WAN port).

    The phone then sends DNS-over-TLS requests to myname.duckdns.org:853

    When my phone is on the internal network these requests are received by my internal DNS server with the source IP listed as the Untangle gateway 192.168.1.1, and I can see from looking at the port forward report that all these forwarded entries have been Bypassed (Bypass -> True).

    When I take my phone off the internal WiFi and onto GSM, the DoT requests that are forwarded to my internal server are listed with the actual GSM network IP of my phone (and not the Untangle gateway). When I look at these requests, they look exactly the same as the internal ones to me, apart from the fact that they have not been bypassed (Bypassed -> False).

    My issue? Well, I would like to see the private source IP of my phone listed on my internal DNS server when I'm in the house, and not Untangle's gateway IP. This may not be possible, but can anyone help me understand the difference between these two instances of port forwarding (by the same rule) and why the internal port forwards are bypassed (so they don't get processed twice?), and then what would cause the source IP to be listed as the gateway, and not the original private source IP.

    Thanks.

  2. #2
    Master Untangler
    Join Date
    Jan 2011
    Posts
    103


    OK, half answering my own question here... I can see that the field 'New Client' is changed to Untangle's gateway IP on the port forwards from the internal network, but why? (My actual gateway IP is 192.168.10.1 and the DNS server (plex) is 192.168.10.35.)

    [Attachment: Screenshot from 2021-01-30 16-41-28.png]

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,487


    OK, so port forward rules vs. NAT policies.

    So, when a client hairpins, that is, connects from a LAN network to the very same LAN network, this behavior is how IPTables makes that work. The client won't know what to do with packets in response going directly to it when the connection it made was to a WAN address. It's not expecting a response from a random LAN IP, so the response has to come from the router to maintain the session. Therefore, the session must be translated to an Untangle address.

    Also, all traffic entering and exiting the same Untangle interface is bypassed.

    Now, if you move the DNS server onto its own IP network, when a client on the 192.168.10.0/24 network goes to access a server on say 192.168.20.0/24, the forwarding redirects it to the new address, but because the response has to be via the gateway address anyway... Linux will send the source IP as you want. That is, unless NAT policy says differently.

    You can change ALL of this behavior via NAT policy, but you can only map traffic to an IP on Untangle.

    But anyway, what you're seeing isn't really Untangle, it's IPTables ensuring that the TCP session remains intact and the ingress and egress packet flow follows the same path.

    So you can have what you want, you just need to move the DNS server into its own VLAN.

    P.S. You have odd timing, because I just noticed and investigated this very behavior myself Thursday... I was seeing an internal address in a server log that I assumed was being NAT translated. And thanks to the way IPTables works, it was both being translated yet not at the same time. Either way, I can confirm that if a client uses a Port Forward rule to transit LANs on Untangle, and the two termination points are on different IP networks, by default the server will see the source LAN IP of the client. If NAT Policy is set to auto, the server will see its nearside Untangle LAN IP address. If a custom NAT policy is set, the server will see whatever is specified.
    Last edited by sky-knight; 01-30-2021 at 10:04 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
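An added example, not from the thread and not Untangle's own code: a small model of the translation decisions described in the reply above, so the source IP the DNS server will log can be predicted for each case in the thread (phone on the same LAN, phone on GSM, server moved to its own VLAN, NAT policy auto). The WAN address 203.0.113.10, the 192.168.20.0/24 VLAN, the client addresses and the assumption that the router holds the .1 address in each LAN are constructed for the example; 192.168.10.1 and 192.168.10.35 come from post #2.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Addresses stated in the thread: gateway 192.168.10.1, DNS server 192.168.10.35.
LAN = ip_network("192.168.10.0/24")
# Constructed for the example: the router's public WAN address and a second VLAN
# for the "move the DNS server into its own VLAN" case.
WAN_IP = ip_address("203.0.113.10")
DNS_VLAN = ip_network("192.168.20.0/24")
DOT_PORT = 853
# Assumption: the router holds the .1 address in every LAN it serves.
NEARSIDE_GATEWAY = {LAN: ip_address("192.168.10.1"), DNS_VLAN: ip_address("192.168.20.1")}

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int

def forward_dot(pkt: Packet, server: IPv4Address, nat_policy: str = "default"):
    """Apply the DoT port forward and return (translated packet, bypassed).

    DNAT: anything reaching the WAN address on tcp/853 is sent to `server`.
    SNAT: the source is rewritten to the router's nearside LAN address when the
    client sits on the server's own network (hairpin: the reply must leave via
    the router or the client's TCP session breaks) or when NAT policy is "auto".
    A hairpin session enters and leaves on the same interface, so it is bypassed.
    """
    if pkt.dst != WAN_IP or pkt.dport != DOT_PORT:
        return pkt, False                      # forward rule does not match
    server_net = next(n for n in NEARSIDE_GATEWAY if server in n)
    hairpin = pkt.src in server_net
    out = replace(pkt, dst=server)             # DNAT to the internal server
    if hairpin or nat_policy == "auto":
        out = replace(out, src=NEARSIDE_GATEWAY[server_net])  # masquerade as router
    return out, hairpin

def logged_source(client: str, server: str, nat_policy: str = "default") -> str:
    """Source IP the DNS server's log will show for one DoT connection."""
    pkt = Packet(ip_address(client), WAN_IP, DOT_PORT)
    out, _ = forward_dot(pkt, ip_address(server), nat_policy)
    return str(out.src)

if __name__ == "__main__":
    # 192.168.10.50 and 198.51.100.77 are constructed client addresses.
    print(logged_source("192.168.10.50", "192.168.10.35"))   # 192.168.10.1 (hairpin)
    print(logged_source("198.51.100.77", "192.168.10.35"))   # 198.51.100.77 (from GSM)
    print(logged_source("192.168.10.50", "192.168.20.35"))   # 192.168.10.50 (own VLAN)
    print(logged_source("192.168.10.50", "192.168.20.35", "auto"))  # 192.168.20.1
```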

  4. #4
    Master Untangler
    Join Date
    Jan 2011
    Posts
    103


    Hi Rob,

    Excellent explanation, thanks...

    Great suggestion as well; it should be no problem to move my server (Raspberry Pi) to its own VLAN. I've got a couple of spare ports on the new router I built this week, so I could also use one of them.

    Best.
    Phil.
