Netgate Discussion Forum

    NAT reflection and port forwards broken in RC1

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    47 Posts 10 Posters 16.2k Views
• wallabybob

      I may not be interpreting your config.xml correctly but it looks to me that you have configured your port forwarding rules incorrectly. For example, the rule for SMTP port forwarding apparently says source port=25 and destination port=25. It is very unlikely that an access attempt to your SMTP server will come from port 25. Sure, it will be headed for destination port 25. I think you should have a source port of Any (* in the web GUI). I didn't look at your other port forwarding rules.

• Supermule

        Works fine in 1.2.3. And has been all the time.

        [attachment: rules.jpg]

• jlepthien

          External port must be any. Never does a server connect from its port 25 to 25…

          | apple fanboy | music lover | network and security specialist | in love with cisco systems |

• Supermule

            Not even if you relay to somewhere else?

            @jlepthien:

            External port must be any. Never does a server connect from its port 25 to 25…

• jlepthien

              A connection always comes from a port >1023 to the destination service port like 80 or 25…


• Supermule

                My ISP provides relay on the test setup on port 25… works like a charm.

• wallabybob

                  It looks to me that your port forwarding rule for SMTP will match only packets arriving on the WAN interface if the source port is 25 and destination port is 25.

                  I think you should look closely at your firewall logs to see how many access attempts to your SMTP server come from port 25.

                  My SMTP port forwarding rule specifies source port=any destination port=25. My rule works. Your rule is more restrictive than mine and doesn't work.

                  Repeat above (with appropriate port number changes) for every port forward in which you have specified source port = destination port.

• Supermule

                    I have no issues at all with mail… :) I do understand what you mean, but it works fine.

• Guest

                      Wow, that is surprising that 1.2.3 works with those port forwards. I noticed your RDP ports, and wanted to let you know you can change Windows' default RDP port through the registry. Though you're achieving the same effect by using NAT, which is pretty cool :-)

                      So your ISP is doing NAT for you. Does that mean that when it sees a packet with a destination port 25 (or whatever), it relays/forwards it to you from port 25 making the source 25? That's a bit interesting.

• Supermule

                        I am only forwarding the ports… rules are source port range: any. :)

                        Sorry for my mistake...

                        [attachment: rules.jpg]

• jlepthien

                          Well, but if you wanna use NAT reflection from a client, that client will most certainly establish the connection from a high port to port 25, so you need to have any on your source port… just try that...


• Guest

                            The WAN rule only lets the packet in; once the packet is in it still has the original source port. So with your port forwards set to have the source port the same as the destination port, normally that wouldn't work. Like others have said, when a server/service sends packets out, it is not always, or never, leaving from the same port as your server/service is listening on. I will post later and show firewall logs as an example.

                            Could you explain a little further by what you mean when you say your ISP is relaying?

                            Also you said your 1.2.3 has the same settings as your RC1, are they both virtual machines or is your 1.2.3 a physical machine?

• Supermule

                              Both virtual…

                              My mailserver in the test setup is relayed by my ISP. I have to use their mailserver for relay... Everything is broadcasted on port 25.

                              I don't have any issues running 1.2.3 at all. It works fine and has always done exactly that.

• stephenw10 (Netgate Administrator)

                                Seems to be a lot of confusion between firewall rules and Port Forward rules here.

                                External port must be any. Never does a server connect from its port 25 to 25…

                                That's clearly wrong. If that were true then you'd be port forwarding packets arriving on WAN on ANY port to your internal SMTP server. ::)

                                The above quote is true for firewall rules, though, but the posted table is port forwarding.

                                Steve

                                Edit: It's correct that the source port won't be 25 but that's not relevant to port forwarding.

• Guest

                                  Looking at your config, your NAT port forwards say Destination: WANIP, but your WAN rules show Destination: 192.168.1.50 (ISA).

                                  Maybe change your port forward Destination: Any… or to ISA instead of WAN.

                                  So your rules will allow anything with the destination ISA, but your port forward only forwards when they have the destination of WANIP; your rules aren't allowing such packets in.

                                  I don't remember 1.2.3 giving you the option of specifying the Destination IP like 2.0 does for port forwards.

• stephenw10 (Netgate Administrator)

                                    Surely packets arriving on WAN are going to have destination WANIP otherwise they wouldn't arrive!?

                                    Does 'destination' in config.xml not correspond to 'IF' in the GUI table?
                                    Edit: Scrub that. Clearly not! :-[

                                    Packets hit the port forwarder before the firewall.

                                    Steve

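The ordering Steve describes (port forward first, then firewall rules) and the destination mismatch Guest pointed out two posts up can be shown with a small model of pf's evaluation. The following is an added example written for this thread, not pfSense or pf code: it parses a hand-rolled subset of the old pf `rdr` / `pass in` syntax that pfSense 2.0 generated, uses constructed addresses (WAN 203.0.113.10, internal host 192.168.1.50 standing in for ISA, interface em0) and evaluates a client connection arriving from an ephemeral source port against three rulesets.

```python
"""
Toy model of pf's evaluation order for inbound port forwards, written for
this thread as an illustration (not pfSense or pf code). It parses a small
subset of the old pf 'rdr' / 'pass in' syntax and evaluates a packet the way
pf does: translation first, then filtering of the translated packet.
"""
import re
from dataclasses import dataclass, replace

# Constructed addresses for the example; they are not the poster's real ones.
WANIP = "203.0.113.10"   # pfSense WAN address
ISA = "192.168.1.50"     # internal mail server (the thread calls it ISA)

RDR_RE = re.compile(
    r"rdr on (?P<iface>\S+) proto (?P<proto>\S+) from (?P<src>\S+)(?: port (?P<sport>\S+))?"
    r" to (?P<dst>\S+) port (?P<dport>\S+) -> (?P<rdst>\S+) port (?P<rdport>\S+)"
)
PASS_RE = re.compile(
    r"pass in on (?P<iface>\S+) proto (?P<proto>\S+) from (?P<src>\S+)(?: port (?P<sport>\S+))?"
    r" to (?P<dst>\S+) port (?P<dport>\S+)"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _match(spec, value):
    """'any' (or an omitted port) matches everything; otherwise exact match."""
    return spec is None or spec == "any" or spec == str(value)


def _rule_matches(rule, pkt):
    return (rule["iface"] == pkt.iface and rule["proto"] == pkt.proto
            and _match(rule["src"], pkt.src) and _match(rule["sport"], pkt.sport)
            and _match(rule["dst"], pkt.dst) and _match(rule["dport"], pkt.dport))


def parse_rules(text):
    """Split a ruleset into (translation rules, filter rules), keeping order."""
    rdr, filt = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := RDR_RE.fullmatch(line):
            rdr.append(m.groupdict())
        elif m := PASS_RE.fullmatch(line):
            filt.append(m.groupdict())
        else:
            raise ValueError(f"unsupported rule syntax: {line}")
    return rdr, filt


def evaluate(rules_text, pkt):
    """Return (verdict, packet as the filter rules saw it)."""
    rdr, filt = parse_rules(rules_text)
    # Step 1: the first matching rdr rule rewrites only the destination.
    # Source address and source port stay exactly as the client sent them.
    for r in rdr:
        if _rule_matches(r, pkt):
            pkt = replace(pkt, dst=r["rdst"], dport=int(r["rdport"]))
            break
    # Step 2: filter rules are matched against the translated packet, so the
    # pass rule has to name the internal host, not the WAN address.
    # (Modelled as first-match, the 'quick' behaviour pfSense-generated rules use.)
    for f in filt:
        if _rule_matches(f, pkt):
            return "pass", pkt
    return "block", pkt


# Ruleset A: source port pinned to 25, as in the first screenshot.
RULES_SRCPORT_25 = f"""
rdr on em0 proto tcp from any port 25 to {WANIP} port 25 -> {ISA} port 25
pass in on em0 proto tcp from any to {ISA} port 25
"""
# Ruleset B: source port any, but the pass rule written against WANIP
# instead of the translated destination (the mismatch Guest pointed out).
RULES_DST_MISMATCH = f"""
rdr on em0 proto tcp from any to {WANIP} port 25 -> {ISA} port 25
pass in on em0 proto tcp from any to {WANIP} port 25
"""
# Ruleset C: source any, pass rule on the internal host.
RULES_OK = f"""
rdr on em0 proto tcp from any to {WANIP} port 25 -> {ISA} port 25
pass in on em0 proto tcp from any to {ISA} port 25
"""

# A normal client connection (constructed): ephemeral source port, aimed at the WAN address.
CLIENT = Packet("em0", "tcp", "198.51.100.7", 51234, WANIP, 25)

if __name__ == "__main__":
    for name, rules in [("A", RULES_SRCPORT_25), ("B", RULES_DST_MISMATCH), ("C", RULES_OK)]:
        verdict, seen = evaluate(rules, CLIENT)
        print(f"ruleset {name}: {verdict}; filter saw {seen.src}:{seen.sport} -> {seen.dst}:{seen.dport}")
```

Ruleset A never translates the packet because the client's source port is not 25, so the filter still sees the WAN address and the pass rule for the internal host does not match; ruleset B translates the packet but then has no pass rule for the internal address; only ruleset C passes, and the filter sees the source port 51234 unchanged, which is why the source port on a port forward should be any and the firewall rule should name the internal host.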
• Guest

                                      Is that true, the packets hit the port forwarder before the rules are applied? Wouldn't that over-work the firewall for the masses of hits we get from China? Well my CPU load is never over 1% so I guess not, but good to know that is how it works.

• jlepthien

                                        Well China won't kill you because there are no NAT rules in place besides the ones you specify…


• Guest

                                          I just figured it still checks all requests against the port forwards to see if they match, and it would be that checking causing usage. I only have about 10 port forwards, but I figured if somebody had maybe 20 port forwards, maybe 100+ hits a minute to check against 20 rules, that would add up. But like I said I never get over 1% used so I guess not.

                                          I just never knew that it went through port forwards first, very good to know though lol. I can adjust my WAN rule set accordingly.

• stephenw10 (Netgate Administrator)

                                            @heavy1metal:

                                            I just never knew that it went through port forwards first, very good to know though.

                                            I had always assumed it was the other way around but was recently informed of my ignorance! :P

                                            When you know this it all makes more sense. :)

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.