Netgate Discussion Forum

    Port forwarding problems

    NAT
    43 Posts 6 Posters 13.4k Views
    Gloom:

      So it's always random?

      Short answer yes.
      Long answer: it is possible to force the use of a specific port or range, but unless you understand the full implications of making such changes it's probably safer to just accept the short answer.

      I'd like to see your issue resolved so any info you could post would help. There is nothing worse than finding a forum post that resembles your problem and after reading through them all finding it just stops with no resolution.

      Never underestimate the power of human stupidity

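The "random" source port Gloom refers to is pf's outbound NAT rewriting the LAN source port to a free high port, and the "specific port" option is pfSense's Static Port setting on an outbound NAT mapping. The following is an added example, not code from the thread or from pfSense: a small Python model of both behaviours, showing the implication Gloom alludes to. With a random port, two LAN hosts that both use the same source port toward the same server get distinct public ports and their replies demultiplex cleanly; with static port they collide on one public 5-tuple. The addresses, ports and the collision handling are constructed for the example (real pf's conflict handling differs in detail).

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A LAN-side flow as seen before NAT (sample addresses are constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class OutboundNat:
    """Simplified model of pf outbound NAT source-port selection.

    Default behaviour: the LAN source port is rewritten to a random port from
    the high range, so every state gets a unique public 5-tuple.
    static_port=True: the LAN source port is preserved; two hosts that use
    the same source port to the same destination then collide.
    """

    def __init__(self, wan_ip, static_port=False, seed=None):
        self.wan_ip = wan_ip
        self.static_port = static_port
        self.rng = random.Random(seed)
        self.states = {}    # public 5-tuple -> Flow
        self.by_flow = {}   # Flow -> chosen NAT port

    def _key(self, nat_port, flow):
        return (self.wan_ip, nat_port, flow.dst_ip, flow.dst_port, flow.proto)

    def translate(self, flow):
        """Return the public source port used for this flow, creating state."""
        if flow in self.by_flow:
            return self.by_flow[flow]
        if self.static_port:
            nat_port = flow.src_port
            key = self._key(nat_port, flow)
            clash = self.states.get(key)
            if clash is not None and clash != flow:
                raise ValueError(
                    f"static port collision: {flow.src_ip}:{flow.src_port} and "
                    f"{clash.src_ip}:{clash.src_port} both map to "
                    f"{self.wan_ip}:{nat_port}"
                )
        else:
            for _ in range(10_000):
                nat_port = self.rng.randint(49152, 65535)
                key = self._key(nat_port, flow)
                if key not in self.states:
                    break
            else:
                raise RuntimeError("no free NAT port for this destination")
        self.states[key] = flow
        self.by_flow[flow] = nat_port
        return nat_port

    def match_reply(self, src_ip, src_port, dst_port, proto="udp"):
        """Map a packet arriving on WAN back to the LAN flow it belongs to."""
        return self.states.get((self.wan_ip, dst_port, src_ip, src_port, proto))


def demo(static_port):
    """Two LAN hosts both talk to one server from source port 3478."""
    nat = OutboundNat("203.0.113.5", static_port=static_port, seed=7)
    a = Flow("192.168.1.10", 3478, "198.51.100.7", 3478)
    b = Flow("192.168.1.11", 3478, "198.51.100.7", 3478)
    pa = nat.translate(a)
    try:
        pb = nat.translate(b)
    except ValueError as e:
        return {"a": pa, "b": None, "error": str(e)}
    # Replies from the server are demultiplexed purely by the public dst port.
    return {
        "a": pa,
        "b": pb,
        "reply_to_a": nat.match_reply("198.51.100.7", 3478, pa),
        "reply_to_b": nat.match_reply("198.51.100.7", 3478, pb),
    }


if __name__ == "__main__":
    print("random ports:", demo(False))
    print("static port :", demo(True))
```

The practical reading: enable Static Port only for the specific source hosts and protocols that require it (some VoIP and game traffic), not as a blanket outbound rule, because every host sharing the WAN address then competes for the same public ports.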
      kevindd992002:

        @Gloom:

        Ok.

        Oh no, it won't stop with no answer. I will post the results of the traceroute in a while. I'm actually not inside the firewall network for a few days now and I just remotely access it which is why I didn't post sooner. I will do this now and post back.

        kevindd992002:

          I just tried doing a traceroute from 192.168.1.2 and there were no results. I guess because it's set up as a transparent switch? It's actually set up as a "DHCP Forwarder".

          Gloom:

            No, a DHCP forwarder is simply a setting to forward BOOTP traffic from a subnet with no DHCP server to a DHCP server in a different subnet. It's required because BOOTP does not route across subnets.

            Are you running the trace from the command line on the switch? My memory of the HP command set is a little rusty as we are a Cisco shop these days, but it should be something like:

            ip unreachables enable
            ip ttl-expires enable
            tracert 91.220.52.1

            That should trace through to one of our BGP routers.

            Perhaps, as a check before you try the traceroute from the CLI, run show running config; you should then be able to verify that the default gateway is correctly set to the pfSense box.
            I'm trying to second-guess the issue here, so I'd also be checking that the DHCP server is giving out the correct default gateway to the other boxes having a problem.

            Never underestimate the power of human stupidity

            kevindd992002:

              @Gloom:

              Ok. Well, that switch device is running dd-wrt and it is connected to pfSense via its LAN ports. I have another dd-wrt router in another house, and I can issue the traceroute command in its command line using the syntax "traceroute HOST" and it will return results, because that other router is really working as a router, with a modem connected to its WAN port.

              The show running config command is not a valid command for dd-wrt.

              kevindd992002:

                Here's a screenshot of the main settings of the dd-wrt switch:

                I think I know the problem. The gateway and local dns are not specified which is why it cannot respond to outside requests?

                But this switch is accessible via the LAN side of pfsense.

                kevindd992002:

                  I specified 192.168.1.1 for both Gateway and Local DNS and IT WORKED! So this NAT entry is solved.

                  How about the others?

                  Gloom:

                    lol, you want your money's worth ;)

                    Again I'm going to guess it's a routing issue. What's the OS of the boxes running Sab?

                    Never underestimate the power of human stupidity

                    kevindd992002:

                      @Gloom:

                      Lol, sorry about that.

                      Nope, I already solved the SAB problems. I'm referring now to entry numbers 3 and 5.

                      Gloom:

                        Sorry, I thought I'd already posted what I thought was wrong with the setup to cause 3 and 5.
                        The packet arriving at the 192.168.103.3 interface has the originating IP address of the request, i.e. the computer on the internet. So it responds back, but because its default route is via wan3 the reply goes back to the sender with a different public IP than the one the request was sent to, and the remote PC rejects it because it is not expecting a response from that host.
                        Can't see a fix for it, as the default route for wan3 must be out, so all I can suggest is that you move the NAT over to the wan3 IP and come in that way.

                        Never underestimate the power of human stupidity

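The failure Gloom describes is an asymmetric-return problem: the request enters on one WAN, but the reply leaves by the default route on another WAN, so the client sees a reply from an address it never contacted and discards it. The following is an added example written for this page, not code from the thread or from pfSense: a Python model of a two-WAN edge with a port forward on wan1, a client that only accepts replies from the address:port it sent to, and a switch that makes replies leave by the interface the state was created on (what pfSense's reply-to on WAN rules is meant to do) versus by the default route. Interface names, public addresses and the client address are constructed; 192.168.103.3 is the inside host from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MultiWanEdge:
    """Model of a multi-WAN firewall with a port forward on one WAN.

    reply_to=True  : a reply to a state created on a WAN leaves via that same
                     WAN, sourced from that WAN's address.
    reply_to=False : replies follow the default route (the other WAN), so they
                     are sourced from the default WAN's address.
    Interface names and addresses here are constructed for the example.
    """

    def __init__(self, wans, default_wan, reply_to):
        self.wans = wans            # interface name -> public IP
        self.default_wan = default_wan
        self.reply_to = reply_to
        self.forwards = {}          # (iface, public port) -> (inside ip, inside port)
        self.states = {}            # (client ip, client port, inside ip, inside port) -> (iface, public port)

    def add_port_forward(self, iface, public_port, inside_ip, inside_port):
        self.forwards[(iface, public_port)] = (inside_ip, inside_port)

    def inbound(self, iface, pkt):
        """Packet arriving from the Internet on iface; returns the packet the
        inside host sees, or None if nothing is forwarded."""
        if pkt.dst_ip != self.wans[iface]:
            return None
        target = self.forwards.get((iface, pkt.dst_port))
        if target is None:
            return None
        inside_ip, inside_port = target
        self.states[(pkt.src_ip, pkt.src_port, inside_ip, inside_port)] = (iface, pkt.dst_port)
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

    def outbound(self, pkt):
        """Reply from the inside host; returns (egress iface, packet on the wire)
        or None when no state matches (simplification: such packets are dropped)."""
        state = self.states.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if state is None:
            return None
        iface, public_port = state
        egress = iface if self.reply_to else self.default_wan
        # The source is rewritten to the address of whichever interface the reply leaves on.
        return egress, Packet(self.wans[egress], public_port, pkt.dst_ip, pkt.dst_port)


class Client:
    """Internet client: accepts a reply only from the address:port it contacted."""

    def __init__(self, ip):
        self.ip = ip
        self.pending = {}  # local port -> (server ip, server port)

    def send(self, local_port, server_ip, server_port):
        self.pending[local_port] = (server_ip, server_port)
        return Packet(self.ip, local_port, server_ip, server_port)

    def accepts(self, pkt):
        return pkt.dst_ip == self.ip and self.pending.get(pkt.dst_port) == (pkt.src_ip, pkt.src_port)


def simulate(reply_to):
    """Returns (egress interface, public source IP of the reply, accepted by client)."""
    fw = MultiWanEdge({"wan1": "203.0.113.10", "wan3": "198.51.100.30"},
                      default_wan="wan3", reply_to=reply_to)
    fw.add_port_forward("wan1", 8080, "192.168.103.3", 80)
    client = Client("192.0.2.55")
    req = client.send(40000, "203.0.113.10", 8080)
    inside = fw.inbound("wan1", req)
    # The inside host replies to the client's real address, swapping src and dst.
    reply = Packet(inside.dst_ip, inside.dst_port, inside.src_ip, inside.src_port)
    egress, on_wire = fw.outbound(reply)
    return egress, on_wire.src_ip, client.accepts(on_wire)


if __name__ == "__main__":
    print("default route :", simulate(reply_to=False))
    print("reply-to      :", simulate(reply_to=True))
```

Two things follow from the model. First, pfSense applies reply-to to rules on WAN-type interfaces by default, which keeps the reply on wan1 as long as the firewall itself sees the reply and the state; check that "Disable reply-to on WAN rules" has not been set. Second, reply-to cannot help when the inside host's own default route bypasses the firewall's state (a second router in the path), which is the situation Gloom's suggestion of moving the port forward to the wan3 address works around.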
                        kevindd992002:

                          @Gloom:

                          Ah. How do you move the NAT over to the wan3 IP?

                          kevindd992002:

                            BUMP!

                            Gloom:

                              Does it have a fixed IP or is it dynamic?

                              Never underestimate the power of human stupidity

                              kevindd992002:

                                @Gloom:

                                The wan3 router ip or the modem3 ip? Both of them have fixed IP anyway.

                                Gloom:

                                  If it's a fixed public IP then just put the NAT on the public interface and add a rule to allow the traffic through to the internal IP. It's exactly the same as the ones you have already setup just on a different interface.

                                  Never underestimate the power of human stupidity

                                  kevindd992002:

                                    @Gloom:

                                    Ok, I'll try that. Thanks :)

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.