Netgate Discussion Forum

Port Forwarding + Routing

Routing and Multi WAN
8 Posts 2 Posters 644 Views
    • smaxwell2

      Routing Issue.png

      Hi All,

      I've got a problem I just can't get my head around. I have drawn a diagram, as they say a picture is worth 1000 words.

      I have done the below:

      Set Outbound NAT for 10.253.6.0/24 on the Left Hand side routers.
      Disabled NAT for 10.253.6.0/24 on Right Hand side routers
      Forwarded TCP Port 443 on External IP X.X.X.69 to 10.253.6.1
      Enabled Allow All on Point-to-Point Interface both sides (left & right)
      Using FRR OSPF for routing across the P2P Link

      Internet access is working perfectly, I can browse the Internet from 10.253.6.1 and I get the correct IP Address.

      However, when forwarding a port, it is working but just randomly fails from the outside. Almost like not all of the traffic is getting through.

      Must be missing something here? Any ideas?

      • Derelict (LAYER 8, Netgate)

        If something is randomly failing you'll probably have to do some diagnostics (looking at states, packet captures, etc.) to determine what is different between when it works and when it fails.

        You also gave no description regarding what you are forwarding and to where.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • smaxwell2

          I should have added that. I am forwarding TCP Port 433 from X.X.X.69 (left side) to 10.253.6.1 (right side).

          Also, it is not randomly working; it is simply not working at all, after doing lots and lots of testing today.

          I have done packet captures on the External WAN interface (left side), on the Point-to-Point interface on both the left and right side, and on the LAN side (right side), but this does not tell me a lot.

          Query: if I was to purchase a Netgate Support Plan to get Support to take a look, would I be able to purchase this for just 1 x Unit, or would I need a support contract for all 4 x Units?

          Cheers, Scott

          • Derelict (LAYER 8, Netgate)

            Technically all 4.

            Sorry, your port forward description is pretty good. I just missed it.

            Packet capture on the interface 10.253.6.1 is connected to. Are the TCP SYNs on port 443 going out? Is there a response (SYN+ACK from 10.253.6.1)?

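An added example (not from the thread or from Netgate) of the check Derelict describes: it parses tcpdump-style lines from a capture on the interface 10.253.6.1 sits on and pairs each inbound SYN to port 443 with the host's SYN+ACK, so you can tell "SYNs never arrive" (forward or firewall rule problem) from "SYNs arrive but nothing answers" (host, service or return path). The capture lines and the 203.0.113.x client addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines, standing in for a capture on the right-side
# interface that 10.253.6.1 is connected to. 203.0.113.x are made-up clients.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.5.51234 > 10.253.6.1.443: Flags [S], seq 1000, win 64240, length 0
12:00:01.000600 IP 10.253.6.1.443 > 203.0.113.5.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:02.000100 IP 203.0.113.7.40000 > 10.253.6.1.443: Flags [S], seq 2000, win 64240, length 0
12:00:03.000100 IP 203.0.113.7.40000 > 10.253.6.1.443: Flags [S], seq 2000, win 64240, length 0
12:00:04.000100 IP 192.168.11.20.55555 > 10.253.6.1.80: Flags [S], seq 3000, win 64240, length 0
"""

# Matches the "src.sport > dst.dport: Flags [..]" part of a tcpdump IPv4 line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def classify_handshakes(capture: str, server: str, port: int) -> dict:
    """Pair client SYNs to server:port with the server's SYN+ACK replies."""
    syn_seen = defaultdict(int)   # (client, sport) -> number of SYNs seen
    synack_seen = set()           # (client, sport) that received a SYN+ACK
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparseable line
        flags = m["flags"]
        if m["dst"] == server and int(m["dport"]) == port and flags == "S":
            syn_seen[(m["src"], int(m["sport"]))] += 1
        elif m["src"] == server and int(m["sport"]) == port and flags == "S.":
            synack_seen.add((m["dst"], int(m["dport"])))
    return {
        "completed": sorted(k for k in syn_seen if k in synack_seen),
        "unanswered": sorted(k for k in syn_seen if k not in synack_seen),
        # repeated SYNs from the same socket are client retransmits
        "retransmits": {k: n - 1 for k, n in syn_seen.items() if n > 1},
    }


def diagnose(result: dict) -> str:
    """Map the pairing result onto the two questions in the post above."""
    if not result["completed"] and not result["unanswered"]:
        return "no SYNs reached the host: check the port forward and the rules on the P2P link"
    if result["unanswered"]:
        return "some SYNs get no SYN+ACK: check the host/service and the return route"
    return "handshakes complete on this interface: look further along the path"
```

Feed it real output from `tcpdump -n -i <iface> tcp port 443` taken on the right-side LAN interface and compare with the same filter on the P2P and WAN interfaces.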
              • smaxwell2

              Okay - some great news. I just got this working. I was missing a Firewall Rule on the Point-to-Point link 🙂

              However, what is still not working is NAT reflection.

              VLANs on the right hand side (there are multiple) have their default routes assigned via FRR OSPF 0.0.0.0/0 (left hand side), and I then have Outbound NAT rules on the left hand side saying, for example, that traffic from one VLAN on the right (10.253.6.1) goes out from X.X.X.69. This is working perfectly, and when I do a "what is my IP" from 10.253.6.1 on the right hand side, I get the correct address X.X.X.69.

              However, when trying to access X.X.X.69 TCP Port 443 from another VLAN on the right hand side (192.168.11.0/24), it does not connect.

              I have tried NAT Reflection Mode = Disabled, Pure NAT and Pure NAT + Proxy. All 3 have the same issue. Simply can't connect.

              Any ideas on this?

              • Derelict (LAYER 8, Netgate)

                You really want local connections hairpinning across the point-to-point link via NAT reflection?

                I would seriously look into split DNS.

                • smaxwell2 @Derelict

                  @Derelict I would agree. However, the Point-to-Point is a very low latency (<10ms) 1000Mbps connection. Any settings I should be looking at?

                  • Derelict (LAYER 8, Netgate)

                    I would use Split DNS there.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.