Multi-Wan Working, need help with port forwarding



  • Here is a diagram of my current network setup:

    In addition to that I have the following:

    Server @ 192.168.0.32

    Virtual IP (ProxyARP) for 66.92.160.12 on WAN Interface

    Outbound nat rule mapping 192.168.0.32 -> 66.92.160.12 on WAN:

    The following Port Forwarding Rule:

    And the following firewall rule:

    As of right now all traffic from 192.168.0.32 travels outbound on the proper IP. The problem is that I can't pass any inbound traffic to the server. I've flagged all incoming packets by that firewall rule to get caught by the local syslog but nothing shows up, so I'm relatively certain it's a problem with the port forwarding. Does anyone see any blatant problems with the setup?



  • The outbound NAT rule order is wrong. Rules are applied top down. The last entry will never match, which makes me wonder why the traffic should go out the correct VIP? However, the portforward will create its own states for the connections that should not be affected by the outbound NAT rule anyway. Only traffic originating from the server itself going out should be affected by the outbound rule.

    My guess is that the Virtual IP is not working correctly for some reason.



  • Okay. My coworker and I have moved those rules around. When we do this, all outbound traffic is blocked from that specific machine.

    Also, what makes you think that the Virtual IP is not working and what can we do to fix it?



  • Can you show us the Virtual IP setup?



  • Sure. Here it is.





  • I should also note that I am trying to get traffic to come in on the 66.92.146.116 address on port 22/tcp.



  • Try using CARP Virtual IPs. This should simply work.



  • Okay! Thanks! I'll try that first thing Monday morning. Here's hoping…



  • Okay. So that seems to have worked, but only for traffic over port 80. I see a line in the firewall log which shows my external server hitting the machine behind the firewall and passing the traffic through to the internal address on port 80. When I try to hit that machine on port 21 or port 22, I see a block and the external IP address for the machine rather than the internal.

    Why would it be passing traffic only on port 80? I've got the firewall rule set up to allow all traffic from anywhere to the internal address on any port.

    The firewall log looks like this…

    X  Jan 16 11:12:24 WAN2 204.2.XXX.XXX:38789 66.92.146.116:21 TCP

    Jan 16 11:10:03 WAN2 204.2.XXX.XXX:38778 192.168.0.243:80 TCP
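An added diagnostic, not code from the thread or from pfSense: it parses log lines in the layout the poster quoted (the leading "X" taken as the block marker) and classifies each destination port by whether the filter saw the translated internal address or the untranslated public VIP. The VIP and internal host values come from the thread; the third sample line is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the poster's excerpt; the masked
# 204.2.XXX.XXX source is kept as written. A leading "X" marks a blocked entry.
SAMPLE_LOG = """\
X  Jan 16 11:12:24 WAN2 204.2.XXX.XXX:38789 66.92.146.116:21 TCP
Jan 16 11:10:03 WAN2 204.2.XXX.XXX:38778 192.168.0.243:80 TCP
X  Jan 16 11:12:40 WAN2 204.2.XXX.XXX:38790 66.92.146.116:22 TCP
"""

# Assumed from the thread: the public VIP being tested and the internal
# address that the working port-80 forward lands on.
PUBLIC_VIP = "66.92.146.116"
INTERNAL_HOST = "192.168.0.243"

LINE_RE = re.compile(
    r"^(?P<blocked>X\s+)?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) +(?P<iface>\S+) +"
    r"(?P<src>\S+):(?P<sport>\d+) +(?P<dst>\S+):(?P<dport>\d+) +(?P<proto>\S+)$"
)


@dataclass
class Entry:
    blocked: bool
    iface: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text):
    """Parse lines of the shape above; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(bool(m["blocked"]), m["iface"], m["src"],
                                 m["dst"], int(m["dport"]), m["proto"]))
    return entries


def diagnose(entries, vip=PUBLIC_VIP, internal=INTERNAL_HOST):
    """Map each destination port to a verdict.

    pf applies the port-forward (rdr) translation before the filter rules, so a
    passed entry shows the internal address, while a blocked entry that still
    carries the public VIP means no port forward matched on that port.
    """
    verdict = {}
    for e in entries:
        if e.dst == internal:
            verdict[e.dport] = "translated but blocked by filter" if e.blocked else "forwarded and passed"
        elif e.dst == vip:
            verdict[e.dport] = "not translated: no port forward matched" if e.blocked else "passed to firewall itself"
    return verdict
```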



  • Search for ftp helper and portforwarding. This has been discussed a lot in detail. ftp is tricky.

