Post by Julian on Oct 5, 2016 13:53:23 GMT
Hi all, we want to reach a webserver on a single host in our LAN segment through the WAN interface. We've created firewall rules on the WAN interface to reach the host and are able to see that our packet passes. Nevertheless we are not able to reach the website. It seems that we have problems with the outbound NAT rules. What kind of configuration do we need to perform to get the outbound connection working? We suspect that the IP address is still NATed despite our existing outbound NAT rule.

Incoming Firewall Rule:
Proto | Source | Port | Destination | Port
TCP | 172.17.0.0/22 | * | 172.16.50.133 | 80

Outbound NAT Rule:
Interface | Source | Destination | Target
WAN | 172.16.50.133/32 | 172.17.0.0/22 | 172.16.50.133
Kind Regards, Julian
Post by Lee Sharp on Oct 5, 2016 23:37:50 GMT
I am confused. Are you wanting to NAT or not? I am thinking what you need is an inbound NAT rule and nothing in outbound NAT.
Post by Julian on Oct 12, 2016 11:18:20 GMT
Hi all,
it's a bit more complicated:
We have two independent private networks, which are firewalled and NATed with their own firewalls and own public IPs. Now we have to reach exactly one host behind the SmallWall. For the firewall rules to work we don't want to NAT for this connection.
So we told each firewall how to reach the private networks (static routes), opened the respective ports, and disabled the NAT for the outgoing traffic. We can "see" the hit in SmallWall's firewall logs. But the "answering" traffic can nowhere be seen at the other firewall.
We suspect that the SmallWall still NATed this traffic, or took the wrong route.
Kind regards, Julian
Post by Lee Sharp on Oct 12, 2016 12:59:36 GMT
This is where NAT can sometimes get complex and ugly. How about adding another interface to each router and creating a static route over that network to your other network?
Or, an IPsec VPN between both WAN ports with essentially no encryption to create overhead?
Both will work and be clean and consistent.
Post by Julian on Oct 12, 2016 14:03:54 GMT
Thank you for your answer.
Well, we'll try that if everything else fails. We can see on "the other firewall" that the SmallWall NATs the packets. Routing is ok.
How do you configure the following in outbound on the SmallWall:
NAT everything to the Internet
Don't NAT to target 10.17.0.0/24
Post by Lee Sharp on Oct 12, 2016 14:25:42 GMT
Remember that "Source" is the local network, and "Destination" is the external IP or network. So your Target is 10.17.0.0/24 because it is "Outbound." Often this is backwards... So it would be something like Source = (LAN Subnet) and Destination = Not 10.17.0.0/24, and create no rule for 10.17.0.0/24 since there is no NAT. But this gets complex fast and it is easy to miss something. Essentially all I use it for is to disable port randomization for older SIP services.
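The rule semantics Lee describes (Source = the local network, Destination = the remote network with the "not" option, first matching rule wins, and no NAT at all when nothing matches) can be checked with a small model. The following is an added example written for this thread, not SmallWall code and not posted by either participant. It assumes a LAN subnet of 172.16.50.0/24 containing the host 172.16.50.133, a constructed WAN address 203.0.113.10, and the 10.17.0.0/24 peer network Julian names; it contrasts the recommended single rule with a plain catch-all rule, which is the configuration that makes the other firewall see the WAN address instead of the real source.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of an advanced outbound NAT table (hypothetical model, first-match)."""
    interface: str
    source: IPv4Network            # local (LAN-side) network the packet comes from
    destination: IPv4Network       # remote network the packet is going to
    negate_destination: bool       # the "not" option: match everything EXCEPT destination
    target: Optional[IPv4Address]  # translate source to this; None = interface address

    def matches(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if iface != self.interface or src not in self.source:
            return False
        in_dst = dst in self.destination
        return (not in_dst) if self.negate_destination else in_dst


def translate_source(rules: List[OutboundNatRule], interface: str,
                     interface_addr: IPv4Address, src: IPv4Address,
                     dst: IPv4Address) -> IPv4Address:
    """Source address the packet leaves with. First matching rule wins;
    if no rule matches, the packet is sent untranslated."""
    for rule in rules:
        if rule.matches(interface, src, dst):
            return rule.target if rule.target is not None else interface_addr
    return src


WAN_IF = "wan"
WAN_ADDR = ip_address("203.0.113.10")    # constructed WAN address, not from the thread
LAN_NET = ip_network("172.16.50.0/24")   # assumed LAN subnet containing 172.16.50.133
PEER_NET = ip_network("10.17.0.0/24")    # the other private network named in the thread

# Lee's suggestion: one rule, Destination = NOT 10.17.0.0/24, and no rule for 10.17.0.0/24.
RECOMMENDED = [
    OutboundNatRule(WAN_IF, LAN_NET, PEER_NET, negate_destination=True, target=None),
]

# A catch-all with no exception: traffic to the peer network is translated as well.
CATCH_ALL = [
    OutboundNatRule(WAN_IF, LAN_NET, ip_network("0.0.0.0/0"),
                    negate_destination=False, target=None),
]


def egress_source(rules: List[OutboundNatRule], src: str, dst: str) -> str:
    """Convenience wrapper: strings in, the translated source address out."""
    return str(translate_source(rules, WAN_IF, WAN_ADDR, ip_address(src), ip_address(dst)))


if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("catch-all", CATCH_ALL)):
        for dst in ("198.51.100.7", "10.17.0.5"):   # constructed Internet host and peer host
            print(f"{name:12s} 172.16.50.133 -> {dst:14s} leaves as "
                  f"{egress_source(rules, '172.16.50.133', dst)}")
```

With the recommended table, a packet to an Internet host leaves as the WAN address while a packet to 10.17.0.5 leaves as 172.16.50.133, which is what the firewall rules on the far side expect. With the catch-all table both leave as the WAN address, so the far firewall never sees 172.16.50.133 and its return traffic goes to the wrong place. The model is a simplification: it ignores ports, states and interface selection by route, which is why a real table is easy to get wrong in exactly the way Lee warns about.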