New Member
Posts: 18
Registered: ‎12-07-2018
Accepted Solution

Another Port 80 Forwarding issue.

[ Edited ]

I have been reading through the forums trying to figure out why I cannot get inbound port 80 traffic routed to my web server (Virtual Machine) at 192.168.101.201 on my EdgeRouter ER-8. I have tried adding Port Forwarding rules (with Auto Firewall), and Firewall rules with no changes. I can access the webpage hosted on 192.168.101.201 on the LAN, but I get no response from the Web Server when I attempt to access the website using my external IP address.

 

Any ideas?

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGONS {
            description "Bogus Networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
        network-group LAN_NETWORKS {
            description "RFC1918 LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to LAN (FORWARD)"
        rule 10 {
            action accept
            description "Allow Established/Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow HTTP/TCP"
            destination {
                address 192.168.101.201
                port 80
            }
            log disable
            protocol tcp
            source {
                port 80
            }
        }
        rule 30 {
            action accept
            description "Allow HTTPS/TCP"
            destination {
                address 192.168.101.201
                port 443
            }
            log disable
            protocol tcp
            source {
                port 443
            }
        }
        rule 40 {
            action drop
            description "Drop Invalid State (Packet)"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 50 {
            action drop
            description "Drop BOGONS (Bogus Connection)"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to ROUTER (INPUT)"
        rule 10 {
            action accept
            description "Allow Established/Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow HTTP/TCP"
            destination {
                address 192.168.101.201
                port 80
            }
            log disable
            protocol tcp
            source {
                port 80
            }
        }
        rule 30 {
            action accept
            description "Allow HTTPS/TCP"
            destination {
                address 192.168.101.201
                port 443
            }
            log disable
            protocol tcp
            source {
                port 443
            }
        }
        rule 40 {
            action drop
            description "Drop Invalid State (Packet)"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 50 {
            action drop
            description "Drop BOGONS (Bogus Connection)"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "LAN through WAN to INTERNET (OUTPUT)"
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 192.168.101.1/24
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        address dhcp
        description WAN
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth2 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth4 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth5 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth6 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth7 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface br0
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name DEFAULT {
            authoritative disable
            subnet 192.168.101.0/24 {
                default-router 192.168.101.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 192.168.101.2 {
                    stop 192.168.101.254
                }
                static-mapping **** {
                    ip-address 192.168.101.5
                    mac-address B0:5A:DA:6C:6D:66
                }
                static-mapping **** {
                    ip-address 192.168.101.2
                    mac-address f0:9f:c2:2c:63:6b
                }
                static-mapping **** {
                    ip-address 192.168.101.3
                    mac-address 08:60:6E:BD:6C:A0
                }
                static-mapping **** {
                    ip-address 192.168.101.4
                    mac-address 00:11:32:2C:83:FC
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 0
            listen-on br0
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address 192.168.101.1
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description Masquerade
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.101.1
        port 22
        protocol-version v2
    }
    telnet {
        listen-address 192.168.101.1
        port 23
    }
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
}
system {
    host-name ****
    login {
        user **** {
            authentication {
                encrypted-password ****
                plaintext-password ****
            }
            full-name "****"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export disable
    }
}

 


New Member
Posts: 21
Registered: ‎12-13-2018
Kudos: 7
Solutions: 1

Re: Another Port 80 Forwarding issue.

It looks as if it could be the rule 20 on your WAN_IN firewall. Try removing the source port 80, just leaving the destination port 80. The client will typically be using a random port to initiate the traffic to the HTTP port 80.


EdgeRouter ER-X-SFP | EdgeSwitch ES-8-150W | UAP-AC-LR | UAP-NanoHD | UniFi NMC - Ubuntu 16.04.5
SonicWALL TZ300
Meraki MR34

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

Thanks for your reply. I just updated the rule to exclude port 80 from the source, and still nothing.
Veteran Member
Posts: 7,626
Registered: ‎03-24-2016
Kudos: 1984
Solutions: 874

Re: Another Port 80 Forwarding issue.

You need either:

 

-port forward rule (combined with auto-firewall enabled or manual WAN_IN rule)

OR

-dNAT rule + manual WAN_IN rule

 

You have neither a dnat rule nor a port forward configured.

SuperUser
Posts: 8,216
Registered: ‎01-05-2012
Kudos: 2178
Solutions: 1086

Re: Another Port 80 Forwarding issue.

You already have some firewall rules in WAN_IN and WAN_LOCAL, but the rules 30 and 40 in WAN_LOCAL are useless, and since you want to deny the access to some ip addresses, you may try

configure
edit firewall name WAN_IN
rename rule 40 to rule 15
commit;exit
edit firewall name WAN_LOCAL
delete rule 20
delete rule 30
commit;exit
set service nat rule 10 type destination
set service nat rule 10 destination group address-group ADDRv4_eth0
set service nat rule 10 destination port 80,443
set service nat rule 10 protocol tcp
set service nat rule 10 inbound-interface eth0
set service nat rule 10 inside-address address 192.168.101.201
set service nat rule 20 type destination
set service nat rule 20 destination group address-group ADDRv4_eth0
set service nat rule 20 destination port 80,443
set service nat rule 20 protocol tcp
set service nat rule 20 inbound-interface br0
set service nat rule 20 inside-address address 192.168.101.201
set service nat rule 5040 type masquerade
set service nat rule 5040 source address 192.168.101.0/24
set service nat rule 5040 destination address 192.168.101.1
set service nat rule 5040 protocol tcp
set service nat rule 5040 destination port 80,443
set service nat rule 5040 outbound-interface br0
commit

Test from outside as well as from within the LAN; if OK, issue save.

Cheers,

jonatha

SuperUser
Posts: 8,216
Registered: ‎01-05-2012
Kudos: 2178
Solutions: 1086

Re: Another Port 80 Forwarding issue.

Do you have a routable public IP address? If, from within the LAN, you type in a browser

<http://ip.of.eth0> or <https://ip.of.eth0>

nothing happens?

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

[ Edited ]

If I use the public IP address with the most recent configuration I get an error that the request timed out. Before it was just rejected, so I guess that is an improvement lol.

 

Nmap was showing the port "filtered" with the old configuration. I have not checked it since the changes.

 

EDIT: Nmap now shows the port as "Open"

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

Reposted because I accidentally deleted it.

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGONS {
            description "Bogus Networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
        network-group LAN_NETWORKS {
            description "RFC1918 LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to LAN (FORWARD)"
        rule 10 {
            action accept
            description "Allow Established/Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Invalid State (Packet)"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 30 {
            action accept
            description "Allow HTTP/TCP"
            destination {
                address 192.168.101.201
                port 80
            }
            log disable
            protocol tcp
            source {
            }
        }
        rule 40 {
            action accept
            description "Allow HTTPS/TCP"
            destination {
                address 192.168.101.201
                port 443
            }
            log disable
            protocol tcp
            source {
            }
        }
        rule 50 {
            action drop
            description "Drop BOGONS (Bogus Connection)"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to ROUTER (INPUT)"
        rule 10 {
            action accept
            description "Allow Established/Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop Invalid State (Packet)"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 50 {
            action drop
            description "Drop BOGONS (Bogus Connection)"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description "LAN through WAN to INTERNET (OUTPUT)"
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 192.168.101.1/24
        aging 300
        bridged-conntrack disable
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        address dhcp
        description WAN
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth2 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth4 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth5 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth6 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    ethernet eth7 {
        bridge-group {
            bridge br0
        }
        description ****
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface br0
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name DEFAULT {
            authoritative disable
            subnet 192.168.101.0/24 {
                default-router 192.168.101.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 192.168.101.2 {
                    stop 192.168.101.254
                }
                static-mapping **** {
                    ip-address 192.168.101.5
                    mac-address B0:5A:DA:6C:6D:66
                }
                static-mapping **** {
                    ip-address 192.168.101.2
                    mac-address f0:9f:c2:2c:63:6b
                }
                static-mapping **** {
                    ip-address 192.168.101.3
                    mac-address 08:60:6E:BD:6C:A0
                }
                static-mapping **** {
                    ip-address 192.168.101.4
                    mac-address 00:11:32:2C:83:FC
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 0
            listen-on br0
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address 192.168.101.1
        older-ciphers enable
    }
    nat {
        rule 10 {
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 80,443
            }
            inbound-interface eth0
            inside-address {
                address 192.168.101.201
            }
            protocol tcp
            type destination
        }
        rule 20 {
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 80,443
            }
            inbound-interface br0
            inside-address {
                address 192.168.101.201
            }
            protocol tcp
            type destination
        }
        rule 5000 {
            description Masquerade
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5040 {
            destination {
                address 192.168.101.1
                port 80,443
            }
            outbound-interface br0
            protocol tcp
            source {
                address 192.168.101.0/24
            }
            type masquerade
        }
    }
    ssh {
        listen-address 192.168.101.1
        port 22
        protocol-version v2
    }
    telnet {
        listen-address 192.168.101.1
        port 23
    }
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
}
system {
    host-name ****
    login {
        user **** {
            authentication {
                encrypted-password ****
                plaintext-password ****
            }
            full-name "****"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.us.pool.ntp.org {
        }
        server 1.us.pool.ntp.org {
        }
        server 2.us.pool.ntp.org {
        }
        server 3.us.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export disable
    }
}
SuperUser
Posts: 8,216
Registered: ‎01-05-2012
Kudos: 2178
Solutions: 1086

Re: Another Port 80 Forwarding issue.

If you issue, on the edgerouter

sudo tcpdump -ni br0 host 192.168.101.201 and dst port 80

And then you try to connect, do you see something in the tcpdump's output? If you set a rule on the fly, with the port-forward tab, does it work?

 

 

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

[ Edited ]

Okay, it looks like we got it limping so far lol.

 

If I input my Public IP address on a device within the LAN I get a timeout.

 

If I input my Public IP address from a device that is not connected to my LAN the website is displayed as expected.

 

So, I have external access, just not internal access at this point. I did not set Port Forwarding.

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

Thank you for your help so far btw.

SuperUser
Posts: 8,216
Registered: ‎01-05-2012
Kudos: 2178
Solutions: 1086

Re: Another Port 80 Forwarding issue.

If you issue

sudo tcpdump -ni br0 host 192.168.101.201 and dst port 80

Then, from within the LAN, you type <http://public.ip.eth0>; what's the output of the tcpdump?

 

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

Here is the output. Doesn't look like a reply is being sent.

 

13:27:13.478583 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:13.478664 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:14.479694 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:14.479758 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:16.479730 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:16.479822 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
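As an added example (not the poster's code), a small parser that runs over tcpdump lines of the shape shown above and flags flows whose SYN is retransmitted with no SYN-ACK captured; the sample input is constructed, modelled on the capture above plus one constructed completed handshake for contrast. Caveat worth knowing before reading the capture that way: the filter `dst port 80` only matches the client-to-server direction, so a SYN-ACK (source port 80, destination the client's ephemeral port) would not show up in that capture even if the server did send one.

```python
import re
from collections import defaultdict

# tcpdump -n output: "HH:MM:SS.usec IP src.sport > dst.dport: Flags [F], seq N, ..."
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)

# Constructed sample modelled on the poster's capture: one client SYN to the
# web server repeated six times with the same sequence number (the client's
# retransmission timer firing because no SYN-ACK came back), followed by a
# constructed healthy flow in which the server does answer.
SAMPLE_CAPTURE = """\
13:27:13.478583 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:13.478664 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:14.479694 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:14.479758 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:16.479730 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:16.479822 IP 192.168.101.13.51775 > 192.168.101.201.80: Flags [S], seq 754007849, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:27:20.000000 IP 192.168.101.13.51800 > 192.168.101.201.80: Flags [S], seq 100, win 65535, options [mss 1460,nop,nop,sackOK], length 0
13:27:20.000400 IP 192.168.101.201.80 > 192.168.101.13.51800: Flags [S.], seq 200, ack 101, win 29200, options [mss 1460,nop,nop,sackOK], length 0
13:27:20.000700 IP 192.168.101.13.51800 > 192.168.101.201.80: Flags [.], ack 1, win 1026, length 0
"""


def handshake_report(capture: str) -> dict:
    """Group SYNs by (client, client port, server, server port) and record
    whether a SYN-ACK for that flow appears anywhere in the capture."""
    syns = defaultdict(list)   # flow -> SYN sequence numbers seen
    answered = set()           # flows for which a SYN-ACK was captured
    for line in capture.splitlines():
        m = TCPDUMP_LINE.match(line)
        if not m:
            continue           # continuation or non-TCP line, ignore
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["flags"] == "S":
            syns[flow].append(m["seq"])
        elif m["flags"] == "S.":
            # Reverse the tuple so the SYN-ACK indexes the client's flow.
            answered.add((m["dst"], int(m["dport"]), m["src"], int(m["sport"])))
    return {
        flow: {
            "syn_count": len(seqs),
            # The same seq repeated is one SYN retransmitted, not new attempts.
            "retransmissions": len(seqs) - len(set(seqs)),
            "synack_seen": flow in answered,
        }
        for flow, seqs in syns.items()
    }


def stalled_flows(capture: str) -> list:
    """Flows that retransmitted a SYN and never had a SYN-ACK captured."""
    return sorted(flow for flow, info in handshake_report(capture).items()
                  if info["retransmissions"] > 0 and not info["synack_seen"])


if __name__ == "__main__":
    for flow, info in handshake_report(SAMPLE_CAPTURE).items():
        print(flow, info)
    print("stalled:", stalled_flows(SAMPLE_CAPTURE))
```

To actually see the server's answer on the router, capture both directions, for example with `host 192.168.101.201 and port 80`, so that `synack_seen` can ever become true.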
New Member
Posts: 36
Registered: 3 weeks ago
Kudos: 5

Re: Another Port 80 Forwarding issue.

On the last configuration post, you don't have a DHCP static map for the web server at 192.168.101.201. Is the IP address statically set on the web server itself? If so, then it should not be part of the DHCP pool. If it is getting a DHCP address, could it be different than 201?

 

Y-ASK

New Member
Posts: 36
Registered: 3 weeks ago
Kudos: 5

Re: Another Port 80 Forwarding issue.

Also NAT Rule 20 looks kind of odd.  Not sure what you are trying to do here...

 

Y-ASK

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

Redfive suggested the NAT 20 Rule as a potential fix, and so far it is as close as I have gotten. As for the DHCP question, it was set statically on the server but not in the router; I have since mapped it statically on the router just to see if that might have been causing an issue, but I'm still not able to access the webpage from the LAN. External access is working.

SuperUser
Posts: 8,216
Registered: ‎01-05-2012
Kudos: 2178
Solutions: 1086

Re: Another Port 80 Forwarding issue.

Ok, replace the destination address in the rule 5040, and declare 192.168.101.201.
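As an added example (not from the thread or from Ubiquiti), this Python model walks a LAN client's SYN through the NAT rules posted earlier (rule 20 DNAT on br0, rule 5040 masquerade on br0) in the order iptables applies them, to show why the rule 5040 destination has to be the inside address: destination NAT runs in PREROUTING, source NAT/masquerade runs in POSTROUTING after routing, so by the time rule 5040 is evaluated the packet's destination is already 192.168.101.201. The public address 203.0.113.10 is a constructed stand-in for the router's DHCP-assigned WAN address (the contents of ADDRv4_eth0); the other addresses are the thread's.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread; PUBLIC_IP is a constructed stand-in for the
# router's WAN address, i.e. what the ADDRv4_eth0 address-group resolves to.
PUBLIC_IP = "203.0.113.10"
BR0_ADDR = "192.168.101.1"
WEB_SERVER = "192.168.101.201"
LAN = ip_network("192.168.101.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str  # interface the packet arrived on


def dnat_rule_20(pkt: Packet) -> Packet:
    """service nat rule 20: type destination, inbound-interface br0,
    destination ADDRv4_eth0 port 80,443 -> inside-address 192.168.101.201.
    Runs in PREROUTING, so it sees the original destination (the public IP)."""
    if pkt.in_iface == "br0" and pkt.dst == PUBLIC_IP and pkt.dport in (80, 443):
        return replace(pkt, dst=WEB_SERVER)
    return pkt


def masquerade_rule_5040(pkt: Packet, out_iface: str, dest_match: str) -> Packet:
    """service nat rule 5040: type masquerade, outbound-interface br0,
    source 192.168.101.0/24, destination <dest_match> port 80,443.
    Runs in POSTROUTING, after DNAT, so pkt.dst is already 192.168.101.201;
    dest_match is the value the thread debates (.1 as posted, .201 as fixed)."""
    if (out_iface == "br0" and ip_address(pkt.src) in LAN
            and pkt.dst == dest_match and pkt.dport in (80, 443)):
        return replace(pkt, src=BR0_ADDR)  # rewrite source to br0's own address
    return pkt


def route(pkt: Packet) -> str:
    """Simplified routing table: LAN destinations leave via br0, else eth0."""
    return "br0" if ip_address(pkt.dst) in LAN else "eth0"


def hairpin(client: str, dest_match: str) -> dict:
    """Push one LAN client's SYN to the public IP through DNAT, routing and
    masquerade, then decide whether the web server's SYN-ACK can reach the
    client in a form the client will accept."""
    pkt = Packet(src=client, dst=PUBLIC_IP, dport=80, in_iface="br0")
    pkt = dnat_rule_20(pkt)                                  # PREROUTING
    out_iface = route(pkt)                                   # routing decision
    pkt = masquerade_rule_5040(pkt, out_iface, dest_match)   # POSTROUTING
    # The server replies to whatever source address it saw.  If that is the
    # router (.1), conntrack reverses both translations and the client gets a
    # SYN-ACK from PUBLIC_IP, matching the connection it opened.  If it is the
    # client itself, the SYN-ACK arrives directly from 192.168.101.201; the
    # client has no connection to that address and discards it: a timeout.
    return {
        "server_sees_src": pkt.src,
        "client_gets_synack_from": PUBLIC_IP if pkt.src == BR0_ADDR else WEB_SERVER,
        "works": pkt.src == BR0_ADDR,
    }


if __name__ == "__main__":
    for dest in (BR0_ADDR, WEB_SERVER):
        print(f"rule 5040 destination {dest}: {hairpin('192.168.101.13', dest)}")
```

The model covers only the NAT ordering; a real deployment also needs the WAN_IN rules to accept the translated traffic, and any remaining failure after the 5040 change is outside what this model can explain.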

New Member
Posts: 36
Registered: 3 weeks ago
Kudos: 5

Re: Another Port 80 Forwarding issue.

I guess I just don't understand how the br0 (Bridge) interface works. I would have thought that NAT Rule 5040 wouldn't even be needed. I also would have thought that the br0 interface and all the Ethernet interfaces associated with br0 would be acting like a switch and the gateway IP address would never even come into play when going from, say, eth1 to eth2 or eth3, etc. So can you ping (assuming that all the devices on the internal network have ping enabled) all the different devices on all the different internal ethernet ports?

 

And on the WAN side, are you getting your WAN IP address from your ISP or are you in control of the DHCP process that provides the WAN IP address to the device?

 

 

Y-ASK

New Member
Posts: 10
Registered: ‎01-12-2017
Kudos: 2

Re: Another Port 80 Forwarding issue.

No, the BR or bridge does not act as a switch. You need to use NAT to get the ports to talk to each other and operate each port on a separate subnet. At least that's what worked for me. You can then define which ports get access to the internet (say eth0) or which ports get access to each other (eth1 thru whatever). I also needed to add some static routes to keep everything playing nice network to network. Not sure if it was required, but I had a few devices not behaving correctly and this fixed the issue for me. As far as setting up the DHCP on the WAN side... it's up to you and your ISP. Are you paying for static? If so, you can force the values in. If you're not, then DHCP works fine.

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

[ Edited ]

By declare 192.168.101.201 do you mean just change the IP Address in rule 5040 to that? I changed 192.168.101.1 to 192.168.101.201 and still the same thing. External access, but no internal access.

 

@tkffault this would probably not be an issue if I just added a managed switch to my network lol.
