New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

@Y-ASK The IP address is dynamically assigned by my ISP. I'm using the DDNS service on the EdgeRouter to keep my domain pointing to the right location.

New Member
Posts: 10
Registered: ‎01-12-2017
Kudos: 2

Re: Another Port 80 Forwarding issue.

Sure, adding a managed switch is always the best option if you're not looking to split subnets. I use both. I have a managed switch behind the EdgeRouter for my internal network and I have a split subnet for UniFi, UNMS, and web services. It just depends on your use case.

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

Also depends on your pocketbook lol. The struggle is real over here. I would like to move to a USG, switch, CloudKey, and a few APs eventually, but as of right now, I'm just working with what I have.

SuperUser
Posts: 8,178
Registered: ‎01-05-2012
Kudos: 2169
Solutions: 1074

Re: Another Port 80 Forwarding issue.

Can you try this again?

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

07:30:59.543094 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [S], seq 2770823787, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
07:30:59.543178 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [S], seq 2770823787, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
07:30:59.543688 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [.], ack 755370450, win 1024, length 0
07:30:59.543745 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [.], ack 755370450, win 1024, length 0
07:30:59.543761 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [P.], seq 0:373, ack 1, win 1024, length 373: HTTP: GET / HTTP/1.1
07:30:59.543810 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [P.], seq 0:373, ack 1, win 1024, length 373: HTTP: GET / HTTP/1.1
07:30:59.607652 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [.], ack 376, win 1022, length 0
07:30:59.607711 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [.], ack 376, win 1022, length 0
07:32:20.033729 IP 107.77.249.6.7708 > 192.168.101.201.80: Flags [SEW], seq 3152303049, win 14400, options [mss 1440,sackOK,TS val 4290144834 ecr 0,nop,wscale 8], length 0
07:32:20.048008 IP 107.77.249.6.7708 > 192.168.101.201.80: Flags [.], ack 984322038, win 57, length 0
07:32:20.048991 IP 107.77.249.6.7708 > 192.168.101.201.80: Flags [P.], seq 0:390, ack 1, win 57, length 390: HTTP: GET / HTTP/1.1
07:32:20.063415 IP 107.77.249.6.7708 > 192.168.101.201.80: Flags [.], ack 376, win 61, length 0
07:32:20.172536 IP 107.77.249.6.7708 > 192.168.101.201.80: Flags [P.], seq 390:747, ack 376, win 61, length 357: HTTP: GET /favicon.ico HTTP/1.1
07:32:20.190514 IP 107.77.249.6.7708 > 192.168.101.201.80: Flags [.], ack 1759, win 72, length 0
07:32:49.529475 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [F.], seq 373, ack 376, win 1022, length 0
07:32:49.529537 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [F.], seq 373, ack 376, win 1022, length 0
07:32:49.529983 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [.], ack 377, win 1022, length 0
07:32:49.530036 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [.], ack 377, win 1022, length 0

It appears we are working now, not sure why. The change was made to the br0 Source NAT Rule and I still could not access the website; I tried it again and it is working from both inside and outside the network.

Thank you very much for your help.
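The capture above shows every packet from the LAN client 192.168.101.13 twice on br0: once as sent, and once with its source rewritten to the router's br0 address 192.168.101.1, which is what the br0 source-NAT (masquerade) rule does for hairpin access, while the external client 107.77.249.6 appears only once. The script below is an added example (not from this thread) that groups such twins and flags LAN packets whose rewritten copy is missing; five capture lines are taken from the post, and the last line (client 192.168.101.50) is constructed to show the failure case.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.101.0/24")      # source range of the br0 masquerade rule
ROUTER_BR0 = ipaddress.ip_address("192.168.101.1")  # what the LAN source is rewritten to
SERVER = ipaddress.ip_address("192.168.101.201")    # the forwarded web server

LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], (?P<rest>.*)$")

# Lines 1-5 are from the capture posted above; the last line is constructed to show a LAN
# client (192.168.101.50) whose packet never received its masqueraded twin.
CAPTURE = """\
07:30:59.543094 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [S], seq 2770823787, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
07:30:59.543178 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [S], seq 2770823787, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
07:30:59.543688 IP 192.168.101.13.60339 > 192.168.101.201.80: Flags [.], ack 755370450, win 1024, length 0
07:30:59.543745 IP 192.168.101.1.60339 > 192.168.101.201.80: Flags [.], ack 755370450, win 1024, length 0
07:32:20.033729 IP 107.77.249.6.7708 > 192.168.101.201.80: Flags [SEW], seq 3152303049, win 14400, options [mss 1440,sackOK,TS val 4290144834 ecr 0,nop,wscale 8], length 0
07:40:01.000000 IP 192.168.101.50.41234 > 192.168.101.201.80: Flags [S], seq 1111111111, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

def classify_flows(capture: str) -> dict:
    """Return {client_source_port: verdict} for every TCP flow towards SERVER."""
    # Packets that are identical except for the source IP are twins: the one
    # captured before and the one captured after source NAT on br0.
    twins = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if m and ipaddress.ip_address(m["dst"]) == SERVER:
            key = (int(m["sport"]), m["dport"], m["flags"], m["rest"])
            twins[key].add(ipaddress.ip_address(m["src"]))
    verdicts = {}
    for (sport, *_), sources in twins.items():
        clients = [s for s in sources if s in LAN and s != ROUTER_BR0]
        if not clients:
            v = "external"         # no LAN source, so the masquerade rule does not apply
        elif ROUTER_BR0 in sources:
            v = "hairpin-ok"       # original packet and its rewritten copy both present
        else:
            v = "hairpin-missing"  # LAN packet seen only with its original source
        verdicts[sport] = v if verdicts.get(sport, v) == v else "mixed"
    return verdicts

if __name__ == "__main__":
    for port, verdict in sorted(classify_flows(CAPTURE).items()):
        print(port, verdict)
```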

New Member
Posts: 32
Registered: 3 weeks ago
Kudos: 5

Re: Another Port 80 Forwarding issue.

Would it be possible for you to post your config info again based on how it's set up now? Just trying to learn something from this.

Thanks,

Y-ASK

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

I would love to, but it won't let me post anything that exceeds 25,000 characters lol

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

@redfive

Apparently I accepted that as a solution too quickly.

So when I'm performing the tcpdump, I can access the website internally and externally without any issues. When I stop the tcpdump, I can no longer access the website internally using the public IP address, only externally.

EDIT: it seems to be spotty; sometimes I get a reply, other times I don't. I mostly get a consistent connection when I'm performing the tcpdump.

SuperUser
Posts: 8,178
Registered: ‎01-05-2012
Kudos: 2169
Solutions: 1074

Re: Another Port 80 Forwarding issue.

Can you post the output of

configure
show service nat

And (this is for another thing)

show firewall name WAN_IN

Edit: to be honest, I'm not able to replicate the issue. I've tried a similar config, but it always seems to work. Maybe some hints here? But, in any case, with a couple of cheap 8P gigabit switches, you can use more networks and avoid the software bridge (using it is never a good idea).

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

 rule 1 {
     destination {
         group {
             address-group ADDRv4_eth0
         }
         port 80,443
     }
     inbound-interface eth0
     inside-address {
         address 192.168.101.201
     }
     log disable
     protocol tcp
     type destination
 }
 rule 2 {
     destination {
         group {
             address-group ADDRv4_eth0
         }
         port 80,443
     }
     inbound-interface br0
     inside-address {
         address 192.168.101.201
     }
     log disable
     protocol tcp
     type destination
 }
 rule 5000 {
     description "Masquerade eth0"
     log disable
     outbound-interface eth0
     protocol all
     type masquerade
 }
 rule 5001 {
     description "Masquerade br0"
     destination {
         address 192.168.101.201
         port 80,443
     }
     log disable
     outbound-interface br0
     protocol tcp
     source {
         address 192.168.101.0/24
     }
     type masquerade
 }

 default-action drop
 description "WAN to LAN (FORWARD)"
 rule 10 {
     action accept
     description "Allow Established/Related"
     log disable
     protocol all
     state {
         established enable
         invalid disable
         new disable
         related enable
     }
 }
 rule 20 {
     action drop
     description "Drop Invalid State (Packet)"
     log disable
     protocol all
     state {
         established disable
         invalid enable
         new disable
         related disable
     }
 }
 rule 30 {
     action accept
     description "Allow HTTP/HTTPS"
     destination {
         address 192.168.101.201
         port 80,443
     }
     log disable
     protocol tcp
     source {
     }
 }
 rule 50 {
     action drop
     description "Drop BOGONS (Bogus Connection)"
     log enable
     protocol all
     source {
         group {
             network-group BOGONS
         }
     }
 }

New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

My next network change is to add a switch, but unfortunately that won't be for a while.

SuperUser
Posts: 8,178
Registered: ‎01-05-2012
Kudos: 2169
Solutions: 1074

Re: Another Port 80 Forwarding issue.

Can you try with the port-forward? Just to see if it makes any difference. The port-forward section, based on your previously posted config, should be

port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface br0
    wan-interface eth0
}

Issue configure, then copy and paste all the commands below, at once

delete service nat rule 1
delete service nat rule 2
delete service nat rule 5001

Hit <enter>, then commit.

Copy and paste the commands below

set port-forward rule 1 forward-to address 192.168.101.201
set port-forward rule 1 forward-to port 80
set port-forward rule 1 original-port 80
set port-forward rule 1 protocol tcp
set port-forward rule 2 forward-to address 192.168.101.201
set port-forward rule 2 forward-to port 443
set port-forward rule 2 original-port 443
set port-forward rule 2 protocol tcp

Hit <enter>, then commit. Test from outside as well as from inside. To revert back to manual mode (a bit more detailed), configure, then copy and paste

delete port-forward
set service nat rule 20 destination group address-group ADDRv4_eth0
set service nat rule 20 destination port 80
set service nat rule 20 inbound-interface br0
set service nat rule 20 inside-address address 192.168.101.201
set service nat rule 20 protocol tcp
set service nat rule 20 type destination
set service nat rule 30 destination group address-group ADDRv4_eth0
set service nat rule 30 destination port 443
set service nat rule 30 inbound-interface br0
set service nat rule 30 inside-address address 192.168.101.201
set service nat rule 30 protocol tcp
set service nat rule 30 type destination
set service nat rule 5040 destination address 192.168.101.201
set service nat rule 5040 destination port 80
set service nat rule 5040 outbound-interface br0
set service nat rule 5040 protocol tcp
set service nat rule 5040 source address 192.168.101.0/24
set service nat rule 5040 type masquerade
set service nat rule 5050 destination address 192.168.101.201
set service nat rule 5050 destination port 443
set service nat rule 5050 outbound-interface br0
set service nat rule 5050 protocol tcp
set service nat rule 5050 source address 192.168.101.0/24
set service nat rule 5050 type masquerade

<enter>, then commit;save.

But, as said, a cheap 8P switch....

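The manual-mode commands above pair each destination-NAT rule on br0 (20, 30) with a masquerade rule on br0 (5040, 5050) for the same inside address, port, protocol and LAN source; that pairing is what makes hairpin access to the public IP from the LAN work, and a DNAT rule left without its masquerade partner is the typical mistake when these rules are edited by hand. The script below is an added example (not redfive's or Ubiquiti's code) that parses such `set service nat` lines and reports DNAT rules on the LAN interface with no matching masquerade; the port-80 pair is taken from the post, and rule 40 (port 8080) is a hypothetical unpaired rule constructed to show what the check reports.

```python
from collections import defaultdict
LAN = "192.168.101.0/24"   # source range used by the hairpin masquerade rules in the post

# Constructed input: the port-80 half of the manual-mode commands above (rules 20 and 5040),
# plus a hypothetical rule 40 (port 8080) that has no masquerade partner.
COMMANDS = """
set service nat rule 20 destination group address-group ADDRv4_eth0
set service nat rule 20 destination port 80
set service nat rule 20 inbound-interface br0
set service nat rule 20 inside-address address 192.168.101.201
set service nat rule 20 protocol tcp
set service nat rule 20 type destination
set service nat rule 5040 destination address 192.168.101.201
set service nat rule 5040 destination port 80
set service nat rule 5040 outbound-interface br0
set service nat rule 5040 protocol tcp
set service nat rule 5040 source address 192.168.101.0/24
set service nat rule 5040 type masquerade
set service nat rule 40 destination port 8080
set service nat rule 40 inbound-interface br0
set service nat rule 40 inside-address address 192.168.101.201
set service nat rule 40 protocol tcp
set service nat rule 40 type destination
"""

def parse_rules(text: str) -> dict:
    """Turn 'set service nat rule N path... value' lines into {N: {'path': value}}."""
    rules = defaultdict(dict)
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:4] != ["set", "service", "nat", "rule"]:
            continue  # ignore anything that is not a NAT rule
        rules[int(tok[4])][" ".join(tok[5:-1])] = tok[-1]
    return dict(rules)

def hairpin_gaps(rules: dict, lan: str = LAN, lan_if: str = "br0") -> list:
    """DNAT rules entering on the LAN interface with no matching LAN-side masquerade."""
    masq = [r for r in rules.values()
            if r.get("type") == "masquerade" and r.get("outbound-interface") == lan_if]
    def paired(r):  # after DNAT the packet carries the inside address/port
        port = r.get("inside-address port", r.get("destination port"))
        return any(m.get("destination address") == r.get("inside-address address")
                   and m.get("destination port") == port and m.get("source address") == lan
                   and m.get("protocol") == r.get("protocol") for m in masq)
    return [n for n, r in sorted(rules.items())
            if r.get("type") == "destination" and r.get("inbound-interface") == lan_if
            and not paired(r)]
```

Running `hairpin_gaps(parse_rules(COMMANDS))` lists the unpaired rule numbers; an empty list means every LAN-side DNAT rule has its masquerade counterpart.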
New Member
Posts: 18
Registered: ‎12-07-2018

Re: Another Port 80 Forwarding issue.

@redfive

Thanks for the help. I think I'm going to shelve this for now, get the network set up properly with a switch, and come back to it once that is done.

New Member
Posts: 18
Registered: ‎01-15-2019
Kudos: 2

Re: Another Port 80 Forwarding issue.

I was going to post a new thread about my issues with Port Forwarding and Auto Firewall not working.

Then I remembered I have a double NAT situation. I have an ARRIS modem/router provided by AT&T. I just set up port forwarding under "NAT/Gaming" on my ARRIS router to forward the HTTP/HTTPS ports to my EdgeRouter. Then on my EdgeRouter I set up port forwarding for the same ports to the web server IP address with Auto Firewall checked.

Now everything is working.
