EdgeRouter X - Port Forwarding Issue

Hi,

I followed the newly created help configuration for setting up a simple port forwarding --> https://help.ubnt.com/hc/en-us/articles/217367937-EdgeRouter-Port-Forwarding which is actually straightforward.

configure
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0
set port-forward lan-interface switch0.10

set port-forward rule 1 description telenot
set port-forward rule 1 forward-to address 192.168.10.85
set port-forward rule 1 forward-to port 52516
set port-forward rule 1 original-port 52516
set port-forward rule 1 protocol tcp

commit ; save

My problem is that I'm able to access my destination server from external but not from LAN. Hopefully, someone is able to give me some help. Port 52516 should be forwarded to destination 192.168.10.85:52516. When accessing the port forwarding rule from LAN I can see that the counter on the "port forwarding" tab is increased.

My setup looks like follows: 

WAN --> ETH0

ETH* --> Switch.0 (VLAN 10, VLAN11, ...)

tcpdump when accessing from LAN...

ubnt@ubnt:~$ sudo tcpdump -i switch0 -n tcp dst port 52516
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on switch0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:52:21.023310 IP 192.168.10.132.61758 > 91.64.160.43.52516: Flags [SEW], seq 2184744176, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 753476428 ecr 0,sackOK,eol], length 0

ubnt@ubnt:~$ sudo iptables -L -v -n

...
Chain UBNT_PFOR_FW_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.85        tcp dpt:52516
...
ubnt@ubnt:~$ sudo iptables -t nat -L -v -n
....
Chain UBNT_PFOR_DNAT_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   45  2880 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:52516 to:192.168.10.85:52516

Chain UBNT_PFOR_SNAT_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  tcp  --  *      switch0.10  0.0.0.0/0            192.168.10.85        match-set NETv4_switch0.10 src tcp dpt:52516
....

I figured out that my firewall rule for LAN_IN is causing the problem. But I don't understand this, because my SRC and DST addresses are in the same network?!

Feb 15 15:44:50 ubnt kernel: [LAN_IN-20-D]IN=switch0.10 OUT=switch0.10 MAC=78:8a:20:bc:9c:04:d0:2b:20:e3:93:2f:08:00:45:00:00:40 src=192.168.10.132 DST=192.168.10.85 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62963 DPT=52516 WINDOW=65535 RES=0x00 SYN URGP=0 

My current config below:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Doorbell to SIP"
            destination {
                address 192.168.10.64
            }
            log disable
            protocol all
            source {
                address 192.168.13.0/24
                group {
                }
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 20 {
            action drop
            description "Drop traffic to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
            }
            state {
                established disable
                invalid enable
                new enable
                related disable
            }
        }
    }
    name LAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Allow client DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 20 {
            action accept
            description "Allow client DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 21 {
            action accept
            description "Allow client UNMS Broadcast"
            destination {
                port 10001
            }
            log disable
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 172.16.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
                vlan {
                    pvid 10
                }
            }
            interface eth3 {
                vlan {
                    vid 10
                    vid 11
                    vid 13
                    vid 20
                }
            }
            interface eth4 {
                vlan {
                    vid 10
                    vid 11
                    vid 13
                    vid 20
                }
            }
            vlan-aware enable
        }
        vif 1 {
            address 192.168.1.1/24
            mtu 1500
        }
        vif 10 {
            address 192.168.10.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
            }
            mtu 1500
        }
        vif 11 {
            address 192.168.11.1/24
            description Guest
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
            }
            mtu 1500
        }
        vif 13 {
            address 192.168.13.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
            }
            mtu 1500
        }
        vif 20 {
            address 192.168.20.1/24
            firewall {
                in {
                    name LAN_IN
                }
                local {
                    name LAN_LOCAL
                }
            }
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0.10
    rule 1 {
        description telenot
        forward-to {
            address 192.168.10.85
            port 52516
        }
        original-port 52516
        protocol tcp
    }
    wan-interface eth0
}
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }

Update: I was able to get it working by adding another firewall rule to LAN_IN:

    name LAN_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Doorbell to SIP"
            destination {
                address 192.168.10.64
            }
            log disable
            protocol all
            source {
                address 192.168.13.0/24
                group {
                }
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 20 {
            action accept
            description "Accept Telenot"
            destination {
                address 192.168.10.85
                port 52516
            }
            log disable
            protocol tcp
            source {
                address 192.168.10.0/24
            }
        }
        rule 30 {
            action drop
            description "Drop traffic to other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log enable
            protocol all
            source {
            }
            state {
                established disable
                invalid enable
                new enable
                related disable
            }
        }
    }

Is this the right approach, or would the solution have been done another way?

Regards,

Michel

Accepted Solutions
Re: EdgeRouter X - Port Forwarding Issue

I think that this is the expected behavior. If you take a look at the full filter table

sudo iptables -t filter -nvL

You'll see that the chain UBNT_PFOR_FW_RULES is the target of UBNT_PFOR_FW_HOOK, and in this chain your WAN interface is allowed, not the LAN. So, if you have firewall rules in the IN direction on your LAN interfaces, the auto-firewall doesn't help in your case.

Cheers,

jonatha
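An added example (not from this thread, and not Ubiquiti code) that models the point made in the reply above against the kernel log line Michel posted. A hairpinned connection is DNATed in PREROUTING before the FORWARD filter runs, so the LAN_IN ruleset attached to switch0.10 already sees a destination of 192.168.10.85, which falls inside PRIVATE_NETS, and the "Drop traffic to other LANs" rule fires; the auto-firewall accept only exists on the WAN hook. The script parses the log line and evaluates a simplified model of both LAN_IN rulesets from the thread against it. Connection state is not modelled (the logged packet is a SYN, i.e. new), and the `undo_dnat` helper, which restores the public address seen in the tcpdump output, is an assumption used only to show the pre-NAT view.

```python
"""Why the hairpinned connection hit LAN_IN rule 20: DNAT happens before the filter."""
import ipaddress
import re
from dataclasses import dataclass, field, replace
from typing import Optional

# Constructed copy of the kernel log line quoted in the post (MAC field dropped).
LOG_LINE = (
    "Feb 15 15:44:50 ubnt kernel: [LAN_IN-20-D]IN=switch0.10 OUT=switch0.10 "
    "src=192.168.10.132 DST=192.168.10.85 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=TCP SPT=62963 DPT=52516 WINDOW=65535 RES=0x00 SYN URGP=0"
)

# Addresses and ports as they appear in the thread.
PUBLIC_IP = ipaddress.ip_address("91.64.160.43")   # from the tcpdump output
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    ruleset: Optional[str] = None       # ruleset name from the log prefix, if present
    logged_rule: Optional[int] = None   # rule number from the log prefix, if present


@dataclass
class Rule:
    number: int
    action: str
    description: str
    protocol: str = "all"                            # "all", "tcp", "udp", ...
    src_nets: list = field(default_factory=list)     # empty = any source
    dst_nets: list = field(default_factory=list)     # empty = any destination
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.proto:
            return False
        if self.src_nets and not any(pkt.src in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(pkt.dst in n for n in self.dst_nets):
            return False
        return self.dst_port is None or self.dst_port == pkt.dport


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: list

    def evaluate(self, pkt: Packet):
        """First matching rule wins, as in an iptables chain; otherwise the default action."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.number, rule.action
        return None, self.default_action


LOG_RE = re.compile(r"\[(?P<ruleset>[A-Za-z0-9_]+)-(?P<rule>\d+)-(?P<action>[ADR])\]")


def parse_kernel_log(line: str) -> Packet:
    """Parse an EdgeOS firewall log line. Keys are folded to lower case because
    the logger writes 'src=' in lower case but 'DST=' in upper case."""
    prefix = LOG_RE.search(line)
    fields = {k.lower(): v for k, v in re.findall(r"(\w+)=(\S*)", line)}
    return Packet(
        in_if=fields["in"], out_if=fields["out"],
        src=ipaddress.ip_address(fields["src"]), dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"].lower(), sport=int(fields["spt"]), dport=int(fields["dpt"]),
        ruleset=prefix.group("ruleset") if prefix else None,
        logged_rule=int(prefix.group("rule")) if prefix else None,
    )


# LAN_IN as originally posted: every destination inside PRIVATE_NETS is dropped
# unless an earlier rule accepted it.
LAN_IN_ORIGINAL = Ruleset("LAN_IN", "accept", [
    Rule(10, "accept", "Accept Doorbell to SIP",
         src_nets=[ipaddress.ip_network("192.168.13.0/24")],
         dst_nets=[ipaddress.ip_network("192.168.10.64/32")]),
    Rule(20, "drop", "Drop traffic to other LANs", dst_nets=PRIVATE_NETS),
])

# LAN_IN after the fix: an explicit accept for the forwarded service ahead of the catch-all drop.
LAN_IN_FIXED = Ruleset("LAN_IN", "accept", [
    LAN_IN_ORIGINAL.rules[0],
    Rule(20, "accept", "Accept Telenot", protocol="tcp",
         src_nets=[ipaddress.ip_network("192.168.10.0/24")],
         dst_nets=[ipaddress.ip_network("192.168.10.85/32")], dst_port=52516),
    Rule(30, "drop", "Drop traffic to other LANs", dst_nets=PRIVATE_NETS),
])


def undo_dnat(pkt: Packet) -> Packet:
    """Assumed helper: the packet as it was on the wire before PREROUTING
    rewrote its destination from the public address to the forward-to address."""
    return replace(pkt, dst=PUBLIC_IP)


def explain(line: str) -> dict:
    """Evaluate the logged packet before DNAT, after DNAT with the original rules,
    and after DNAT with the fixed rules."""
    pkt = parse_kernel_log(line)
    return {
        "logged": (pkt.ruleset, pkt.logged_rule),
        "pre_dnat_original": LAN_IN_ORIGINAL.evaluate(undo_dnat(pkt)),
        "post_dnat_original": LAN_IN_ORIGINAL.evaluate(pkt),
        "post_dnat_fixed": LAN_IN_FIXED.evaluate(pkt),
    }


if __name__ == "__main__":
    for key, value in explain(LOG_LINE).items():
        print(f"{key:>20}: {value}")
```

Run stand-alone it shows the pre-NAT packet (destination 91.64.160.43) falling through to the default accept, the same packet after DNAT matching rule 20 drop in the original LAN_IN, and rule 20 accept in the fixed one. The IN=switch0.10 OUT=switch0.10 pair in the log is the hairpin itself: the router forwards the packet back out the interface it arrived on, so it traverses FORWARD and therefore the LAN_IN ruleset, not the WAN hook where the auto-firewall accept lives.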