Emerging Member
Posts: 91
Registered: 05-18-2013
Kudos: 90
Solutions: 5
Accepted Solution

Port forwarding not working


I know it must be my config, but I have been over the tutorial, I have been over the posts. I am doing the testing from my cell phone connection so that I am not falling into the trap of testing it from inside.

I am starting with something simple: port forward port 4568 to 22 internally.

I have the firewall rules and the nat rules just like the tutorial and all the examples list them. But all the stats and counters indicate that my rules are not getting hit, so there must be something else not working.

Here are the relevant snippets.

NAT rules:

    nat {
        rule 1 {
            description imap
            destination {
                port 993
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.8
                port 993
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 2 {
            description sendmail
            destination {
                port 587
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.8
                port 587
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 3 {
            description ssh
            destination {
                address 173.33.166.150
                port 4568
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.8
                port 22
            }
            log enable
            protocol tcp
            type destination
        }
        rule 4 {
            description ssh
            destination {
                address 173.33.166.150
                port 25
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.8
                port 25
            }
            log enable
            protocol tcp
            type destination
        }
        rule 5001 {
            description "Masquerade Rule for LAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
    }

Here is my firewall ruleset:

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "Internet inbound rule to drop all"
        enable-default-log
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description "SSH to MacPro"
            destination {
                address 192.168.1.8
                port 22
            }
            log enable
            protocol tcp
        }
        rule 4 {
            action accept
            description "Read Mail"
            destination {
                address 192.168.1.8
                port 993
            }
            log disable
            protocol tcp
        }
        rule 5 {
            action accept
            description "Send Mail"
            destination {
                address 192.168.1.8
                port 587
            }
            log disable
            protocol tcp
        }
        rule 6 {
            action accept
            description Mail
            destination {
                address 192.168.1.8
                port 25
            }
            log enable
            protocol tcp
        }
    }
    name WAN_local {
        default-action drop
        description "internet access to mgmt capabilities "
        enable-default-log
        rule 1 {
            action accept
            description "Allow established state"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description "Allow PPTP"
            destination {
                port 1723
            }
            log enable
            protocol tcp
        }
        rule 4 {
            action accept
            description "Allow GRE for PPTP VPN"
            log disable
            protocol gre
        }
        rule 5 {
            action accept
            description "Allow ICMP with rate limit 50/m"
            log disable
            protocol icmp
            recent {
                count 50
                time 60
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

Any help would be much appreciated. Is there another part of the config that I should be looking at that would be preventing the traffic from even getting to these rules?

I don't see any attempts in /var/log/messages and I have logging enabled. I see lots of other people trying to get to random ports, but I don't see any attempts to the ports I am forwarding.

BTW, I also followed the PPTP example and I am pretty sure it is all set up correctly, but when I try to PPTP from my Mac on my cell phone network, it times out. Again nothing in the log.

I have also attached my full config. I am using eth0 for WAN, eth1 for LAN. eth2 is unconnected.

Thanks

Greg


All Replies
Emerging Member
Posts: 91
Registered: 05-18-2013
Kudos: 90
Solutions: 5

Re: Port forwarding not working


There was one more thing that I just remembered. The tutorial says to use "show nat translations" and I should see something that refers to the :4568 and :22 addresses. I don't. Here is my output of "show nat translations | match dnat":

gveres@ubnt:~$ show nat translations | match dnat
99.236.109.55        192.168.1.8          dnat  udp   10      
99.236.109.55        192.168.1.8          dnat  tcp   52      
gveres@ubnt:~$ 

From this it makes me think that the configuration hasn't been applied. I have gone into configure mode, typed "save", "exit", "reboot" and I am still in the same situation. Actually, after a clean reboot there are no dnat-type translations found.

Is that an indication of what is wrong? BTW, I am on 1.1.0:

gveres@ubnt:~$ show version 
Version:      v1.1.0
Build ID:     4543695
Build on:     03/12/13 10:19
Copyright:    2012-2013 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Lite 3-Port
HW S/N:       
Uptime:       20:46:12 up 2 min,  1 user,  load average: 0.59, 0.40, 0.16


Ubiquiti Employee
Posts: 2,991
Registered: 02-04-2013
Kudos: 354
Solutions: 289

Re: Port forwarding not working


@gveresex wrote:

gveres@ubnt:~$ show nat translations | match dnat
99.236.109.55        192.168.1.8          dnat  udp   10      
99.236.109.55        192.168.1.8          dnat  tcp   52      
gveres@ubnt:~$ 

Is 173.33.166.150 or 99.236.109.55 your WAN IP? Try deleting "destination address 173.33.166.150" from all the DNAT rules, and move rule 1 and rule 2 of WAN_IN and WAN_LOCAL to the end. And normally, you can remove the firewall under the interface temporarily, then test NAT.

SuperUser
Posts: 21,761
Registered: 11-20-2011
Kudos: 7932
Solutions: 233

Re: Port forwarding not working

All you have to do is "commit".

"commit" writes the changes to the active config, but doesn't save them. "save" saves the current config, but it's just re-saving the current config if you never do a "commit" first.

Either way, if you do a commit & save, you don't have to reboot.



isp builder | linux sorcerer | datacenter automation conjurer | blog: blog.engineered.online
link to our slack channel on the blog
Emerging Member
Posts: 91
Registered: 05-18-2013
Kudos: 90
Solutions: 5

Re: Port forwarding not working

This is part of the problem, yes. I just realized that my ISP changed my IP on me today, sometime after putting the new router in place.

Now when I ssh to the correct IP addr I see the log message of the WAN_local-default-D denying the traffic.

I will try the suggestions here and get back to you.

 

Thanks

Greg

Emerging Member
Posts: 91
Registered: 05-18-2013
Kudos: 90
Solutions: 5

Re: Port forwarding not working

Sure enough, there is one more thing to check when it seems like Port Forwarding doesn't work:

Make sure your ISP hasn't changed your IP address on you!

That would have saved me many hours this afternoon and evening. Thank you Arthur for pointing that out. Somehow my Dynamic DNS client wasn't running. After the DNS records propagated, everything is working.

There are some counters that don't seem to be going up, but the traffic is flowing.

 

Thanks for your help. 

Greg
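As an added example (not code from this thread or from Ubiquiti), here is a small Python checker for the two things that bit Greg in the config posted at the top of the thread: a DNAT rule whose hard-coded "destination address" (173.33.166.150 in rules 3 and 4) no longer matches the ISP-assigned WAN IP, so the rule can never match; and a forwarded port that the WAN_IN ruleset does not accept after translation. It reads the "set ..." form of the config, as "show configuration commands" prints it, rather than the brace form pasted above. The SAMPLE string is a constructed, condensed transcription of the thread's NAT rules 1 and 3 and WAN_IN rules 1, 3 and 4, not Greg's full config; the function names and the WAN IP values passed in are assumptions for the example. Because NAT rule 1 forwards tcp_udp while WAN_IN rule 4 only accepts tcp, the checker also reports that UDP 993 would be translated and then dropped, which is the kind of silent mismatch that shows up as "the counters never move".

```python
import shlex

# Constructed sample: a condensed transcription of the DNAT and WAN_IN rules posted
# in this thread, in the 'set' form that 'show configuration commands' prints.
# It is not Greg's full configuration.
SAMPLE = """\
set service nat rule 1 destination port 993
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.8
set service nat rule 1 protocol tcp_udp
set service nat rule 1 type destination
set service nat rule 3 destination address 173.33.166.150
set service nat rule 3 destination port 4568
set service nat rule 3 inbound-interface eth0
set service nat rule 3 inside-address address 192.168.1.8
set service nat rule 3 inside-address port 22
set service nat rule 3 protocol tcp
set service nat rule 3 type destination
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 protocol all
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state new disable
set firewall name WAN_IN rule 3 action accept
set firewall name WAN_IN rule 3 destination address 192.168.1.8
set firewall name WAN_IN rule 3 destination port 22
set firewall name WAN_IN rule 3 protocol tcp
set firewall name WAN_IN rule 4 action accept
set firewall name WAN_IN rule 4 destination address 192.168.1.8
set firewall name WAN_IN rule 4 destination port 993
set firewall name WAN_IN rule 4 protocol tcp
"""


def parse_set_commands(text):
    """Build nested dicts from 'set a b c value' lines; the last token is the value.
    Bare flags such as 'enable-default-log' are not needed here and are not modelled."""
    cfg = {}
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) < 3 or parts[0] != "set":
            continue
        node = cfg
        for key in parts[1:-2]:
            node = node.setdefault(key, {})
        node[parts[-2]] = parts[-1]
    return cfg


def dnat_rules(cfg):
    """Collect 'type destination' NAT rules. If inside-address has no port, the
    destination port is preserved, so that is what the firewall must accept."""
    out = []
    for num, body in cfg["service"]["nat"]["rule"].items():
        if body.get("type") != "destination":
            continue
        dst, inside = body.get("destination", {}), body["inside-address"]
        out.append({"rule": num, "dst_addr": dst.get("address"),
                    "in_addr": inside["address"],
                    "in_port": inside.get("port", dst.get("port")),
                    "proto": body.get("protocol", "all")})
    return out


def firewall_allows(cfg, ruleset, addr, port, proto):
    """Walk the named ruleset in rule-number order, as EdgeOS does, and report whether a
    NEW connection to addr:port/proto hits an accept before a drop/reject or the default."""
    rs = cfg["firewall"]["name"].get(ruleset, {})
    rules = rs.get("rule", {})
    for num in sorted(rules, key=int):
        body = rules[num]
        state = body.get("state")
        if state and state.get("new") != "enable":
            continue  # established/related/invalid-only rule never sees a fresh SYN
        dst = body.get("destination", {})
        if dst.get("address", addr) != addr or dst.get("port", port) != port:
            continue
        fw_proto = body.get("protocol", "all")
        if not (fw_proto in ("all", proto) or (fw_proto == "tcp_udp" and proto in ("tcp", "udp"))):
            continue
        return body.get("action") == "accept"
    return rs.get("default-action") == "accept"


def check_forwarding(cfg, wan_ip):
    """One finding per problem: a DNAT destination address that is not the current WAN IP
    (this thread's root cause), or a translated port/protocol that WAN_IN does not accept."""
    findings = []
    for r in dnat_rules(cfg):
        if r["dst_addr"] and r["dst_addr"] != wan_ip:
            findings.append(f"nat rule {r['rule']}: destination address {r['dst_addr']} "
                            f"!= WAN IP {wan_ip}; rule will never match")
        protos = ("tcp", "udp") if r["proto"] == "tcp_udp" else (r["proto"],)
        for p in protos:
            if not firewall_allows(cfg, "WAN_IN", r["in_addr"], r["in_port"], p):
                findings.append(f"nat rule {r['rule']}: WAN_IN does not accept "
                                f"{p}/{r['in_port']} to {r['in_addr']} after translation")
    return findings


if __name__ == "__main__":
    cfg = parse_set_commands(SAMPLE)
    for wan_ip in ("173.33.166.150", "99.236.109.55"):  # address in the rules vs. the new one
        print(f"WAN IP {wan_ip}:")
        for finding in check_forwarding(cfg, wan_ip):
            print("  " + finding)
```

Run it with the WAN IP from "show interfaces" as the second argument to check_forwarding; with the address the ISP moved Greg to (99.236.109.55), rule 3 is reported as unmatchable, which is exactly why its counters and log entries stayed at zero. Leaving "destination address" off a DNAT rule, as the accepted answer suggests, removes that whole class of failure when the WAN address is dynamic.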