So I’ve got a production router that I need to open some ports on for a Vodafone Sure Signal unit. Thought I’d done everything right but it still didn’t work, so I decided to remove Vodafone’s IP and do some basic port tests with www.yougetsignal.com/tools/open-ports/
I see the packets register in the firewall/NAT tab but the site still says the port is closed. I did have a rule blocking outgoing ICMP requests but I disabled it temporarily for this, still not showing as open. I even disabled the entire firewall for a minute but still the same result.
Can anyone point me in the right direction for this one please?
We have a number of clients sitting behind a Cloud Core Router which is our route out to the internet.
All individual clients have a SRC-NAT rule on the CCR so that they have a unique IP address to the outside world, e.g.
0 chain=srcnat action=src-nat to-addresses=185.52.xxx.xxx src-address=10.10.20.221 out-interface=sfp1 log=no log-prefix=""
By default we don’t have matching DST-NAT rules, so any traffic generated from outside our network is dropped at the firewall.
The last rule in our NAT table is a catch-all which puts any remaining outgoing traffic on our default external IP address:
143 chain=srcnat action=src-nat to-addresses=94.142.xxx.xxx out-interface=sfp1 log=no log-prefix=""
This was what we used for all traffic until we were provided with static IP addresses for each client.
Unfortunately we have a problem with SureSignal - it does not work for anyone that has been assigned a static IP address, but works fine if we disable their rule and allow the catch-all at the end.
Any ideas?
When you have static IP addresses for the clients, you should simply route their traffic instead of using NAT.
That way you avoid all possible issues that are related to NAT.
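The NAT table described in the second post, as an added example that is not from the thread or from MikroTik: Python that parses rules in the quoted print format, reports which public address a client leaves on (the first matching srcnat rule wins), and lists clients whose dedicated src-nat has no dst-nat mapping back. The addresses are constructed documentation ranges standing in for the masked ones, and only chain, src-address, dst-address and to-addresses are evaluated.

```python
import ipaddress
import shlex

# Constructed sample in the shape of the rules quoted in the thread; the
# addresses are documentation ranges, not the poster's masked values.
SAMPLE = '''
0 chain=srcnat action=src-nat to-addresses=203.0.113.21 src-address=10.10.20.221 out-interface=sfp1 log=no log-prefix=""
1 chain=srcnat action=src-nat to-addresses=203.0.113.22 src-address=10.10.20.222 out-interface=sfp1 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=10.10.20.222 dst-address=203.0.113.22 in-interface=sfp1
143 chain=srcnat action=src-nat to-addresses=198.51.100.1 out-interface=sfp1 log=no log-prefix=""
'''

def parse_rules(text):
    """Turn 'N key=value ...' lines into dicts, keeping table order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)          # handles log-prefix=""
        rule = {"id": int(tokens[0])}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def egress_address(rules, client_ip):
    """First matching srcnat rule wins; no src-address means match-all.
    Simplification: interface and other matchers are ignored."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.get("chain") != "srcnat":
            continue
        src = r.get("src-address")
        if src is None or ip in ipaddress.ip_network(src, strict=False):
            return r["to-addresses"], r["id"]
    return None, None

def one_way_mappings(rules):
    """Clients with a dedicated src-nat but no dst-nat mapping the public IP back."""
    back = {(r.get("dst-address"), r.get("to-addresses"))
            for r in rules if r.get("chain") == "dstnat"}
    return [(r["src-address"], r["to-addresses"]) for r in rules
            if r.get("chain") == "srcnat" and "src-address" in r
            and (r["to-addresses"], r["src-address"]) not in back]

if __name__ == "__main__":
    table = parse_rules(SAMPLE)
    print(egress_address(table, "10.10.20.221"), one_way_mappings(table))
```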