Port forwards only work inside?

I just switched to a RB2011UiAS-RM from a dlink soho router.

Okay, so I have two problems, and I don’t know if they’re connected.

  1. If I ping a domain that is being forwarded to me, it does not resolve anymore.

  2. Port forwards only work from inside the network.

The domain is pointing to my IP. I need that traffic to be forwarded to a Teamspeak server, accessible from the outside. Currently, when I try to connect to the server from inside, via IP or that domain, it works. Externally, it does not.

Internal Network:

192.168.0.x/24

The ports:

Application: TEAMSPK3 External port: 9987 Internal port: 9987 Protocol: UDP (Default voice port)

Application: TEAMSK3A External port: 10011 Internal port: 10011 Protocol: TCP (Default server query port)

Application: TEAMSK3B External port: 30033 Internal port: 30033 Protocol: TCP/UDP (Default file transfer port)

As I’ve seen posted, here’s the print out from NAT and Firewall.

NAT

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=192.168.0.34 to-ports=9987 
     protocol=udp dst-port=9987 

 1   chain=dstnat action=dst-nat to-addresses=192.168.0.34 to-ports=30033 
     protocol=tcp dst-port=30033 

 2   chain=dstnat action=dst-nat to-addresses=192.168.0.34 to-ports=10011 
     protocol=tcp dst-port=10011 

 3   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway

FIREWALL

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=accept protocol=udp dst-port=9987 

 1   chain=input action=accept protocol=tcp dst-port=30033 

 2   chain=input action=accept protocol=tcp dst-port=10011 

 3   ;;; default configuration
     chain=input action=accept protocol=icmp 

 4 X ;;; default configuration
     chain=input action=accept connection-state=established 

 5 X ;;; default configuration
     chain=input action=accept connection-state=related 

 6   ;;; default configuration
     chain=input action=accept in-interface=ether1-gateway 

 7 X ;;; default configuration
     chain=forward action=accept connection-state=established 

 8 X ;;; default configuration
     chain=forward action=accept connection-state=related 

 9 X ;;; default configuration

Firewall rules should be on the FORWARD chain, not on INPUT. Think: INPUT is for traffic destined to the router itself, while FORWARD is for transit. Yes, NATed traffic is also “in transit”. 🙂

So, you have to enable those rules #7-9.

Otherwise, I (personally) feel frustrated with DST-NAT rules without clear indication of IN-INTERFACE or DST-ADDRESS; however, these should work anyway. 🙂

  1. If I ping a domain that is being forwarded to me, it does not resolve anymore.

It doesn’t resolve or doesn’t respond?

Without any dst-address, this rule will prevent communication with other internet servers on port 9987. Add “dst-address-type=local”.

It should work anyway, unless there are more firewall rules below 9 preventing it.
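
As an added example (not from any post in this thread), a small Python check over saved `print` output that flags the two issues raised in the replies: dst-nat rules with no in-interface, dst-address or dst-address-type, and accept rules for forwarded ports that sit on the input chain. The sample rules are constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the `print` output quoted in the thread.
NAT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=dstnat action=dst-nat to-addresses=192.168.0.34 to-ports=9987
     protocol=udp dst-port=9987
 1   chain=dstnat action=dst-nat to-addresses=192.168.0.34 to-ports=30033
     protocol=tcp dst-port=30033 dst-address-type=local
 2   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway
"""
FILTER = """\
 0   chain=input action=accept protocol=udp dst-port=9987
 1 X ;;; default configuration
     chain=forward action=accept connection-state=established
"""

SCOPE_KEYS = ("in-interface", "dst-address", "dst-address-type")

def parse_rules(text):
    """Turn RouterOS `print` output into a list of dicts, one per rule."""
    rules = []
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+([XID]*)\s*(.*)", line)
        if head:  # a new rule starts with its index and optional flags
            rules.append({"id": int(head.group(1)), "disabled": "X" in head.group(2)})
            line = head.group(3)
        if not rules or line.lstrip().startswith("Flags:"):
            continue
        body = line.split(";;;")[0]  # drop the rule comment
        rules[-1].update(re.findall(r"([\w-]+)=(\S+)", body))
    return rules

def audit(nat_text, filter_text):
    """Return findings for enabled rules only (disabled rules have no effect)."""
    findings, forwarded = [], set()
    for r in parse_rules(nat_text):
        if r["disabled"] or r.get("action") != "dst-nat":
            continue
        forwarded.add((r.get("protocol"), r.get("dst-port")))
        if not any(k in r for k in SCOPE_KEYS):
            findings.append(f"nat {r['id']}: dst-nat not scoped by {'/'.join(SCOPE_KEYS)}")
    for r in parse_rules(filter_text):
        port = (r.get("protocol"), r.get("dst-port"))
        if not r["disabled"] and r.get("chain") == "input" and port in forwarded:
            findings.append(f"filter {r['id']}: accept for forwarded port is on input, not forward")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(NAT, FILTER)))
```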