HI There,

I have an internet sharing network built.

I have users connecting to the core (internet router) to get access to the internet.

Setup: Each Company is on a different VLAN and they all connect to the core router which connects to the internet. Everything works fine. The problem is that when I port forward from outside the Wan to any device in any of the subnets, it does not work. I have tried the following:

A) on The WAN facing router
NAT:
0 chain=srcnat action=masquerade out-interface=Ether1 - WAN log=no
log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.1.70 to-ports=3389
protocol=tcp in-interface=Ether1 - WAN dst-port=40000 log=yes
log-prefix="RDP"

Filter

17 chain=forward action=accept connection-state=established log=yes
log-prefix=""

18 chain=forward action=accept connection-nat-state=dstnat log=yes
log-prefix=""


B) On the client router
IP: 10.1.13.2/30
Gateway (TO WAN Router): 10.1.13.1/30
LAN: 192.168.1.0/24
LAN: Gateway: 192.168.1.254/24
The destination PC: 192.168.1.70
Port 3389
External port: 40000

Please, any timely response would be highly appreciated.

Does WAN facing router have route to 192.168.1.70? In other words, client router doesn't have NAT and isn't hiding 192.168.1.0/24 behind 10.1.13.2, right? If it's like this, it should work, as long as incoming connection is not blocked on client router, or by firewall on target PC.

Do some debugging and find out where exectly it fails. Does initial packet from internet pass through WAN router? Does it pass through client router? Does the server send anything back? Use either Tools->Torch, or logging rules in prerouting/postrouting.

Hi Sob,

Thanks Will do some debugging and come back to you.

Is there a way I can get the port-forwarding rules done on the client router itself? The point is that we are trying to avoid situations were the client contact us to do port-forwards, as they would want to manage their router?
What If I had NAT going on the client router, say using the 10.x.x.x network would it be a better way to implement this? (double-Nat)

Thanks so much

CHamp

The best way would be to give public address directly to client router. Or you can do 1:1 NAT, so everything coming to public address would be sent to client router, and they could further forward inside whatever they wanted. But it's still NAT, so not too good. In case address shortage is not the main problem, and you'd have a free one to use with 1:1 NAT, then you should be able to give it to them directly too.

At WAN Router you cant put wan interface in dst-nat role, you need your WAN Public IP Address

HI Sob,

We only have one WAN IP Address.
So all client networks go through that main one. I am just looking for a way to get them all to share that same IP when using port-forward. If I did a 1:1 nat i'd need to have more than one public IP facing on the internet facing router.

Thanks so much

Hi ingdaka,

Thanks so much, the port-forwarding worked.

Please could you advise on how I can get this to work only on the client side?
Without having to make changes to the main router any time a port forward needs to be done.

Also as stated with SOB, what would be the alternative on a double-Nat scenario?

Regards
Champ

You can forward a range of ports to each client (dst-port=<from>-<to>), I don't know how much, ten, hundered, depends on what they need, and let them decide what they do with them. They will all arrive to their router, and they can pick some and forward them further to their internal servers. And as long as they don't run out, they wouldn't need to contact you for changes.

If you have bridge in your VLAN configuration, you must user bridge filter and bridge NAT in bridge menu not in IP menu

You can forward a range of ports to each client (dst-port=<from>-<to>), I don't know how much, ten, hundered, depends on what they need, and let them decide what they do with them. They will all arrive to their router, and they can pick some and forward them further to their internal servers. And as long as they don't run out, they wouldn't need to contact you for changes.

HI Sob,

Thanks for this.
This worked perfectly.
Thanks so much for your patience.

Regards

Thanks everyone!!