bigcw

WAN IP not being seen by LAN server with port forward

Wed Feb 03, 2016 3:18 pm

Hi Everyone

Can anyone give some pointers on this, please.

Hardware is 1009-8G-1S-1S+ with ROS 6.30.4.

It is just doing a simple NAT from a public IP address (/30) on the SFP port to an office of PCs. Standard config with DHCP server, firewall srcnat masquerade rule, etc.

They have an FTP server on the LAN side which has port 21 forwarded to it via a dst-nat rule.

The client reports that the FTP server sees all WAN traffic as originating from the router's LAN IP eg 192.168.88.1 instead of a.b.c.d public IP. He needs it to report the WAN IP as he has access lists, traffic policies per IP, etc.

Is there some trick, or something I have missed, that stops the WAN address being rewritten to 192.168.88.1 during a port forward?

Thanks, Chris
Ecom International Network - Operators of AS61337 with POPs in Europe and North America - www.ecomltd.co.uk
Colocker Data Centre - The data centre with a difference! - www.colocker.com
 
bigcw

Re: WAN IP not being seen by LAN server with port forward

Wed Feb 03, 2016 10:43 pm

Figured this out, but in case anyone in the future needs the solution:

If you omit either 'out interface' or 'src address' from your masquerade rule it causes the symptoms I describe. I suspect because the packet matches the masquerade rule both outbound (as expected) but also inbound due to the port redirect.

Either specifying an out interface or putting the LAN (eg 192.168.88.0/24) in as the src-address fixes the issue.

Cheers, Chris
 
ZeroByte

Re: WAN IP not being seen by LAN server with port forward

Wed Feb 03, 2016 11:06 pm

> Figured this out, but in case anyone in the future needs the solution:
>
> If you omit either 'out interface' or 'src address' from your masquerade rule it causes the symptoms I describe. I suspect because the packet matches the masquerade rule both outbound (as expected) but also inbound due to the port redirect.
>
> Either specifying an out interface or putting the LAN (eg 192.168.88.0/24) in as the src-address fixes the issue.
>
> Cheers, Chris

I prefer the out interface method because if you ever change IP addressing of your LAN (or add more internal subnets) then you won't need to remember to modify the firewall rules.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
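
The fix discussed in this thread, written out as RouterOS NAT rules with the over-broad masquerade rule beside the two corrected forms. This is an added example, not configuration posted by anyone in the thread; the WAN interface name sfp1 and the FTP server address 192.168.88.10 are assumptions.

```routeros
# Added example. Assumed names: WAN interface "sfp1", FTP server 192.168.88.10.
/ip firewall nat

# Port forward for the FTP control channel, as described in the thread.
add chain=dstnat action=dst-nat protocol=tcp dst-port=21 in-interface=sfp1 \
    to-addresses=192.168.88.10 to-ports=21 comment="FTP port forward"

# Problem rule (shown disabled): with no out-interface and no src-address it
# matches every new connection in srcnat, including WAN->LAN connections that
# were just dst-nat'ed. Those leave via the LAN interface, so their source is
# rewritten to the router's LAN address and the FTP server's per-IP access
# lists and logs no longer see the real client.
add chain=srcnat action=masquerade disabled=yes comment="too broad"

# Fix, option 1: masquerade only traffic leaving through the WAN interface.
add chain=srcnat action=masquerade out-interface=sfp1 comment="masquerade to WAN"

# Fix, option 2 (use instead of option 1): masquerade only LAN sources.
# Needs updating whenever LAN subnets change or are added.
# add chain=srcnat action=masquerade src-address=192.168.88.0/24
```

After the change, new inbound connections to the FTP server should log the client's public address rather than 192.168.88.1.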
