Forward everything to a specific host inside my LAN

I’m not going to open a new topic, but I’m getting very confused with the firewall and port forward thingy.

Now I want to forward everything from the firewall coming in from the internet on port 6556 to a specific host inside my LAN. But no matter, how I add the port forward (altho it is pretty straight forward, I love it), if I try to start the service on the remote server to connect to my local workstation, I get the no route to the host error message. What is going on now?

Also, how can I create new services for the firewall rules? That might fix my issues, but not sure. :confused:

:confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused: :confused:

Why do you need it? What’s the purpose? Doing it you bypass all firewall checks and your host will be directly exposed to Internet.

Do you know Check_mk? It is a monitoring group of softwares. I have this monitoring server on a VPS somewhere on the net so it can observe all our other servers. Now, we have another server in the office and I want to monitor that as well. For the monitoring server to communicate with the client, I have to open a port (6556). This works on all the other servers what we have. But I can’t get the monitoring server over the NethServer to see our local server. How would you do this?

You have to create a object with the ip of your internal host:

“Firewall object” -> tab “Hosts” -> “Create new” ->
Name: Assign a name
IP Address: IP of the host where the agent is installed
Description: (Optional)
-> “Submit”

Then you have to create a forward:

“Port forwarding” -> “Create New” ->
Protocol: TCP
WAN IP: the IP of the RED interface where the connection coming from
Origin port: 6556
Destination Port: 6556
Destination host: the name of the object created previously (click on the pencil then select it from the list)
Allow only from: (Optional) put the IP where the connection is originated (the public IP of the server where Check_MK is installed)/32
Description: (Optional)
-> “Submit”

Did what you’ve asked. Every point was done, except one. At creating a forward, where I’m supposed to set the WAN IP. I have only a radio button there titled Any. After I’ve set it all up, the monitoring server is still saying no route to host:

USER@omd ~ $ telnet 37.220.XXX.XXX 6556
Trying 37.220.XXX.XXX...
telnet: connect to address 37.220.XXX.XXX: No route to host

37.220.XXX.XXX is my IP address, that can be seen from the world. In the test I’ve tried to telnet on the specific port into the local machine.

If this works, then the monitoring works too. Maybe this is not NethServer releated? But it must be, because this error came after I’ve replaced my CentOS 7 server with NethServer. Before that, this function worked perfectly. I’ve opened a port on firewall-cmd and forwarded it directly.

I also want to point out, that creating a firewall object was not really nedad I think, because there was already an object with the same information. But never the less, I’ve created another one.

And it is still not working

You have “Any” in WAN IP because you have only a Public IP on your red.

You made some rule in “Firewall Rules” that blocks every connection from lan to internet?
Please disable it temporarily then try again the connection.

1 Like

I have 3 rules.
Drop blue to green
Accept green to firewall
Accept green to blue

Green and blue is a bit mixed up because I didn’t know about the zone hierarchy by the time I’ve created the server. So currently my green zone is the LAN and Blue is a guest network. I also have RED zone and I have my ppp0 interface assigned to it since we are using ADSL internet connection. The drop rule was made so guests won’t be able to reach the LAN. the rest is obvious.

Now if I disable the only Drop rule I get the same error message. However, if I remove the port forwarding, then telnet is just hanging there without errors.
So then my drop rule was the reason to deny the connection in the first place, but the port forward also messes something up. :confused: This is getting stranger from minute to minute.

“Drop blue to green” should be the default so you don’t have to put a rule…
(and maybe the ohter two rules aren’t necessary too)

If I remember correctly, by default, the traffic is permitted in this direction:


but is denied in the opposite direction

RED -/-> ORANGE -/-> BLUE -/-> GREEN

There’s some firewall in the host where the agent is installed that blocks the connection?

Nope. The connection looks like this:

Monitoring server --> INTERNET --> NethServer --> Local Machine (in Green zone)

I’ve dropped away the Drop blue to green rule, but still, if I enable the port forward, then the connection sais no route. If there is not port forward, then I get a timed out.

I mean the Nethserver default, not your specific configuration :slight_smile:

You have a PPPoE connection directly on the RED interface?

  • enp1s0 - PPPoE (red) [shows in black color]
  • enp2s10 - LAN (green) 10.0.XXX.1 [shows in green color]
  • enp2s8 - Guests (blue) 192.168.XXX.1 [shows in blue color]
  • ppp0 - Internet (red) - red1 [shows in red color]

Ok, that is out of my knowledge…

Maybe some issue with the port forwarding when red is a PPPoE connection?
@filippo_carletti @davide_marini @alefattorini

Could be because if I have no FW rule at all, only a port forward, then telnet failes with a no route to host error. Otherwise it just times out. Can you mark somebody in the “chat” who has deeper knowledge than us? :yum:


Without FW rules all should work flawlessly…

I don’t like too much to have a PPPoE connection directly on Nethserver… I prefer to put a router in front that does that dirty work! :slight_smile:

Hehe, give money and I will buy a gigabit router for this task. :smiley: But honestly, this is why we have this server. It serves as a firewall with DHCP server and nothing else. I think it is perfect for this task and NethServer should also be able to deal with this. :wink:

1 Like

Port fwd rules on PPPoE works only with Any interface.
Attach screenshot of the port forward configuration page.
From nethserver shell, run “nc -v lan_ip 6556” and copy and paste output here.
Capture output of “shorewall dump” and put somewhere on the net to download (pastebin, gist, whatever).

I might have found the issue.

[root@firewall ~]# nc -v 10.0.XXX.XXX 6556
Ncat: Version 6.40 ( )
Ncat: No route to host.

Do you still need the shorewall logs despite the fact, even Ncat sais no route to host?

Yes you did. :slight_smile:
You must fix the 10.0.x.x system, this isn’t a problem on nethserver.
If you know an open port on 10.0.x.x, you can double check that port forwards are working fine changing dest port to that open port.


I’m going to stab myself in the d*ck… I’m begging your parton gentlemen, I was 120% sure I’ve already opened the port on the backup machine. I’m crying and laughing.