NethServer Version: 7.7.1908
I am new to NethServer and trying to get port forwards done.
I have set up the Port Forward in NETH.
When I try and connect to the port it does not work.
[root@FW ~]# grep -i DNAT /etc/shorewall/rules
DNAT-:info net 10.107.0.2:8989 tcp 8989 - &enp2s0,&enp3s0
[root@FW ~]# tcpdump -i enp2s0 port 8989
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:51:14.001922 IP vc-gp-n-41-13-212-204.umts.vodacom.co.za.51910 > FW.itts.co.za.sunwebadmins: Flags [S], seq 3822142757, win 65535, options [mss 1350,sackOK,TS val 75697782 ecr 0,nop,wscale 8], length 0
16:51:14.014400 IP vc-gp-n-41-13-212-204.umts.vodacom.co.za.51911 > FW.itts.co.za.sunwebadmins: Flags [S], seq 1818226737, win 65535, options [mss 1350,sackOK,TS val 75697782 ecr 0,nop,wscale 8], length 0
And when I open the URL on my local machine it works. So the PF is set correctly on the LAN side, just not getting in from the WAN.
Any advice?
m.traeumner
(Michael Träumner)
March 13, 2020, 1:58pm
2
Hi, welcome @Juan_Kilian ,
Can you tell us something about your network configuration?
What is in front of the red interface? A router? If so, you have to forward the port at your router.
Hi
I have fibre connected to RED interface, and my red interface has a public facing /29 ip address.
I have a couple of Mikrotik devices on the green interface side of the Neth server that I need to PF some ports to.
mrmarkuz
(Markus Neuberger)
March 13, 2020, 11:01pm
4
You may have to enable hairpin NAT in the firewall settings to make port forwards work from internal:
https://docs.nethserver.org/en/v7/firewall2.html#settings
Good morning
Port forwards work internally without hairpin NAT.
I can't get it to work from outside in.
tmp501
(philip ballinger)
October 26, 2020, 4:44pm
6
Hey, also got port forwarding issues to a client…
NethServer 7.8 as gateway, one red WAN, one bridge (LAN switch, WiFi), firewall and fail2ban enabled.
Made an alias for my WAN -> dunno if that was necessary.
Firewall port forward: 6881 tcp as source and destination, client IP to WAN alias.
Enable hairpin NAT -> on
What am I missing? Thanks.
shorewall check
Checking using Shorewall 5.1.10.2…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Loading Modules…
Checking /etc/shorewall/zones…
Checking /etc/shorewall/interfaces…
Determining Hosts in Zones…
Locating Action Files…
Checking /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering…
Checking Kernel Route Filtering…
Checking Martian Logging…
Checking /etc/shorewall/snat…
Checking MAC Filtration – Phase 1…
Checking /etc/shorewall/blrules…
Checking /etc/shorewall/rules…
Checking /etc/shorewall/conntrack…
Checking MAC Filtration – Phase 2…
Applying Policies…
Checking /etc/shorewall/mangle…
Checking /etc/shorewall/stoppedrules…
Shorewall configuration verified
[root@tank ~]# grep -i DNAT /etc/shorewall/rules
DNAT:info net loc:CLIENT-IP:6881 tcp 6881 - WAN-ALIAS-IP
DNAT:info loc loc:CLIENT-IP:6881 tcp 6881 - WAN-ALIAS-IP
DNAT:none net loc:CLIENT-IP:8881 udp 8881 - WAN-ALIAS-IP
DNAT:none loc loc:CLIENT-IP:8881 udp 8881 - WAN-ALIAS-IP
tcpdump -i enp0s31f6 'port 6881'
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
17:30:59.557335 IP 198.199.98.246.50244 > ISP-IP.6881: Flags [S], seq 682372862, win 14600, options [mss 1460,sackOK,TS val 3165964309 ecr 0,nop,wscale 8], length 0
tail -f /var/log/firewall.log
Oct 26 17:29:00 tank kernel: Shorewall:net2fw:DROP:IN=enp0s31f6 OUT= MAC=2c:4d:54:d0:64:87:00:17:10:7f:52:20:08:00 SRC=45.129.33.14 DST=ISP-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=58912 PROTO=TCP SPT=41366 DPT=33898 WINDOW=1024 RES=0x00 SYN URGP=0
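Both posts above collect the same three artefacts: the DNAT lines from /etc/shorewall/rules, a tcpdump of SYNs arriving on the red interface, and Shorewall's firewall log. The script below is an added example (not code from this thread or from NethServer) that reads those three and reports, per destination port, whether an inbound SYN has a matching forward, whether the rule uses the DNAT- form (which in Shorewall generates only the nat-table rule and no companion ACCEPT, so the filter decision falls to another rule or the zone policy), and whether the firewall logged drops on that port. The sample rules, capture and log lines are constructed and use documentation addresses; the interface name, zones and ports are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the same layouts as the posts above (RFC 5737 addresses).
RULES = """\
DNAT:info   net  loc:192.0.2.10:6881  tcp  6881  -  203.0.113.5
DNAT-:info  net  192.0.2.20:8989      tcp  8989  -  &enp2s0
DNAT:none   net  loc:192.0.2.10:8881  udp  8881  -  203.0.113.5
"""
# tcpdump -nn output: -nn keeps ports numeric instead of resolving them to service names.
TCPDUMP = """\
17:30:59.557335 IP 198.51.100.7.50244 > 203.0.113.5.6881: Flags [S], seq 682372862, win 14600, length 0
17:31:02.101010 IP 198.51.100.8.51910 > 203.0.113.5.8989: Flags [S], seq 3822142757, win 65535, length 0
17:31:05.200000 IP 198.51.100.9.41366 > 203.0.113.5.33898: Flags [S], seq 1, win 1024, length 0
"""
FIREWALL_LOG = """\
Oct 26 17:31:02 tank kernel: Shorewall:net2loc:DROP:IN=enp0s31f6 OUT=br0 SRC=198.51.100.8 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=51910 DPT=8989 SYN URGP=0
Oct 26 17:31:05 tank kernel: Shorewall:net2fw:DROP:IN=enp0s31f6 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=41366 DPT=33898 SYN URGP=0
"""

@dataclass(frozen=True)
class DnatRule:
    action: str     # "DNAT", or "DNAT-" (Shorewall: nat rule only, no companion ACCEPT)
    log_level: str  # "info", "none", ...
    source: str     # zone the packet must arrive from, normally "net"
    dest: str       # "[zone:]ip[:port]" the packet is rewritten to
    proto: str
    dport: str
    origdest: str   # address the packet was originally sent to (WAN IP, alias or &iface)

def parse_rules(text):
    """DNAT lines in /etc/shorewall/rules column order: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("DNAT"):
            continue
        action, _, level = fields[0].partition(":")
        source, dest, proto, dport = fields[1:5]
        origdest = fields[6] if len(fields) > 6 else "-"
        rules.append(DnatRule(action, level or "none", source, dest, proto, dport, origdest))
    return rules

SYN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\]")

def parse_syns(text):
    """Inbound TCP SYNs from a numeric (-nn) tcpdump capture."""
    return [{"src": m.group(1), "sport": int(m.group(2)),
             "dst": m.group(3), "dport": int(m.group(4))}
            for m in SYN_RE.finditer(text)]

LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<verdict>\w+):(?P<kv>.*)$")

def parse_log(text):
    """Shorewall log lines: chain, verdict and the kernel KEY=value fields."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        events.append({"chain": m.group("chain"), "verdict": m.group("verdict"),
                       "proto": kv.get("PROTO", "").lower(), "dst": kv.get("DST"),
                       "dport": int(kv["DPT"]) if kv.get("DPT") else None})
    return events

def diagnose(rules, syns, events):
    """Classify each TCP port that received an inbound SYN; returns {port: status}."""
    report = {}
    for syn in syns:
        port = syn["dport"]
        if port in report:
            continue
        matching = [r for r in rules
                    if r.source == "net" and r.proto == "tcp" and r.dport == str(port)]
        drops = [e for e in events
                 if e["verdict"] == "DROP" and e["proto"] == "tcp" and e["dport"] == port]
        if not matching:
            status = "no-dnat-rule"          # nothing forwards it; the net->fw policy decides
        elif any(r.action == "DNAT-" for r in matching):
            status = "dnat-without-accept"   # rewritten, but filtering still relies on another rule or policy
        elif drops:
            status = "dnat-but-dropped"
        else:
            status = "forwarded"
        if drops:
            status += " (drops in " + ",".join(sorted({e["chain"] for e in drops})) + ")"
        report[port] = status
    return report

if __name__ == "__main__":
    result = diagnose(parse_rules(RULES), parse_syns(TCPDUMP), parse_log(FIREWALL_LOG))
    for port, status in sorted(result.items()):
        print(f"{port:>6}  {status}")
```

Capture with tcpdump -nn on the red interface so the port column stays numeric, and feed the real files in place of the constructed strings. On the sample data the script separates the three situations a reader of this thread needs to tell apart: a SYN whose port has a DNAT rule and no drop (forwarded, so the fault is downstream), a SYN whose port is only rewritten by a DNAT- rule and then dropped by the net-to-loc policy, and a SYN on a port with no forward at all. Note that the net2fw drop tmp501 posted is for DPT=33898, a different port from the 6881 forward, so that log line is unrelated background noise rather than evidence about the forward.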
m.traeumner
(Michael Träumner)
October 28, 2020, 1:37pm
7
@support_team
Can somebody help?
pike
(Michael Kicks)
October 28, 2020, 6:32pm
8
tmp501:
Enable hairpin NAT → on
For BitTorrent, hairpin NAT should not be necessary…
tmp501
(philip ballinger)
October 29, 2020, 8:06am
9
OK, turned it off, but the issue remains. I checked that the problem is not at the client firewall by temporarily turning it off. Maybe it's related to the bridge that I have?