D-Link Forums

D-Link VPN Router => DSR-500N => Topic started by: embraced on September 12, 2016, 05:40:42 PM

Title: DSR1000N - Firewall rules problem
Post by: embraced on September 12, 2016, 05:40:42 PM
problem with firewall rule

Hello brothers, please help with this problem.

I am setting up my PCs to access the remote desktop (external access), but only the first firewall configuration works; the other settings in the list of rules do not work. I can only access the first computer on the list of rules, for example:

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

FIREWALL RULES

LIST RULES ON ROUTER
(https://s21.postimg.org/5bxyl6u1f/firewall_rules.png) (https://postimg.org/image/5bxyl6u1f/)

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

FIRST RULE ON LIST (functional ok)
(https://s21.postimg.org/4np428vbn/rule_1_ok.png) (https://postimg.org/image/4np428vbn/)

STATUS: Enabled
FROM ZONE: WAN
TO ZONE: Default
SERVICE: RealVNC (TCP PORTS ALLOW RANGE)
BLOCK / ALLOW: Allow Always
SOURCE HOSTS: Any
LOCAL SERVER: 192.168.0.101
DESTINATION INTERNET: WAN1
RULE PRIORITY 1

Note: vnc software configured to receive access on port 5800
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

SECOND RULE ON LIST  (not functional)
(https://s21.postimg.org/7vtlfahlf/rule_2_not_ok.png) (https://postimg.org/image/7vtlfahlf/)

STATUS: Enabled
FROM ZONE: WAN
TO ZONE: Default
SERVICE: RealVNC (TCP PORTS ALLOW RANGE)
BLOCK / ALLOW: Allow Always
SOURCE HOSTS: Any
LOCAL SERVER: 192.168.0.102
DESTINATION INTERNET: WAN1
RULE PRIORITY 2

Note: vnc software configured to receive access on port 5820
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
CUSTOM SERVICE (REALVNC)
(https://s14.postimg.org/uyd6udqtp/custom_service.png) (https://postimg.org/image/uyd6udqtp/)

IMPORTANT:
If I put the second rule's settings in the first position, it starts to work. It seems that there is something related to the first position in the list; the others do not work.


----------------------------------------------------------------------------------------------------------------------------------------------------------------------


Can you help me with this problem?


DSR1000 N
My firmware is 2.11B201C_WW






Title: Re: DSR1000N - Firewall rules problem
Post by: FurryNutz on September 13, 2016, 07:19:11 AM
Link>Welcome! (http://forums.dlink.com/index.php?topic=48135.0)

Title: Re: DSR1000N - Firewall rules problem
Post by: embraced on September 13, 2016, 08:25:13 AM
Hello friend! Thanks for listening.

Here is the information:
H/W VER: A1
LOCATION: BRAZIL


Do you need any more information? FCC ID? IC number?


Just now I tested a few things on the remote access to my computers, see:

>> When I disable the first firewall rule >> PC 01 [192.168.0.101] [DDNS+:5800]
       the second rule works again and I can access my PC 2 [192.168.0.102] [DDNS+:5820]

>> If I re-enable the first rule, the second rule stops working again :(

>> It seems that something causes only the first firewall rule to be read, I'm confused.
Title: Re: DSR1000N - Firewall rules problem
Post by: FurryNutz on September 13, 2016, 08:45:40 AM
Seems like when using a single destination IP address it works, one at a time. Seems like you may need to see if the router can be configured for a range of destination IP addresses for just one rule. 192.198.0.101 thru .103. Can you set an IP address range?
Title: Re: DSR1000N - Firewall rules problem
Post by: embraced on September 13, 2016, 10:18:07 AM
Exactly! I also thought about something like this, but I cannot determine an internal IP range.

See the image of Rule settings For example:
(https://s10.postimg.org/5j13w0kdx/no_internal_range.png) (https://postimg.org/image/5j13w0kdx/)


I can only determine the external IP :(

Maybe I can with configuration over the console cable, but I must admit I do not know how to do it; I do not know the commands.

I will try to reverse the position of Insecure LAN <> SECURE and see if I get something with the reverse configuration. One moment... I will return soon with the information.

Title: Re: DSR1000N - Firewall rules problem
Post by: FurryNutz on September 13, 2016, 10:21:51 AM
Might want to phone contact your regional D-Link support office and ask for help and information on this...Keep us posted.
Title: Re: DSR1000N - Firewall rules problem
Post by: embraced on September 13, 2016, 10:24:12 AM

New tests:
Inverse mode doesn't work :(

The IP range option exists with this method but doesn't work.

See example:

(https://s16.postimg.org/5hb4vpe5t/inverse_dntwork.png) (https://postimg.org/image/5hb4vpe5t/)
Title: Re: DSR1000N - Firewall rules problem
Post by: PacketTracer on September 13, 2016, 03:31:15 PM
Hi,

I don't know if my interpretation of your configuration is right (because I'm no expert for DSR1000N routers), but I assume, due to NAT, you want to do port forwarding for the realvnc port from your public IP address to your internal PCs.

In principle this can only be successful for one PC, because the combination [public IP address, rvnc port] can only be mapped once to one PC.

If you want to reach all PCs, for any PC you have to define an additional port for your public IP, say rvnc+10, rvnc+20, ... and configure an additional port forwarding rule like:

[public IP address, rvnc] -- port forwarding --> [priv. IP address PC1, rvnc]
[public IP address, rvnc+10] -- port forwarding --> [priv. IP address PC2, rvnc]
[public IP address, rvnc+20] -- port forwarding --> [priv. IP address PC3, rvnc]
...

In contrast your configuration to me looks like:
[public IP address, rvnc] -- port forwarding --> [priv. IP address PC1, rvnc]
[public IP address, rvnc] -- port forwarding --> [priv. IP address PC2, rvnc+10]
[public IP address, rvnc] -- port forwarding --> [priv. IP address PC3, rvnc+20]
...

and this will only work for the first PC.

PT
Title: Re: DSR1000N - Firewall rules problem
Post by: embraced on September 13, 2016, 07:12:09 PM
Hello friend! Yes, I understand your information, and I am grateful for that!
But for each PC to be accessed, a specific address is given, each with a different port.

Example ( RealVNC Viewer) :
(https://s11.postimg.org/vceuefden/Sem_t_tulo.png) (https://postimg.org/image/vceuefden/)

PC 01 >> myddns.com:5800
or
PC 02 >> myddns.com:5820
or
PC 03 >> myddns.com:5830


But only the first address above accepts the connection; the others do not work...

Did I understand your message correctly?
Sorry for my English  ;D
Title: Re: DSR1000N - Firewall rules problem
Post by: embraced on September 13, 2016, 07:37:48 PM

Friends! I may have achieved success! I'm doing new tests; tomorrow I will do a real test from an external network, and I will soon tell you which setting was causing this problem.

Surely this router is confusing in how it defines the custom service and in the way it forwards the released ports.

Tomorrow I will bring news!
Title: Re: DSR1000N - Firewall rules problem
Post by: embraced on September 14, 2016, 10:25:27 AM
Hello, I think I found the problem with the rules.

When creating the custom service I was telling the firewall to unlock the ports in the range 5800-5900.

My understanding was that the firewall would allow access for that port range. The same released range was applied to each rule (RealVNC - 5800-5900 - see the first posted images).

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

THE PROBLEM:
But it seems that the firewall works differently. It is strange, because I had to create one custom service for each rule in the list. Isn't that strange? For me, yes, very strange. Probably the firewall forwards the whole range of ports to a single IP (192.168.0.101, the first rule), for example.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

PROBLEM SOLVED:

See how the list of rules ended up:
(https://s22.postimg.org/gecwygb65/newlistrules.png) (https://postimg.org/image/gecwygb65/)


See the custom service of the first rule only:
(https://s22.postimg.org/rrzg9nlot/newrule.png) (https://postimg.org/image/rrzg9nlot/)

What do you guys think about the way the firewall works with the custom services created?
Title: Re: DSR1000N - Firewall rules problem
Post by: PacketTracer on September 14, 2016, 11:26:50 AM
Hi again,

so you just implemented what I suggested when I wrote:

[public IP address, rvnc] -- port forwarding --> [priv. IP address PC1, rvnc]
[public IP address, rvnc+10] -- port forwarding --> [priv. IP address PC2, rvnc]
[public IP address, rvnc+20] -- port forwarding --> [priv. IP address PC3, rvnc]
...

... where rvnc+10, rvnc+20 and so on have to be defined as customized services.

Nothing unusual for me - that's the way I would expect to solve the problem.

PT
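
The rule shadowing diagnosed in the posts above, as an added example that is not part of any post and not D-Link's code: a Python model that assumes the router forwards a WAN port to the first rule (by priority) whose custom service range contains it, using the addresses and ports given in the thread. The names `Rule`, `lookup`, `shadowed` and `exposed_ports` are hypothetical; the model also shows that per-rule single-port services forward far fewer WAN ports than the shared 5800-5900 range.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    ports: range       # WAN-side TCP ports of the rule's custom service
    server: str        # LAN host that matching traffic is forwarded to

def lookup(rules, port):
    """Return the LAN server of the first rule (by priority) matching port.
    First-match evaluation is an assumption consistent with the thread."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if port in rule.ports:
            return rule.server
    return None  # no rule matches: the inbound connection is not forwarded

def shadowed(rules):
    """Priorities of rules that can never match, because every port they
    cover is already claimed by a higher-priority rule."""
    claimed, dead = set(), []
    for rule in sorted(rules, key=lambda r: r.priority):
        if set(rule.ports) <= claimed:
            dead.append(rule.priority)
        claimed |= set(rule.ports)
    return dead

def exposed_ports(rules):
    """Number of distinct WAN ports forwarded into the LAN."""
    return len(set().union(*(set(r.ports) for r in rules)))

VNC_RANGE = range(5800, 5901)  # the shared "RealVNC" service, 5800-5900

# Original setup from the thread: both rules reuse the same range service.
before = [Rule(1, VNC_RANGE, "192.168.0.101"),
          Rule(2, VNC_RANGE, "192.168.0.102")]

# Fixed setup: one single-port custom service per rule (ports from the thread).
after = [Rule(1, range(5800, 5801), "192.168.0.101"),
         Rule(2, range(5820, 5821), "192.168.0.102")]

if __name__ == "__main__":
    for name, rules in (("before", before), ("after", after)):
        print(name, "5820 ->", lookup(rules, 5820),
              "| shadowed rules:", shadowed(rules),
              "| exposed WAN ports:", exposed_ports(rules))
```

Running `shadowed()` over an exported rule list before applying it catches this class of misconfiguration without testing from an external network.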
Title: Re: DSR1000N - Firewall rules problem
Post by: embraced on September 14, 2016, 11:43:51 AM
Yes, my friend! I thank you for your tips! God bless you, thank you!

I hope this solution helps other DSR1000N users.

Thanks!
Title: Re: DSR1000N - Firewall rules problem (RESOLVED)
Post by: FurryNutz on September 14, 2016, 11:46:32 AM
Glad you got it working. Thank you for all the information and details.

Enjoy.  ;)