Topic: dfl800 port forwarding - but can only get to sites from the internet not from lan

andrew.keating

I have set up 2 port forwarding configs to web servers. This is working fine from the internet, but not from the LAN.

I have SAT, NAT and Allow actions:


1  site1_sat    SAT    any  all-nets  core  site1-ext_ip  https
2  site1_nat    NAT    lan  lannet    any   all-nets      https
3  site1_allow  Allow  any  all-nets  core  site1-ext_ip  https

1  site2_sat    SAT    any  all-nets  any   site2-ext_ip  https
2  site2_nat    NAT    lan  lannet    any   all-nets      https
3  site2_allow  Allow  any  all-nets  any   site2ext_ip   https

Any ideas what I got wrong in my config?

Fatman

I don't think this is our problem, but let's try to be more selective with our IP rules.

WAN_LAN_Group/all-nets/core/site1-ext_IP
lan/lannet/core/site1-ext_ip

would have been sufficient.

Do we have any relevant log entries?

If we turn on logging on all of these rules do we get relevant log entries?

Does your server see the SYN inbound, and if so from/to what address and port?
non progredi est regredi

andrew.keating

In the logging I see conn_open_natsat from my source IP - desktop on the LAN - to the external facing IP,
then nothing.

andrew.keating

OK, then a conn_close_natsat a little later.

What I did notice was that the site2 request logs a site1_nat rule in the log - so something is messed up. The site1 request also logs site1_nat.

andrew.keating

But neither site1 nor site2 works.

danilovav

Forget about using "any" in IP rules.

A correct port mapping (works from inside too) looks like the one below:

# external
SAT wan/all-nets core/wan_ip yourservice (SAT: new destination = yourprivatehost)
Allow wan/all-nets core/wan_ip yourservice
# internal
SAT lan/lannet core/wan_ip yourservice (SAT: new destination = yourprivatehost)
NAT lan/lannet core/wan_ip yourservice
BR, Alexandr Danilov
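
Added example, not part of the thread and not D-Link code: a small Python model of why the internal rule pair above needs both SAT and NAT when the LAN client and the private host share lannet. All addresses are constructed sample values, and the model assumes NAT rewrites the source to the firewall's own LAN address.

```python
"""Constructed model of hairpin (NAT loopback) traffic; all addresses are samples."""
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.10"    # constructed: firewall public address (core/wan_ip)
FW_LAN_IP = "192.168.1.1"  # assumption: address NAT uses as the new source
SERVER = "192.168.1.20"    # constructed: "yourprivatehost" behind the SAT rule
CLIENT = "192.168.1.50"    # constructed: desktop on lannet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def firewall_forward(pkt, sat, nat):
    """Apply the internal rule pair to a LAN packet aimed at the public address."""
    if sat and pkt.dst == WAN_IP:
        pkt = replace(pkt, dst=SERVER)     # SAT: new destination = private host
    if nat:
        pkt = replace(pkt, src=FW_LAN_IP)  # NAT: source becomes the firewall
    return pkt


def hairpin(sat=True, nat=True):
    """Return (works, reason) for a LAN client connecting to WAN_IP."""
    syn = Packet(CLIENT, WAN_IP)
    at_server = firewall_forward(syn, sat, nat)
    if at_server.dst != SERVER:
        return False, "no SAT: packet never reaches the private host"
    reply = Packet(SERVER, at_server.src)  # server answers whoever it saw
    if reply.dst == CLIENT:
        # Same subnet: the reply is delivered directly and bypasses the
        # firewall, so its source is never rewritten back to WAN_IP.
        return False, f"client expected reply from {WAN_IP}, got {reply.src}"
    # The reply went back to the firewall, which reverses both translations.
    reply = Packet(WAN_IP, CLIENT)
    ok = reply.src == syn.dst and reply.dst == syn.src
    return ok, "reply matches the client's connection"


if __name__ == "__main__":
    for sat, nat in [(True, True), (True, False), (False, True)]:
        print(f"SAT={sat} NAT={nat} ->", hairpin(sat, nat))
```

In the SAT-only case the firewall still logs the connection being opened, but the client discards the server's direct reply because it does not come from the address it connected to.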

andrew.keating

I just tried your recommendation - but it stopped working from the inside and the outside with that configuration!

danilovav

Is the DFL specified as the default gateway on the private host?
BR, Alexandr Danilov

andrew.keating

Yes - the DFL is the gateway on the LAN.

andrew.keating

Is that an issue?  It is the default gateway for the LAN, we don't have another one.

danilovav

To find out the reason for the problem, enable logging on the rules created - it will show you if it's working. Next, see Status > Connections and Status > Logging while testing access.
BR, Alexandr Danilov