Author Topic: Port forwarding doesn't work - any ideas?  (Read 3073 times)
rhvonlehe
Level 1 Member
*
Posts: 17


« on: December 04, 2008, 07:41:33 AM »

Right now I run 3 services that I expose to the world:
FTP
SSH
Wake On Lan

I can set these services up as virtual servers on the DIR-655, but if I try to use port forwarding to accomplish the same thing, it doesn't work.  For example if I try to set up port forwarding of public port 21 to private port 21 on 192.168.1.202 (my Dlink NAS static ip), it just plain doesn't work.

Why worry if I can get it to work as a virtual server?  Because there very well may be cases in the future where I want to forward a range of ports - running a game server or something like that.  This is one of those things that will annoy me until I figure out what is going wrong.  Does anyone have any ideas as to other settings that might cause port forwarding to fail?  Can you think of a way to use logging or Wireshark to troubleshoot?  So far, I have had no clues in the DIR-655's log.  I haven't tried the syslog feature of the router - does that provide more information than the status log?

Here's my network setup behind the DIR-655:
* One desktop on a static IP (not DHCP reservation)
* Two laptops on DHCP
* VOIP box on static IP in the DMZ (not DHCP reservation)
* Dlink NAS on a static IP (not DHCP reservation)
* Old Trendnet router set up as an access point for wireless G traffic - static IP, connection is from LAN port on Trendnet to LAN port on DIR-655.
* The default gateway is the Dlink's IP address 192.168.0.1
* The subnet mask is not the default.  It is 255.255.254.0.  I have my static IPs on 192.168.1.xxx and the dynamic stuff and router on 192.168.0.xxx.

The dlink DNS server is the openDNS servers rather than the comcast ones - I can't imagine that would make a difference.  The Advanced->firewall settings on the DIR-655 are all default.

Help me Obi-Wan Kenobi, you're my only hope :P

funchords
Level 3 Member
***
Posts: 298


« Reply #1 on: December 04, 2008, 12:29:35 PM »

Both FTP and WOL have programming known as Application Layer Gateways (ALG) to allow them to fully function. 

Do you really have an SSH problem?  Google tells me that SSH may also need an ALG if it does certificate support (that was news to me and I don't know if that's in the DIR-655's programming).  Still, I don't see a way to redirect SSH other than the usual way.

The UI for FTP and WOL are not exposed in the latest firmware.  They're enabled and no control is there to disable them.  So, creating a conflicting rule would be -- well -- conflicting.

Quote
Why worry if I can get it to work as a virtual server?  Because there very well may be cases in the future where I want to forward a range of ports - running a game server or something like that.

The good news is that these ALGs should be on their registered ports and to direct them you'd use the controls in Virtual Server or Application Server.  None of this should affect private ports (private means you) which are 49152-65535 and any other port that doesn't require an ALG for one reason or another. So there is plenty of range there, just not across any ALG-required ports. 

http://www.iana.org/assignments/port-numbers

The DIR-655 ALG's cut-and-pasted from Advanced-Firewall (paste shows the hidden ones)

Application Level Gateway (ALG) Configuration
* PPTP
* PPPoE
* IPSec (VPN)
* RTSP
* Windows/MSN Messenger (automatically disabled if UPnP is enabled)
* FTP
* H.323 (NetMeeting)
* SIP
* Wake-On-LAN
* MMS
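An added example, not part of the thread or of D-Link's firmware: a Python check of a planned port-forwarding rule against the LAN settings from the first post and the ALG list and private port range in the reply above. The ALG port numbers are the protocols' usual ports and are an assumption, as are the names `check_forward` and `ALG_PORTS`.

```python
import ipaddress

# Router LAN settings from the thread: gateway 192.168.0.1, mask 255.255.254.0.
LAN = ipaddress.ip_network("192.168.0.1/255.255.254.0", strict=False)

# Usual ports for the protocols in the ALG list. Assumption: the thread does
# not say which ports the DIR-655 actually binds its ALGs to. PPPoE is left
# out because it is not port-based.
ALG_PORTS = {
    9: "Wake-On-LAN (conventional UDP port)",
    21: "FTP", 500: "IPSec (IKE)", 554: "RTSP", 1720: "H.323",
    1723: "PPTP", 1755: "MMS", 1863: "Windows/MSN Messenger", 5060: "SIP",
}
DYNAMIC = range(49152, 65536)  # private port range quoted in the reply


def check_forward(first_port, last_port, target_ip):
    """Return a list of findings for a planned port-forwarding rule."""
    if not (1 <= first_port <= last_port <= 65535):
        return ["invalid port range"]
    findings = []
    # The target must be reachable on the router's LAN (a /23 here, so both
    # 192.168.0.x and 192.168.1.x are valid).
    if ipaddress.ip_address(target_ip) not in LAN:
        findings.append(f"{target_ip} is outside LAN {LAN}")
    # A range that crosses an ALG port is the case the thread says needs
    # a Virtual Server entry instead.
    for port, name in sorted(ALG_PORTS.items()):
        if first_port <= port <= last_port:
            findings.append(f"port {port}: {name} ALG, use Virtual Server")
    if first_port not in DYNAMIC or last_port not in DYNAMIC:
        findings.append("note: range extends below 49152")
    return findings


if __name__ == "__main__":
    # Constructed sample rules: the FTP forward from the first post, and a
    # hypothetical game-server range in the private port range.
    for rule in [(21, 21, "192.168.1.202"), (50000, 50100, "192.168.1.202")]:
        print(rule, check_forward(*rule) or "ok")
```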
rhvonlehe
Level 1 Member
*
Posts: 17


« Reply #2 on: December 04, 2008, 02:55:30 PM »

funchords,

This is a very helpful response, in general.

Let me ask a little bit more, though.

Quote
Do you really have an SSH problem?

SSH works when set up via the virtual server page, but not when set up via the port forwarding page.  I have not tried reaching any of these services with default settings in the router, so maybe I should.

Quote
The UI for FTP and WOL are not exposed in the latest firmware.  They're enabled and no control is there to disable them.  So, creating a conflicting rule would be -- well -- conflicting.

A conflicting rule would be anything that I tried to do in the Advanced->port forwarding page?  So if I created a rule to forward WAN port 21 to LAN port 21 on 192.168.1.202, this would conflict with the default behavior in the ALG?

So if I removed any settings in the port forwarding and virtual servers pages, I should be able to reach my ftp server from the outside world through my router?  That would be awesome (and completely counterintuitive).  I'll try that tonight.

I'll let you know how it goes. Thanks.
Rich




funchords
Level 3 Member
***
Posts: 298


« Reply #3 on: December 04, 2008, 07:02:20 PM »

No, a conflicting rule would be a rule where the ALG's dependency is on whether a rule appears in the Virtual Server (it's not intuitive and seems to ignore triggers allowed in by rules on either Application or Port forwarding -- it's also not really consistent with D-Link's prior products). 

Quote
So if I removed any settings in the port forwarding and virtual servers pages, I should be able to reach my ftp server from the outside world through my router?  That would be awesome (and completely counterintuitive).  I'll try that tonight.
I'll let you know how it goes. Thanks.
Rich

I hope that you'll still need to open WOL and FTP using the Virtual Server page -- for example, hit FTP in the drop-down and then hit that arrow button to the left of it. 

Let me know how it goes -- this part keeps evolving and you see how good the release notes are.  :-(
rhvonlehe
Level 1 Member
*
Posts: 17


« Reply #4 on: December 05, 2008, 10:04:43 AM »

Yes, I definitely still need the Virtual Server settings.  I tried having nothing set up for ports 21 and 22 - I couldn't get through.  I also tried just for kicks to see if it made any difference to have my destination on a reserved DHCP address, but it didn't.

What you said makes more sense now - the ALG depends on having Virtual Server settings enabled, but for some reason doesn't work when simple Port Forwarding is done.  I'm paraphrasing, but I think that's what you're getting at.

I guess I'm done experimenting for now. 
funchords
Level 3 Member
***
Posts: 298


« Reply #5 on: December 08, 2008, 08:48:41 PM »

Quote
What you said makes more sense now - the ALG depends on having Virtual Server settings enabled, but for some reason doesn't work when simple Port Forwarding is done.  I'm paraphrasing, but I think that's what you're getting at.

Wow, my explanation WAS terrible -- but you understand now and hopefully between the two of us, we'll help someone searching for their own solutions understand what's going on here.