t1n1wall

t1n1wall Support (English) => Firewall/NAT => Topic started by: tuaris on August 01, 2019, 08:05:02 AM

Title: NAT Port Forwarding Ranges Not Working Correctly
Post by: tuaris on August 01, 2019, 08:05:02 AM
Looks like (at least on build 156) when setting up a Firewall: NAT forwarding rule using a range of ports, only the first port is used as the destination. 

For example, I want to create a new rule to forward ports 5269 to 5271 to the internal client 192.168.0.2.

- In the "External port range" field I put in 5269 in the first box and 5271 in the second.
- In the "NAT IP" field I put 192.168.0.2
- In the "Local port" field I enter 5269.
- I click save and the corresponding Firewall rules to allow the traffic on this port range are created correctly.

The expected result is that the end port will be calculated automatically, so any traffic going to port 5270 will be redirected to 192.168.0.2:5270.
The actual result is that traffic destined for port 5270 is being redirected to 192.168.0.2:5269.

This can be demonstrated with netcat.

On 192.168.0.2, start up two netcat processes:
```
# nc -l 5270
```
```
# nc -l 5269
```

On an external client make the connection (X.X.X.X is the public IP of the t1n1wall):
```
nc X.X.X.X 5270
```

In the t1n1wall log, note the destination port:
```
Aug  1 02:57:32 <local0.info> stargate pfmon[86]: 02:57:31.881624 em0 @50 pass X.X.X.X,13376 -> 192.168.0.2,5269 PR tcp len 20 40 -S in match
```

On the external client, send some data:
```
nc X.X.X.X 5270
Test
```

The data is received on the netcat process listening on port 5269:
```
# nc -l 5270
```
```
# nc -l 5269
Test
```
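
The netcat test above, extended to cover every port in a forwarded range. This is an added example, not part of the original post or the t1n1wall project; the function names and the `listen`/`check` command-line modes are assumptions made for illustration. Each listener on the internal host answers with its own port number, so a probe from outside shows which internal port the NAT rule actually delivered the connection to.

```python
import socket
import sys
import threading

def start_banner_listener(port=0, host="0.0.0.0"):
    """Listen on host:port; answer each connection with the listener's own port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    real_port = srv.getsockname()[1]
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener socket was closed
                return
            with conn:
                conn.sendall(f"{real_port}\n".encode())
    threading.Thread(target=serve, daemon=True).start()
    return srv, real_port

def probe(host, port, timeout=3.0):
    """Return the port number reported by whichever listener answered, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(16).decode("ascii", "replace").strip()
    except OSError:              # refused, filtered or timed out
        return None
    return int(banner) if banner.isdigit() else None

def check_range(host, ext_first, ext_last, local_first, probe_fn=probe):
    """List (external, expected, answered) for every port not mapped first+offset."""
    bad = []
    for ext in range(ext_first, ext_last + 1):
        expected = local_first + (ext - ext_first)
        answered = probe_fn(host, ext)
        if answered != expected:
            bad.append((ext, expected, answered))
    return bad

if __name__ == "__main__":
    if sys.argv[1] == "listen":  # on the internal host: listen FIRST LAST
        socks = [start_banner_listener(p) for p in range(int(sys.argv[2]), int(sys.argv[3]) + 1)]
        threading.Event().wait() # keep serving until interrupted
    else:                        # from outside: check HOST EXT_FIRST EXT_LAST LOCAL_FIRST
        host, nums = sys.argv[2], [int(a) for a in sys.argv[3:6]]
        for ext, expected, answered in check_range(host, *nums):
            print(f"port {ext}: expected listener {expected}, got {answered}")
```

With the behavior described in the post, checking external ports 5269 to 5271 against local port 5269 would report 5270 and 5271 as answered by the 5269 listener; an empty result means every port in the range maps to its matching internal port.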
Title: Re: NAT Port Forwarding Ranges Not Working Correctly
Post by: tuaris on August 01, 2019, 08:11:18 AM
I just tested it on a different device that is on 2.11.1b167 and it's the same behavior.
Title: Re: NAT Port Forwarding Ranges Not Working Correctly
Post by: andywhite on August 10, 2019, 01:47:35 PM
Please try r168
Title: Re: NAT Port Forwarding Ranges Not Working Correctly
Post by: tuaris on September 09, 2019, 03:12:38 AM
Trying to upgrade to r176 and I'm getting "No image file has been uploaded.".  Tried it on two 156 i386 systems and one 167 amd64 system, all three have the same problem.
Title: Re: NAT Port Forwarding Ranges Not Working Correctly
Post by: tuaris on September 09, 2019, 03:45:54 AM
I manually re-flashed one of the devices and it appears that r176 solved the issue.
Title: Re: NAT Port Forwarding Ranges Not Working Correctly
Post by: andywhite on September 18, 2019, 10:38:55 AM
t1n1wall is getting less tiny, due to changes in 11.3, snmpd version etc. I need to take a look at the flashing process as it's probably erroring (with bad messaging) because images are bigger.