Topic: NAT Port Forwarding Ranges Not Working Correctly

tuaris

« on: August 01, 2019, 08:05:02 AM »
Looks like (at least on build 156) when setting up a Firewall: NAT forwarding rule using a range of ports, only the first port is used as the destination. 

For example I want to create a new rule to forward ports 5269 to 5271 to the internal client 192.168.0.2

- In the "External port range" field I put in 5269 in the first box and 5271 in the second.
- In the "NAT IP" field I put 192.168.0.2
- In the "Local port" field I enter 5269.
- I click save and the corresponding Firewall rules to allow the traffic on this port range are created correctly.

The expected result is that the end port will be calculated automatically so any traffic going to port 5270 will be redirected to 192.168.0.2:5270
The actual result is traffic destined for port 5270 is being redirected to 192.168.0.2:5269

This can be demonstrated with netcat

On: 192.168.0.2 start up two netcat processes
```
# nc -l 5270
```
```
# nc -l 5269
```

On an external client make the connection (X.X.X.X is the public IP of the t1n1wall):
```
nc X.X.X.X 5270
```

In the t1n1wall log, note the destination port
```
Aug  1 02:57:32 <local0.info> stargate pfmon[86]: 02:57:31.881624 em0 @50 pass X.X.X.X,13376 -> 192.168.0.2,5269 PR tcp len 20 40 -S in match
```

On the external client, send some data
```
nc X.X.X.X 5270
Test
```

The data is received on the netcat process listening on port 5269:
```
# nc -l 5270
```
```
# nc -l 5269
Test
```
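
The check below is an added example, not part of the original post or of t1n1wall: it takes the forwarding rule described above and a list of probes (the external port connected to, plus the pfmon line logged for that connection) and reports every probe whose translated destination differs from the offset-preserving mapping the poster expected. The rule dictionary, the function names, and all log lines except the quoted 5270 one are constructed for illustration.

```python
import re

# Matches the pfmon line format quoted in the post:
#   "... em0 @50 pass SRC,SPORT -> DST,DPORT PR tcp ..."
LOG_RE = re.compile(
    r"\s(?P<action>pass|block)\s+(?P<src>\S+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)

def expected_target(rule, ext_port):
    """Mapping the post expects: keep the offset within the external range."""
    first, last = rule["ext_range"]
    if not first <= ext_port <= last:
        raise ValueError(f"port {ext_port} is outside {first}-{last}")
    return rule["nat_ip"], rule["local_port"] + (ext_port - first)

def parse_translated_dst(line):
    """Return (ip, port) after NAT from one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return (m["dst"], int(m["dport"])) if m else None

def check_probes(rule, probes):
    """probes: (external port connected to, log line seen for that connection).
    Returns one (ext_port, expected, observed) tuple per misdirected probe."""
    findings = []
    for ext_port, line in probes:
        want = expected_target(rule, ext_port)
        got = parse_translated_dst(line)  # None means the line did not parse
        if got != want:
            findings.append((ext_port, want, got))
    return findings

# Rule from the post: external 5269-5271 -> 192.168.0.2, local port 5269.
RULE = {"ext_range": (5269, 5271), "nat_ip": "192.168.0.2", "local_port": 5269}

# The 5270 line is the one quoted in the post. The other two are constructed in
# the same format to mirror the reported behaviour (203.0.113.10 is a placeholder).
PROBES = [
    (5269, "Aug  1 02:57:10 <local0.info> stargate pfmon[86]: 02:57:09.100000 em0 @50 "
           "pass 203.0.113.10,13370 -> 192.168.0.2,5269 PR tcp len 20 40 -S in match"),
    (5270, "Aug  1 02:57:32 <local0.info> stargate pfmon[86]: 02:57:31.881624 em0 @50 "
           "pass X.X.X.X,13376 -> 192.168.0.2,5269 PR tcp len 20 40 -S in match"),
    (5271, "Aug  1 02:57:50 <local0.info> stargate pfmon[86]: 02:57:49.500000 em0 @50 "
           "pass 203.0.113.10,13380 -> 192.168.0.2,5269 PR tcp len 20 40 -S in match"),
]

if __name__ == "__main__":
    for ext_port, want, got in check_probes(RULE, PROBES):
        print(f"external port {ext_port}: expected {want}, log shows {got}")
```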

tuaris

« Reply #1 on: August 01, 2019, 08:11:18 AM »
I just tested it on a different device that is on 2.11.1b167 and it's the same behavior.

andywhite

« Reply #2 on: August 10, 2019, 01:47:35 PM »
Please try r168

tuaris

« Reply #3 on: September 09, 2019, 03:12:38 AM »
Trying to upgrade to r176 and I'm getting "No image file has been uploaded.".  Tried it on two 156 i386 systems and one 167 amd64 system, all three have the same problem.

tuaris

« Reply #4 on: September 09, 2019, 03:45:54 AM »
I manually re-flashed one of the devices and it appears that r176 solved the issue.

andywhite

« Reply #5 on: September 18, 2019, 10:38:55 AM »
t1n1wall is getting less tiny, due to changes in 11.3, snmpd version etc. I need to take a look at the flashing process as it's probably erroring (with bad messaging) because images are bigger.