7800DX 1-1 NAT and Firewall not working
Posted: Wed Jul 29, 2015 7:22 pm
by oakworthy
I have a 7800DX running the latest 2.32e firmware. I have used one-to-one NAT to point one of my company's external IPv4 addresses (111.222.333.444) to a web server running on an internal address (192.168.1.xxx).
If I don't create any firewall rules, then no one outside my office can see the web server. This is what I'd expect.
But as soon as I create a firewall rule that mentions either 111.222.333.444 or 192.168.1.xxx, the outside world can see all of the open ports on my web server (ftp, ssh, http). Even if I only specify port 80.
How can I use the firewall to control selected ports on an address that has been 1-1 NATted?
Should I be using the Virtual Servers feature on the router instead of one-to-one NAT?
Ta, Robert
Re: 7800DX 1-1 NAT and Firewall not working
Posted: Thu Jul 30, 2015 12:48 pm
by billion_fan
oakworthy wrote: I have a 7800DX running the latest 2.32e firmware. I have used one-to-one NAT to point one of my company's external IPv4 addresses (111.222.333.444) to a web server running on an internal address (192.168.1.xxx).
If I don't create any firewall rules, then no one outside my office can see the web server. This is what I'd expect.
But as soon as I create a firewall rule that mentions either 111.222.333.444 or 192.168.1.xxx, the outside world can see all of the open ports on my web server (ftp, ssh, http). Even if I only specify port 80.
How can I use the firewall to control selected ports on an address that has been 1-1 NATted?
Should I be using the Virtual Servers feature on the router instead of one-to-one NAT?
Ta, Robert
Try setting up the rules within the outgoing filter: one rule to block everything and a second to allow traffic (the drop rule has to be below the forward rule). Example attached. For the forward rule you can leave the destination address blank, meaning any WAN IP can access port 443 (used for this example).
Re: 7800DX 1-1 NAT and Firewall not working
Posted: Thu Jul 30, 2015 10:20 pm
by oakworthy
Thanks for this. I tried it, opening only port 80. According to a remote nmap service I just tried, there is now only 1 open port on my server. However, it's 21 rather than 80!!!
Think I'll do a factory reset and start again, and see what happens. If it still plays silly games, I'll post a screen shot here.
Incidentally, I have a BT FTTC modem further up the chain, if that makes any difference. The Billion is being a router but not a modem.
Robert
Re: 7800DX 1-1 NAT and Firewall not working
Posted: Fri Jul 31, 2015 9:15 am
by billion_fan
oakworthy wrote: Thanks for this. I tried it, opening only port 80. According to a remote nmap service I just tried, there is now only 1 open port on my server. However, it's 21 rather than 80!!!
Think I'll do a factory reset and start again, and see what happens. If it still plays silly games, I'll post a screen shot here.
Incidentally, I have a BT FTTC modem further up the chain, if that makes any difference. The Billion is being a router but not a modem.
Robert
That shouldn't really matter (the Openreach modem); just use the outgoing filter to block all ports, then set up a forward rule for the ports that are required and you should be fine.
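A small model of the first-match filter evaluation billion_fan describes (forward rule for the wanted port above a drop-all rule), added here as an illustration; it is not code from the Billion firmware or from anyone in the thread. The LAN address 192.168.1.10, the default-drop policy when no rule matches, and the rule fields are assumptions made for the model.

```python
"""Model of first-match outgoing-filter evaluation, as the thread describes it."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "forward" (allow) or "drop"
    dst_ip: Optional[str] = None     # None = any address (left blank in the GUI)
    dst_port: Optional[int] = None   # None = any port
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed address: the LAN host behind the 1-1 NAT mapping.
WEB_SERVER = "192.168.1.10"


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and (rule.dst_ip is None or rule.dst_ip == pkt.dst_ip)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def verdict(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; `default` applies if nothing matches (assumed)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def exposed_ports(rules: List[Rule], host: str, ports: List[int]) -> List[int]:
    """Which of `ports` on `host` a WAN client could reach under these rules."""
    return [p for p in ports if verdict(rules, Packet(host, p)) == "forward"]


# Order recommended in the thread: allow the wanted port, then drop everything.
RECOMMENDED = [Rule("forward", WEB_SERVER, 80), Rule("drop")]
# Same two rules with the drop rule placed above the forward rule.
MISORDERED = [Rule("drop"), Rule("forward", WEB_SERVER, 80)]

SERVICES = [21, 22, 80]  # ftp, ssh, http listening on the server

if __name__ == "__main__":
    print("recommended:", exposed_ports(RECOMMENDED, WEB_SERVER, SERVICES))  # [80]
    print("misordered: ", exposed_ports(MISORDERED, WEB_SERVER, SERVICES))   # []
```

With the drop rule above the forward rule, the model shows nothing on the server reachable at all, which is why the ordering matters.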