
DNAT Setup not working

Hi,

I have installed the latest XG 17.03 MR-3 as a NAT setup. I have Port1 for LAN (static) and Port2 for WAN (static). Routing from WAN is like this: WAN -> ISP Router -> XG -> Clients. I want to use DNAT, e.g. for SSH, to rewrite from port 2222 to 22. I read the DNAT how-to and set it up like this. It worked one time, but not any more since then. The firewall rule looks like this:

  • Source = WAN
  • Allowed Networks = Any
  • Blocking = empty
  • Destination = Server-IP (Client LAN)
  • Service = I created a new one for Port 2222
  • Route to = Server-IP (Client LAN)
  • Port = 22
  • Zone = LAN
  • Change Port = unchecked
  • Default for advanced options, no masqu, no reflex rule
  • Firewall Logging = checked

I can't see any hint of problems in the logs. Any help?

thx



This thread was automatically locked due to age.
  • Hi,

    no screenshot, but the configuration is at the top and the network looks like this:

    • Port1
    • LAN
    • Physical
    • Connected
    • Auto-negotiated
    • 192.168.0.4/255.255.255.0
    • Static

    • Port2
    • WAN
    • Physical
    • Connected
    • Auto-negotiated
    • 192.168.1.3/255.255.255.0
    • DHCP

    hope that helps.

  • Hello Maik,

     

    In my eyes there are two wrong settings:

    As "Destination" you must define the external WAN IP of the XG, which will be contacted from the client outside.

    The second thing you must change is the port mapping: check "Change Destination Port(s)": 2222 to 22. This changes the destination port from 2222 to 22.

    To me it should look like this:

    Source = WAN
    Allowed Networks = Any
    Blocking = empty
    Destination = WAN interface of the XG, which is contacted from the client outside
    Service = I created a new one for Port 2222
    Forward to = Under "Protected Server" use the Server-IP (Client LAN)
    Mapped Port = 2222 to 22 (check the flag "Change Destination Port(s)")
    Protected Zone = LAN
    Change Port = checked
    Default for advanced options, no masqu, no reflex rule
    Firewall Logging = checked

    GOOD LUCK!

     

    Mario

  • Hello Maik,

    This changes things a little bit.

    You don't have a public IP on your WAN interface; instead you have a transfer net between the ISP router and the XG.

    Therefore a port forwarding rule must exist on the ISP router, which forwards the traffic from the ISP router to the XG.
    In your case you need a port forwarding rule on the ISP router which forwards all traffic for isp-router-wan-ip:2222 to xg-port2-ip:2222.

    And make sure that the ISP router doesn't use IPv6 (e.g. with DS-Lite) for its connection to the internet. In this case I think (but I'm not sure) you don't have the possibility to connect to your XG via a public IP from outside.

     

    Mario  

  • Hi Mark,

    As you have an ISP router in place, your XG firewall does not have a public IP (unless you have bridged the ISP router).

    Configuration on ISP router

    Create a Virtual host/DNAT rule for port Source as 1:65535 or * and destination as 2222 mapped to port 22222 to XG firewall WAN interface.

    Configuration on XG

    Create a DNAT rule, Services 2222

    Forward to the IP address of the system you would like to SSH to; the mapped port would be 22.

    Apply NAT MASQ and SAVE.
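
Added example, not part of any post in this thread: a small Python probe for locating which hop of the forwarding chain described above (ISP router :2222 -> XG Port2 :2222 -> server :22) stops passing SSH. 192.168.1.3 is the XG Port2 address from the thread; the ISP router WAN address, the server address and the function names are constructed assumptions.

```python
import socket

# Hops of the forward chain from the thread, outermost first.
# 192.168.1.3 is the XG Port2 address given in the thread; the other
# two addresses are constructed placeholders (assumptions).
CHAIN = [
    ("ISP router WAN:2222 (probe from the internet)", "203.0.113.10", 2222),
    ("XG Port2:2222 (probe from the transfer net)", "192.168.1.3", 2222),
    ("SSH server:22 (probe from the LAN)", "192.168.0.50", 22),
]

def probe_ssh(host, port, timeout=3.0):
    """Connect once and classify the hop: ssh / open / refused / timeout / error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(255).decode("ascii", "replace").strip()
            except socket.timeout:
                return "open", "connected, but no banner received"
    except ConnectionRefusedError:
        return "refused", "RST received: nothing listening or a rule rejects"
    except socket.timeout:
        return "timeout", "no answer: packet dropped or not forwarded"
    except OSError as exc:
        return "error", str(exc)
    if banner.startswith("SSH-"):
        return "ssh", banner
    return "open", banner or "peer closed without sending a banner"

def first_broken_hop(results):
    """results: [(label, state)] outermost first. Walk from the server
    outwards and return the first hop that does not answer with an SSH
    banner, i.e. the device whose rule to inspect first (None if all pass)."""
    for label, state in reversed(results):
        if state != "ssh":
            return label
    return None

if __name__ == "__main__":
    import sys
    # Optional arguments select hops by index, e.g. "1 2" from inside.
    picked = [CHAIN[int(a)] for a in sys.argv[1:]] or CHAIN
    results = []
    for label, host, port in picked:
        state, detail = probe_ssh(host, port)
        results.append((label, state))
        print(f"{state:8} {label}: {detail}")
    print("look first at:", first_broken_hop(results))
```

A result only means something when the probe is sent from the side named in the hop label, because the DNAT rule in the thread matches on source zone WAN.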

     

     

  • Hi to all,

    and sorry for my late reply, but I was very busy. I now have time to reinvestigate this problem and, what should I say, it works. I have changed nothing and the DNAT works. I think it was the underlying virtualisation, which got an update a few days ago.

    solved