NAT / Masquerading Bug?

Hi there,
On testing your new Beta Version 3.041
we discovered, that when translating a NAT rule with "any" service, then no ports are available. If we specify e.g. "HTTP" service, we can reach the host on the HTTP port.

[:O]
We think it's a bug , as with the service set to "any" it should let pass traffic to all ports.

Overall we congratulate you for this new version, especially the ip-traffic features are gorcious!

kind regards

Connection from the Internet to a Webserver in the DMZ.

DNAT Torino-in
-----------------
Any -> torino-masq / HTTP None torino

torino-masq = external adress
torino = internal adress (192.168.2.64)
HTTP = Service
with HTTP it works !!
with ANY not !!

[ 15 April 2002: Message edited by: McPool ]

Parents

0 Chris_W over 23 years ago

hey,
thank you for that hint,
i was still wondering why i can't get it to work ...
from internal to outside it works fine, but i had the same problem to get inside with pop3, http, ftp ....

does it mean, i have to set up a NAT rule for each service separately?

maybe it works with a definition of a service-group. i'll try this soon.

kind regards, Christian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Chris_W over 23 years ago

hey,
thank you for that hint,
i was still wondering why i can't get it to work ...
from internal to outside it works fine, but i had the same problem to get inside with pop3, http, ftp ....

does it mean, i have to set up a NAT rule for each service separately?

maybe it works with a definition of a service-group. i'll try this soon.

kind regards, Christian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 McPool over 23 years ago in reply to Chris_W

Hi Chris,

>does it mean, i have to set up a NAT rule for each service separately?

Yes it does, and it's a lot of typing [:(]

>maybe it works with a definition of a service group.

that's a good hint, thanks
regards
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Chris_W over 23 years ago in reply to McPool

just didn't see the service groups in the field there ... :-(
so it looks like
- set up snat-rules for outgoing services any/any works fine.
- set up dnat-rules for incoming services for each service and each machine separately
this way you can send different services to different local machines, but i thought any meens any ....
- set up a packet filter rule to allow the packets to pass - here we can use network-groups at least... (for all 6 directions )

then it really should work ...

have a nice weekend, Christian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Otter over 23 years ago in reply to Chris_W

I've been beating my head trying to get this to work and have been unsuccessful until this thread.

I have just reworked my DNAT rules to specify each service (multiple definition per NAT) and it FINALLY is working.

Unfortunately the Service Group definitions aren't selectable from the Service drop down -- that would have eliminated a ton of extra typing for me...

Hopefully, this will be fixed in subsequent releases... (hint hint!)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Chris_W over 23 years ago in reply to Otter

yeah, mcpool had a really good idea ;-)
thank you,
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel