This is interesting.
I was walking my buddy through a brand new Astaro install when we got to his DNAT setup. I had him do for his services what I do for mine, but it wouldn't let the traffic in.
The way I do mine is to DNAT from the external interface to the address of the listening box - with NO CHANGE of the source IP or the service. This has always worked for me (and still is at this very moment in fact).
The thing is, it wouldn't work for him. The only way he could get his traffic inside was for us to change the source in the DNAT rule to the internal interface of his firewall. This is even with an any->any rule in the packet filter.
Why would I be able to go straight from the outside to my internal host while he absolutely MUST change his source to the internal interface of his firewall?
Any ideas?