I already have a host network definition set up for my domain. It's IPv4 setting points to the webserver's local IP address and it's sub domains are listed in the DNS settings of the definition. I have a DNAT and a firewall rule to allow HTTP/HTTPS Internet traffic in. This works just fine.
I just added, to the same server/domain, a small server applet that is used to route remote desktop traffic. This applet is equivalent to what TeamViewer's routing servers do. It allows you to connect to local and remote computers without the need of adding firewall rules or port forwards on the remote side. Below are the traffic flows that are handled by this applet:
- Remote workstation -> Internet -> UTM -> local server applet -> local workstation
- Remote workstation -> Internet -> UTM -> local server applet -> UTM -> Internet -> different remote workstation
- local workstation -> local server applet -> UTM -> Internet -> remote workstation
- local workstation -> local server applet -> different local workstation
What I originally did was add a service definition for the port I need opened on my UTM and added that service to my current DNAT that handles HTTP/HTTPS Internet traffic to the webserver. It is as follows:
...
Traffic from: Any
Using service: HTTP/HTTPS and port for the server applet
Going to: External WAN address
Change destination to: Host definition of local server with DNS for public sub domains pointing to the server's local IP.
And the service to: blank
...
That did not work for remote to local. When I checked the firewall log, it showed the traffic was being dropped. It showed the public IP of the remote and the local IP of the server. I don't know if local to remote worked. Local to local worked.
I removed the remote desktop service from the DNAT and added the following Full NAT and it works but I'm not following the logic, I don't know if this is safe and if this is the most efficient way:
...
Rule Type: Full NAT
For traffic from: Internet IPv4
Using service: My remote desktop service/port
Going to: External WAN Address
Change destination to: Host definition of local server with DNS for public sub domains pointing to the server's local IP.
And the service to: Blank
Change the source to: Internal address of UTM
And the service to: Blank
...
Of course I had to add a firewall rule. It is:
Any -> Remote desktop service/port -> Host definition of local server with DNS for public sub domains pointing to the server's local IP.
Both the viewer and host exe's of the remote desktop software point to www.mysite.com with the port specified in my network service definition. This is true for local and remote installations.
My question: Is this Full NAT safe and is this the most efficient way? To me, it looks just like the DNAT that did not work???
======================================
[SIZE=5]UPDATE:[/SIZE]
I removed the Full NAT and changed my original DNAT from:
...
Traffic from: Any
Using service: HTTP/HTTPS and port for the server applet
Going to: External WAN address
Change destination to: Host definition of local server with DNS for public sub domains pointing to the server's local IP.
And the service to: blank
...
To:
...
Traffic from: Internet IPv4
Using service: HTTP/HTTPS and port for the server applet
Going to: External WAN address
Change destination to: Host definition of local server with DNS for public sub domains pointing to the server's local IP.
And the service to: blank
...
Now it works without the Full NAT!
Can someone please explain to me why everyone recommends setting 'Traffic from' to "Any" for DNATs? It never made sense to me since the DNAT is basically port forwarding for traffic from the Internet.
This thread was automatically locked due to age.
