
IP blocked port forwarding ?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Baskerville, Jan 31, 2007.

  1. Baskerville

    Baskerville Network Guru Member

    We are using an RV082.

    Is it possible to allow port forwarding for one fixed external IP to a server on our network ? When we enable port forwarding all external clients are able to access the server port. We tried adding firewall access rules but that did not make any difference. It seems like port forwarding has preference over access rules ?

    Any suggestions how to fix this so we can only have 1 fixed ip accessing our server at a specific port ?
     
  2. d__l

    d__l Network Guru Member

    The port forwarding rule apparently trumps the access rules.

    Did you try an access rule for the specific IP to the server port and no port forward rule for that port?
     
  3. Baskerville

    Baskerville Network Guru Member

    As we only have 1 public IP (assigned to the RV082) the server is on an internal IP (192.168.123.200) so it is basically unreachable from outside without port forwarding... Even if the access rules allow the port on 192.168.123.200, the RV082 will never know to forward traffic to 192.168.123.200 without the port forwarding setup...
     
  4. pablito

    pablito Network Guru Member

    Instead of port forwarding you should put the rules in the UPnP section. Leave UPnP itself turned off. This functions just like port forwarding except that your firewall rules will apply. Works a treat.
     
  5. Baskerville

    Baskerville Network Guru Member

    I will try this out immediately . I hope it works. Thanks for the advice!
     
  6. Baskerville

    Baskerville Network Guru Member

    I just tested and although the UPnP forwarding is working properly, the firewall access rules do not apply although the firewall is enabled :-(

    I am using firmware 1.3.2 because that one has been the most reliable to me... I do not know if there is a known access rules/upnp problem with that version ?

    In the log file I did notice this listing though:

    Feb 2 08:09:05 2007 Failed to add rule File exists
    Feb 2 08:09:05 2007 Failed nat control SIOCADNAT - File exists
    Feb 2 08:09:09 2007 Failed to add rule File exists
    Feb 2 08:09:09 2007 Failed nat control SIOCADNAT - File exists

    Thanks for any suggestions...
     
  7. pablito

    pablito Network Guru Member

    Make sure that you don't still have a rule in port forwarding. If you remove all the PF rules and put them in UPnP it is a bit easier to maintain. After your Allow rule follow it with a Deny All rule. And give it a reboot. Then perhaps try a new firmware.

    The allow rule is something like:
    Rule,Service,WAN,Source,Destination(Internal server)

    Allow,SSH,WAN2,24.1.2.3,192.168.1.2
    Deny,SSH,WAN2,Any,Any
    Deny,SSH,WAN1,Any,Any
     
  8. Baskerville

    Baskerville Network Guru Member

    I have removed port forwarding immediately (since I only had 1 port forwarding rule I wanted to move to UPnP).

    I am not sure whether I understand you correctly regarding the firewall access deny rule. I thought the default "Deny All Traffic [0] WAN1 Any Any Always" was already taking care of denial for other IPs.

    Should the allow rule be priority #1 and deny rule be priority #2 or vice versa ?

    Currently I have this:

    Allow Service[Port] WAN1
    Deny Service[Port] WAN1
    Allow All Traffic [0] LAN
    Deny All Traffic [0] WAN1
    Deny All Traffic [0] WAN2

    Does that seem correct to you ?
     
  9. pablito

    pablito Network Guru Member

    That's basically it. The reason that you need a specific Deny rule is because an Allow All rule is silently autogen added when you add a port forwarding or UPnP rule. The difference is where that autogen rule is inserted. UPnP rules allow you to override it in the firewall.

    What you will have with a UPnP based ruleset:

    Allow Service[Port] WAN1 (specify source/dest IPs)
    Deny Service[Port] WAN1 All All
    Deny Service[Port] WAN2 All All
    [auto gen rule] Allow Service[Port] WAN1 All
    [auto gen rule] Allow Service[Port] WAN2 All
    Allow All Traffic [0] LAN
    Deny All Traffic [0] WAN1
    Deny All Traffic [0] WAN2


    The reason that a port forward ruleset won't filter is because you get:

    [auto gen rule] Allow Service[Port] WAN1 All
    [auto gen rule] Allow Service[Port] WAN2 All
    Allow Service[Port] WAN1
    Deny Service[Port] WAN1 All All
    Allow All Traffic [0] LAN
    Deny All Traffic [0] WAN1
    Deny All Traffic [0] WAN2
     
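An added example, not part of pablito's posts and not code from the RV082 firmware: a small first-match simulator that takes the rule tables from posts 7 and 9 above and shows why the same Allow/Deny pair restricts the forwarded port when the router's auto-generated Allow is inserted after it (UPnP table) but not when it is inserted before it (port-forwarding table). It assumes the router evaluates access rules top-down and stops at the first match, with a default deny. The server address 192.168.123.200 and the trusted source 24.1.2.3 come from the thread; 203.0.113.9 is a constructed "anyone else" address. The shadow check at the end flags rules that an earlier, broader rule makes unreachable, which is exactly the symptom Baskerville hit.

```python
"""First-match evaluation of RV082-style access rules (added example,
not the router's code). Models the rule orderings pablito describes."""
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    action: str            # "Allow" or "Deny"
    service: str           # service/port name, or ANY ("All Traffic [0]")
    iface: str             # "WAN1", "WAN2" or "LAN"
    src: str               # source IP or ANY
    dst: str               # destination IP or ANY
    autogen: bool = False  # True for the rule the router inserts itself


@dataclass(frozen=True)
class Packet:
    service: str
    iface: str
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field is either ANY or equal to the packet's."""
    return (rule.service in (ANY, pkt.service) and rule.iface == pkt.iface
            and rule.src in (ANY, pkt.src) and rule.dst in (ANY, pkt.dst))


def evaluate(rules: list, pkt: Packet) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "Deny"


def subsumes(earlier: Rule, later: Rule) -> bool:
    """True when everything `later` could match is already caught by `earlier`."""
    return (earlier.iface == later.iface
            and earlier.service in (ANY, later.service)
            and earlier.src in (ANY, later.src)
            and earlier.dst in (ANY, later.dst))


def shadowed(rules: list) -> set:
    """Indices of rules that can never fire because an earlier rule subsumes them."""
    return {i for i, r in enumerate(rules)
            if any(subsumes(rules[j], r) for j in range(i))}


# Addresses: server and trusted source from the thread, the other one constructed.
SERVER, TRUSTED, OTHER, SVC = "192.168.123.200", "24.1.2.3", "203.0.113.9", "SSH"


def upnp_ruleset() -> list:
    """Post 9: UPnP forwarding, autogen Allow lands after the admin's Deny."""
    return [
        Rule("Allow", SVC, "WAN1", TRUSTED, SERVER),
        Rule("Deny", SVC, "WAN1", ANY, ANY),
        Rule("Deny", SVC, "WAN2", ANY, ANY),
        Rule("Allow", SVC, "WAN1", ANY, ANY, autogen=True),
        Rule("Allow", SVC, "WAN2", ANY, ANY, autogen=True),
        Rule("Allow", ANY, "LAN", ANY, ANY),
        Rule("Deny", ANY, "WAN1", ANY, ANY),
        Rule("Deny", ANY, "WAN2", ANY, ANY),
    ]


def port_forward_ruleset() -> list:
    """Post 9: classic port forwarding, autogen Allow lands first."""
    return [
        Rule("Allow", SVC, "WAN1", ANY, ANY, autogen=True),
        Rule("Allow", SVC, "WAN2", ANY, ANY, autogen=True),
        Rule("Allow", SVC, "WAN1", TRUSTED, SERVER),
        Rule("Deny", SVC, "WAN1", ANY, ANY),
        Rule("Allow", ANY, "LAN", ANY, ANY),
        Rule("Deny", ANY, "WAN1", ANY, ANY),
        Rule("Deny", ANY, "WAN2", ANY, ANY),
    ]


TRUSTED_PKT = Packet(SVC, "WAN1", TRUSTED, SERVER)
UNTRUSTED_PKT = Packet(SVC, "WAN1", OTHER, SERVER)
OTHER_PORT_PKT = Packet("HTTP", "WAN1", OTHER, SERVER)

if __name__ == "__main__":
    for name, rules in (("UPnP", upnp_ruleset()), ("PortFwd", port_forward_ruleset())):
        print(name, "trusted:", evaluate(rules, TRUSTED_PKT),
              "untrusted:", evaluate(rules, UNTRUSTED_PKT),
              "shadowed rule indices:", sorted(shadowed(rules)))
```

Running it prints that the UPnP ordering allows only the trusted source while the port-forwarding ordering allows both, and the shadow check reports indices 2 and 3 (the admin's own Allow and Deny) as dead in the port-forwarding table, versus only the two autogen rules in the UPnP table.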
  10. Baskerville

    Baskerville Network Guru Member

    Pablito, you are the man! Finally everything is working as it is supposed to! Thank you very much for your help and detailed information!

    I also have a different problem I have not been able to fix for a while. Some of our devices (server/printers) receive a fixed IP address from the built in RV082 DHCP server through MAC based address control (IP number based on MAC address). The problem is that the DHCP server will internally insert the name "static-host" in its IP tables so I am not able to use the built-in DNS server for name resolution of these static clients (only when 1 fixed IP device is turned on it is reachable through "static-host" by the DNS server). Would you know any solution to have the RV082 insert the host name as indicated in the MAC IP table setup instead of "static-host" ?

    Best regards
     
  11. pablito

    pablito Network Guru Member

    Well you're welcome!

    The DHCP thing is a bit broken I think. I've seen the "static-host" entry in the past but since I'm using an internal DNS it wasn't a problem for me. You might try a search since that topic has come up I'm sure. It might have been fixed in the latest beta version. I haven't seen anything important broken in the beta so it shouldn't hurt to try it.
     
  12. Baskerville

    Baskerville Network Guru Member

    Well I brought it up before but few people seem to have problems with it. I bugged Linksys support and they acknowledged the problem but don't really care much.

    Anyway I am already happy I've got the access rules for port forwarding to work so I can live with this problem ;-) If there would be a fix the RV082 would do everything I expect from it...
     
