Port Forwarding on Dual-WAN RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by gavinostlund, Jan 8, 2007.

  1. gavinostlund

    gavinostlund LI Guru Member

    So, I have an RV042 (firmware: official, with cable modem on WAN1, DSL modem on WAN2, set up in load balance and have shaped the traffic a bit with protocol binding; essentially things are "good" and all works well, but I'm having an issue with forwarding ports...

    We recently added the second WAN and upgraded the firmware (it was still on the original garbage) and after that was done, things worked great, we already had some port forwarding that was setup, like for mail to our primary mail server, DNS and a couple others, and it all still worked...

    So, anyone having used this knows the router has "Forwarding" and you tell it what services are to go to what IP inside your lan, and that works great... but as we've added the second connection, I need to be able to forward the ports accessed on that IP to another IP inside the lan as we have a secondary mail server. It currently forwards the ports to the same internal server regardless of the WAN address the port is accessed on, meaning it treats WAN1IP:port and WAN2IP:port the same and forwards both connections to LANdestIP:port, thankfully the responses go back out through the correct WAN interface regardless of where protocol binding is set for that LAN ip...

    Now, I am already using the One-to-One NAT for another application, but it is forwarding to a Linux box, so I'm not concerned about it being 100% exposed to the internet, whereas the secondary mail server is another Windows 2003 Server, and I don't want to just sit that thing open on the 'net... I currently am attempting to use another One-to-One NAT pointing to another Linux box to act as a firewall of sorts for the secondary mail server, but the problem I'm running into of course is that now I have a double NAT, and it's not working... Any alternatives to this, or suggestions for solving this problem would be excellent...

    In my head, I imagine that there MUST be a way to have the router do its port forwarding bound to specific IPs, as if this were any basic Linux box, it would be a simple matter of being more specific in the iptables rules, but I don't know enough about the internals of the RV042 yet, so I'm hoping anyone here might be able to help.
  2. pablito

    pablito Network Guru Member

    I agree that port forwarding should allow you to specify which inbound IP to apply it to. But since it doesn't you can't do two forwards for the same port. The forward applies to both WANs and in your case only the first one is having any effect.

    Off the top of my head I would suggest using One-One NAT. If you create a series of firewall rules you won't have to worry about exposing the Win server. Put a rule to allow the desired port and then rules to deny everything else. That effectively creates a port forward. Initially, 1-1 creates hidden allow all rules but you can override them with your own.

    FYI, the UPnP rules (with the UPnP turned off) are almost the same as port forward except you can create firewall rules that won't apply if using port forward. Port forward creates rules that allow everyone to that port.
  3. gavinostlund

    gavinostlund LI Guru Member

    I understand how the 1-1 works, I'm already using it for two machines, but I can't just firewall off the ports as I still need to be able to have other machines on the lan be able to access it... I'll look into the UPnP more, but I don't think that'll work the way I need it to either.
  4. d__l

    d__l Network Guru Member

    If the secondary server has a public IP, can't you set up an access rule for WAN2 to allow traffic on that port from any source IP through the firewall to the IP of the mail server? Also you might have to set up a rule to allow that port's traffic to it for IPs from your LAN too.

    Then again, maybe I'm just not understanding your problem.
  5. gavinostlund

    gavinostlund LI Guru Member

    It doesn't have a public IP though, that's part of the issue, the RV042 is aliasing the public IP and then passing the NAT'd packets back to the other server...
  6. d__l

    d__l Network Guru Member

    OK then I take it that the access to the primary and secondary servers must be through the same standardized port/protocol and that both mail servers are on private IPs and you only have the two public IPs.

    So if that is so, can you not set up three access rules? Mail access through WAN1:port from any source IP accesses private IP primary server, mail access through WAN2:port from any source IP accesses private IP secondary server, and mail access through LAN:port accesses private IP whichever server.
  7. pablito

    pablito Network Guru Member

    ok. then you know that 1-1 can be set up so that the internal IP isn't exposed to anything more than the desired service while avoiding any blocking of the other machines as needed. If you had enough pub IPs I'd go that route.

    If we're talking about something like SMTP then why not have your linux server (that's the other SMTP server?) deliver that mail to the win box? If the email has a way to distinguish one from the other (domain etc) then you can have a single SMTP exposed and do the other server from there.
  8. gavinostlund

    gavinostlund LI Guru Member

    Are we talking about the same 1-1 screen? I don't see any options for services there, just start and end IPs for internal and external ranges and length of the range...

    We have several public IPs, but I'm having trouble getting the 1-1 NAT to work properly... I'll try and draw a diagram here...

    ISP1 ----- RV042 ----- ISP2
     IP1.1 --/   |   \-- IP2.1
     IP1.2 -/    |    \- IP2.2
     SRVR1 ----/ | \---- SRVR2
                 |     /
               SRVR3 -/
    ISP1 = Cable Modem
    ISP2 = DSL Modem
    IP1.1 = IP1 from ISP1
    IP1.2 = IP2 from ISP1
    IP2.1 = IP1 from ISP2
    IP2.2 = IP2 from ISP2

    SRVR1 = Server A
    SRVR2 = Server B
    SRVR3 = Firewall

    SRVR1, SRVR2, and SRVR3 all are on the same private address space as the LAN port on the RV042, additionally, SRVR2 & SRVR3 basically have a crossover between them so they have a separate private range between themselves.

    Under 'Forwarding'
    Ports 25, 53, 80, 110, 443, etc are set to forward to SRVR1, any inbound connections on those ports to IP1.1 or IP2.1 are NAT'd and directed to SRVR1.

    Under 'One-to-One NAT'
    IP1.2 is directed to another server entirely and it works perfectly, thus I know the 1-1 functions as intended.
    IP2.2 is directed to SRVR3, thus any inbound connections on IP2.2 are NAT'd and directed to SRVR3

    SRVR3 runs IPcop, and is supposed to be forwarding the desired ports on it to SRVR2 over their closed connection, I'm currently still trying to make this work, but with little success.

    Double NAT hell is going to be the death of me, anyone have any suggestions or clues as to how I can meddle with the internals of the RV042 to bend it to my will? (How can I finish Linksys' job and do separate port forwarding for each WAN port?)

    Note: Not that it matters, but the hub is actually a switch, I just used 'HUB' for the sake of ascii balance...
  9. pablito

    pablito Network Guru Member

    With 4 IPs to use for 1-1 you can do 4 internal servers without any special back flips. You do the services control in the firewall section. Set up 1-1 for each unique internal destination and then create a set of rules to allow and deny what you require.

    Any port forward, 1-1, DMZ, etc will automatically set up a simple allow all rule. You can't see it but it is there. For 1-1 and UPnP rules (UPnP Function turned off) you can control access with firewall rules. Put in the allow rules that you need followed by deny all rules. You can avoid doing any port forwards, use 1-1 and matching firewall rules.

    Double NAT isn't desirable of course but is no problem for the normal internet cruising duties of users and wireless guests. That internal NAT firewall is a good place to put caching proxy servers and other routing/control duties. Could also run a reverse proxy for servers behind it. Set up this way you are not actually doing double NAT for the important tasks.
  10. gavinostlund

    gavinostlund LI Guru Member

    So, following your directions here, I've gone to 'Firewall' and then to 'Access Rules' and added two new rules,
    1 Allow  HTTP [80]       WAN2 Any IP2.2 ~ IP2.2 Always
    2 Deny   All Traffic [0] WAN2 Any IP2.2 ~ IP2.2 Always
    Yet if I try to SSH to IP2.2 from outside, it still gets through... am I doing something wrong here? I understood from your post that even though this is one-to-one NAT, it would still follow those firewall rules. Should I be specifying the LAN IP instead of the WAN IP in this rule?
  11. pablito

    pablito Network Guru Member

    You want to specify the internal IPs for the allow rules. Same for the deny rule except that you can specify Any (*) which is even better.

    Also make sure you don't also have port forwards set up if you intend on limiting access vs allow all for that service. PF sets up an allow rule that you can't override. 1-1 and UPnP rules allow an override.

    hope that helps

    1 Allow  HTTP [80]       WAN2 Any Internal_IP(s) Always
    2 Deny   All Traffic [0] WAN2 Any Any Always
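The rule behaviour pablito describes in posts 9 and 11, as an added model written for this thread (not Linksys firmware code and not posted by anyone here): 1-to-1 NAT rewrites the destination to the internal IP before the access rules are matched, which is why the post 10 rules written against IP2.2 never fire and SSH slips through to the hidden allow-all, while a Forwarding entry keeps its own allow that no rule overrides. The matching order, the `Rule`/`Router` names, the dict layout and the SRVR/IP labels are assumptions taken from the thread's own description.

```python
from dataclasses import dataclass, field

ANY = "Any"          # the "*" target in the RV042 access-rule form (assumed)

@dataclass
class Rule:
    action: str      # "Allow" or "Deny"
    port: int        # 0 = "All Traffic [0]", otherwise one service port
    interface: str   # "WAN1" or "WAN2"
    dest: str        # destination exactly as typed in the rule: an IP or ANY

@dataclass
class Router:
    wan_ip: dict                                    # interface -> primary WAN IP
    one_to_one: dict = field(default_factory=dict)  # public IP -> internal IP
    forwarding: dict = field(default_factory=dict)  # port -> internal IP (every WAN)
    rules: list = field(default_factory=list)       # access rules, top-down

    def handle(self, iface, dst_ip, dst_port):
        """Return (verdict, internal_ip) for one inbound packet."""
        if dst_ip == self.wan_ip[iface] and dst_port in self.forwarding:
            # Forwarding: same target on each WAN, hidden allow, not overridable
            return "Allow", self.forwarding[dst_port]
        if dst_ip not in self.one_to_one:
            return "Deny", None
        internal = self.one_to_one[dst_ip]          # NAT runs before the rules
        for r in self.rules:                        # first matching rule wins
            if (r.interface == iface and r.port in (0, dst_port)
                    and r.dest in (ANY, internal)):
                return r.action, internal
        return "Allow", internal                    # hidden allow-all of 1-to-1

def build(rules):
    """Thread topology (constructed labels): forwarded ports go to SRVR1, IP2.2 -> SRVR3."""
    return Router(wan_ip={"WAN1": "IP1.1", "WAN2": "IP2.1"},
                  one_to_one={"IP2.2": "SRVR3"},
                  forwarding={25: "SRVR1", 80: "SRVR1"}, rules=rules)

def post10_rules():
    """Rules from post 10, written against the public IP2.2: SSH still gets through."""
    r = build([Rule("Allow", 80, "WAN2", "IP2.2"), Rule("Deny", 0, "WAN2", "IP2.2")])
    return r.handle("WAN2", "IP2.2", 22)[0]

def post11_rules():
    """Rules from post 11: allow on the internal IP, then deny Any."""
    r = build([Rule("Allow", 80, "WAN2", "SRVR3"), Rule("Deny", 0, "WAN2", ANY)])
    return r.handle("WAN2", "IP2.2", 22)[0], r.handle("WAN2", "IP2.2", 80)[0]

def forwarding_cannot_be_overridden():
    """Post 11 caveat: a Forwarding entry ignores even a deny-all rule on that WAN."""
    r = build([Rule("Deny", 0, "WAN2", ANY)])
    return r.handle("WAN2", "IP2.1", 25)[0], r.handle("WAN1", "IP1.1", 25)[1]
```

Running the three functions reproduces the thread: the post 10 rules leave SSH allowed, the post 11 rules deny it while still allowing HTTP, and a forwarded port stays open whatever the rule list says.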
  12. gavinostlund

    gavinostlund LI Guru Member

    Brilliant! Thanks mate! I appreciate your time and patience with me.