Virtual Server/Port Forwarding

MXM

Regular Contributor
Hello,

I have an RT-AC3200 running Merlin's 380.58. I have a Port Forwarding rule set up to forward ports 8089,8190 to the local IP 192.168.64.4, no internal port specified, and BOTH TCP/UDP.

However, in the router log, I see numerous inbound connection attempts being dropped.

kernel: DROP IN=eth0 OUT= MAC=78:24:af:8f:8f:46:00:01:5c:62:a6:46:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x20 TTL=50 ID=35673 DF PROTO=TCP SPT=8190 DPT=41102 SEQ=2517585459 ACK=3429397618 WINDOW=114 RES=0x00 ACK URGP=0 OPT (0101080AA06380380008DE12)

So, am I doing something wrong, or is the Virtual Server/Port Forwarding option not working?

Thanks,
MM
 
I left the Local Port field blank when I set up the rule, but it looks like the system defaulted to the same port on the local address...
 
Merlin,

I was using your NAT Loopback when I ran into this problem. After switching to the ASUS NAT Loopback, everything worked fine.

I know similar issues have been brought up in the past. But are you aware this problem still persists?

Thanks,
MM
 
Both NAT loopbacks suffer from different issues. My loopback for instance will run into trouble whenever you use any of the Trend Micro-related features. Asus' loopback, by NAT'ing everything, can cause issues with some devices trying to talk to one another across interfaces but while still within the LAN (it was preventing, for instance, SplashID from properly syncing between my phone and my desktop back in the day). That's why I offer both loopback methods and not just one.

One thing to note in your log, 8190 is the source while 41102 is the destination. This is the opposite of what your port forward rules do, where they are meant to use 8190 as a destination port.
 
OK, based on the syslog message, the Source Port is 8190... But on the router Port Range, I also specified port 8190... But you are saying that on the router Port Range it is looking as the destination port, not the source port, and that is creating the mismatch... Is that correct?

In that case, port forwarding is not going to work for me since the way messages are coming to me is by always originating from source port 8190, and a variable destination port. But the originating IP address is always the same.

So, what is the best way to tackle this? My goal is to allow all traffic from a given source IP address and source port to always be routed to an internal LAN address.

Thanks Merlin.
 
Merlin,

I'm trying to put together an iptables script to be used with NAT-START... But I'm not sure how to do it... My goal is to accept all internet inbound traffic from a particular IP address and port, and then forward it to a LAN IP address.

Can someone please help me with that?

I tried this below but it did not work...
iptables -t nat -I VSERVER 3 -p tcp -m tcp -s x.x.x.x --sport 8190 -j DNAT --to 192.168.1.100

thanks,
MM
 
Fixed source ports rarely make sense, as the vast majority of net applications will use an ephemeral source port, to connect to a specific destination port.

You are dealing with NAT and a stateful firewall, which means the source and the destination ports are those used at connection time, not during traffic flow.

Can you be more specific as to what you are setting up exactly? What is the server port, and where is that server located?
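To make Merlin's two points above concrete (a Virtual Server rule matches on the destination port, and the ports that matter are the ones seen when the connection is opened), here is a small added example that is not part of the thread or of the Asuswrt-Merlin firmware. It parses the netfilter LOG line format the router's syslog uses, pulls out SPT/DPT and the bare TCP flag tokens, and checks the packet against a model of the rule from the first post (ports 8089 and 8190, TCP and UDP, to 192.168.64.4). The first log line reproduces the dropped entry from the thread with its already-masked addresses; the second is a constructed, hypothetical SYN to port 8190 so the matching path is exercised too. The rule model and the `diagnose` wording are assumptions of this example, not router behaviour.

```python
import re

# Constructed sample lines (not captured from a live router). The first reproduces the
# DROP entry quoted in the thread; the second is a hypothetical SYN to port 8190 with
# RFC 5737 documentation addresses so the rule-match path can be exercised.
DROPPED_LINE = (
    "kernel: DROP IN=eth0 OUT= MAC=78:24:af:8f:8f:46:00:01:5c:62:a6:46:08:00 "
    "SRC=x.x.x.x DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x20 TTL=50 ID=35673 DF "
    "PROTO=TCP SPT=8190 DPT=41102 SEQ=2517585459 ACK=3429397618 WINDOW=114 "
    "RES=0x00 ACK URGP=0 OPT (0101080AA06380380008DE12)"
)
SYN_LINE = (
    "kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 "
    "PROTO=TCP SPT=51234 DPT=8190 WINDOW=29200 RES=0x00 SYN URGP=0"
)

# Assumed model of the Virtual Server rule from the first post: ports 8089 and 8190,
# TCP and UDP, to 192.168.64.4, no separate local port (same port inside).
FORWARD_RULE = {"proto": {"tcp", "udp"}, "dst_ports": {8089, 8190}, "to": "192.168.64.4"}

# Bare tokens the netfilter LOG target prints for TCP flags (the ACK *number* is "ACK=...").
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_drop_line(line):
    """Split a netfilter LOG line into a dict of KEY=value fields plus a FLAGS set."""
    fields = {}
    flags = set()
    # The trailing "OPT (...)" block contains a space; strip it before tokenising.
    head = re.sub(r"\s*OPT \(.*\)\s*$", "", line)
    for tok in head.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def diagnose(line, rule):
    """Explain whether the port-forward rule would have applied to the logged packet."""
    pkt = parse_drop_line(line)
    proto = pkt.get("PROTO", "").lower()
    spt = int(pkt.get("SPT", 0))
    dpt = int(pkt.get("DPT", 0))
    # A Virtual Server rule is a DNAT keyed on protocol + DESTINATION port.
    if proto in rule["proto"] and dpt in rule["dst_ports"]:
        return f"forwardable: {proto} to destination port {dpt} -> {rule['to']}:{dpt}"
    reasons = [f"destination port {dpt} is not in {sorted(rule['dst_ports'])}"]
    if spt in rule["dst_ports"]:
        reasons.append(f"port {spt} is the SOURCE port here; the rule matches DESTINATION ports")
    if "SYN" not in pkt["FLAGS"]:
        reasons.append(f"flags {sorted(pkt['FLAGS'])} carry no SYN, so this is not a new connection")
    return "not forwardable: " + "; ".join(reasons)


if __name__ == "__main__":
    for sample in (DROPPED_LINE, SYN_LINE):
        print(diagnose(sample, FORWARD_RULE))
```

Run against the thread's own line, the output names both mismatches: 8190 sits in SPT rather than DPT, and the flags are ACK only, so the packet is a mid-stream segment rather than the opening of a connection that a forward rule could have matched. Feeding a router's `DROP` lines through `parse_drop_line` is a quick way to confirm what the firewall actually saw before touching the rule set.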
 