0004129: PortForward from Red IP to computer in the Green Interface does not work - MantisBT Endian Bugtracker
ID: 0004129
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2011-08-24 17:55
Last Update: 2011-11-04 16:43
Reporter: rodrigodc01
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: feedback
Resolution: open
Platform:
OS:
OS Version:
Product Version: 2.4.1
Target Version:
Fixed in Version:
Summary: 0004129: PortForward from Red IP to computer in the Green Interface does not work
Description: Creating portforward rules on any port to any IP in the network simply does not work at all.

Situation

# Incoming IP Service Policy Translate to Remark Actions
1 189.90.55.66 (Uplink main) TCP/80 ALLOW with IPS 172.16.1.81 : 80 SERVIDOR WEB

The outgoing firewall is working fine, just the portforward with nat that is not working.



Tags: No tags attached.
Attached Files: Snap1.jpg (129,111 bytes) 2011-08-24 17:55

Notes
(0007336)
baldy (reporter)
2011-08-24 17:59

Hi rodrigo,

Just tested with the IP you have on the external site and I get a html page with It works!

If you are trying to access the webserver from green thru red and back to green again, this does not work.

Regards,

Klaas-Jan
(0007337)
rodrigodc01 (reporter)
2011-08-24 18:17

Ahhh, got it!! Just a little something: is there any way to erase the IP from my post? Don't wanna leave it there 'cause of security concerns.
(0007338)
rodrigodc01 (reporter)
2011-08-24 18:22
edited on: 2011-08-24 18:27

Well, since you got the IP already, I got to say it's quite strange: I tried to access from 3G on my cell and it does not work, then I tried a VPN and still no luck....

I'm losing my mind over this...

(0007339)
baldy (reporter)
2011-08-24 18:33

Just checked again from the system it worked from and now I can't connect to the webserver.
Same from my phone.

Can you setup the firewall without IPS ?

Regards,

Klaas-Jan
(0007340)
rodrigodc01 (reporter)
2011-08-24 18:36

Well, I tried again using an external VPN with no luck. I just disabled the IPS on the rule; let's see if it works now for you at least.
(0007341)
baldy (reporter)
2011-08-24 18:52

Still no go.

Can you recreate the rule with <ANY Uplink> ?

Can you also create a rule for TCP port 81 to your internal IP port 80 ?

This may help determining the source of the problem.

I am supporting around 15 EFW's and have no problems whatsoever with forwarding port 80, also no issues on the bug forum.

Regards,

Klaas-Jan
(0007342)
rodrigodc01 (reporter)
2011-08-24 18:55

Hey, thanks for the help! So here are the new rules:

# Incoming IP Service Policy Translate to Remark Actions
1 Uplink ANY TCP/80 ALLOW 172.16.1.81 : 80 SERVIDOR WEB
      ALLOW from: <ANY>
2 Uplink ANY TCP+UDP/81 ALLOW 172.16.1.81 : 81 WEB2
      ALLOW from: <ANY>
(0007343)
baldy (reporter)
2011-08-24 18:59

Can you modify the second rule so the internal port is 80 ?
(0007344)
rodrigodc01 (reporter)
2011-08-24 19:01

Done,

# Incoming IP Service Policy Translate to Remark Actions
1 Uplink ANY TCP/80 ALLOW 172.16.1.81 : 80 SERVIDOR WEB
      ALLOW from: <ANY>
2 Uplink ANY TCP+UDP/81 ALLOW 172.16.1.81 : 80 WEB2
      ALLOW from: <ANY>

Still no luck here
(0007345)
baldy (reporter)
2011-08-24 19:05

Can you temporarily disable the outgoing firewall ?
(0007346)
rodrigodc01 (reporter)
2011-08-24 19:15

Yes, just did that, but it seems to have no effect.
(0007347)
baldy (reporter)
2011-08-24 19:23

Can you internally access the server ?

Also please enable logging on the firewall rule and check for traffic from 77.251.247.241 and what happens to the packets.

If you see activity from my IP copy and paste the firewall log entries.

Logs can be viewed using the logs option on the right.
Do not use the Live log viewer, just use the normal one.

Regards,

Klaas-Jan
(0007348)
rodrigodc01 (reporter)
2011-08-24 19:28

Yes, the server is available for the internal network. Here's the log:

Aug 24 16:20:36 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:35 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5721 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:35 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5722 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5721 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5722 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5722 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5721 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:17:23 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 54295 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:17:23 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 54294 e4:1f:13:93:44:94 172.16.1.81 80
(0007349)
baldy (reporter)
2011-08-24 19:34

Hi Rodrigo,

The logs show that the packets are accepted and forwarded.

Any ip restrictions on the webserver ?
Also are there logs on the webserver you can check ?

Is the webserver itself also using the EFW box as gateway ?

Regards,

Klaas-Jan
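
Note 0007349 reads the posted log as "accepted and forwarded". As an added example (not part of the thread and not Endian's code), the Python below parses entries in that field order and groups them by flow; it assumes the rule logs only connection-opening packets, so a source port that recurs seconds apart means the client is retrying because no reply reached it. The sample lines, the function names and the supplied year are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (documentation addresses), one entry per line, in the
# field order of the posted log: date time chain iface proto src sport mac dst dport
SAMPLE = """\
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 203.0.113.7 5721 00:00:5e:00:53:01 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 203.0.113.7 5722 00:00:5e:00:53:01 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 203.0.113.7 5721 00:00:5e:00:53:01 172.16.1.81 80
Aug 24 16:20:35 PORTFWACCESS:ACCEPT:1 eth1 TCP 203.0.113.7 5721 00:00:5e:00:53:01 172.16.1.81 80
Aug 24 16:21:02 PORTFWACCESS:ACCEPT:1 eth1 TCP 198.51.100.9 40112 00:00:5e:00:53:01 172.16.1.81 80
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<chain>[\w:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<mac>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)$"
)

def parse(text, year=2011):
    """Yield one dict per well-formed entry; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rec = m.groupdict()
            # The log stamps carry no year, so one is supplied (assumption).
            rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
            yield rec

def retried_flows(text, min_hits=2):
    """Map each accepted flow seen min_hits+ times to the gaps (s) between hits."""
    flows = defaultdict(list)
    for r in parse(text):
        if ":ACCEPT" in r["chain"]:
            key = (r["src"], int(r["sport"]), r["dst"], int(r["dport"]))
            flows[key].append(r["time"])
    out = {}
    for key, times in flows.items():
        if len(times) >= min_hits:
            times.sort()
            # Assumption: only connection-opening packets are logged, so a
            # repeated source port is the client resending its first packet.
            out[key] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return out

if __name__ == "__main__":
    for flow, gaps in retried_flows(SAMPLE).items():
        print(flow, "retry gaps (s):", gaps)
```

In the log posted in note 0007348, source ports 5721, 5722 and 5724 each appear three times between 16:20:27 and 16:20:36, which is the pattern this grouping surfaces.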
(0007350)
rodrigodc01 (reporter)
2011-08-24 19:38

Hello, so there's no restrictions on the webserver, but the portfw also does not work with RDP (port 3389 to a Server 2008 in the network).

Gonna check the webserver logs .

And the webserver is using the EFW box as a gateway indeed.
(0007351)
baldy (reporter)
2011-08-24 19:59

Have you changed anything?

I can connect from 2 different ip's and my android phone.

Regards,

Klaas-Jan
(0007352)
rodrigodc01 (reporter)
2011-08-24 23:23

Hey Klaas-Jan, sorry, I had to go for some time. Well, I deleted all the portfw rules and created a new one:

# Incoming IP Service Policy Translate to Remark Actions
1 Uplink ANY TCP+UDP/80 ALLOW with IPS 172.16.1.81 : 80 WEB
      ALLOW with IPS from: <ANY>

It's the same thing as the ones we had before, but now it seems to work. I made no changes to the outgoing firewall or anything else.

Gonna try other rules to see if it still works, thanks a lot for all your help!!!

* On a note, this portfw problem seems to happen only when you turn on the proxy, 'cause on another Endian box I got portfw working without a problem.
(0007383)
baldy (reporter)
2011-09-05 11:49

Hi rodrigo,

Are you using the transparent proxy ?

Regards,

Klaas-Jan
(0007528)
rodrigodc01 (reporter)
2011-11-04 16:43

Hello, I had to redo everything and then I forgot to check back here, anyways out of nothing the portforward started working again.

But I'm still trying to find a relation with the activation of the proxy.

Thanks for everything.

- Issue History
Date Modified Username Field Change
2011-08-24 17:55 rodrigodc01 New Issue
2011-08-24 17:55 rodrigodc01 File Added: Snap1.jpg
2011-08-24 17:59 baldy Note Added: 0007336
2011-08-24 18:17 rodrigodc01 Note Added: 0007337
2011-08-24 18:17 rodrigodc01 Status new => feedback
2011-08-24 18:22 rodrigodc01 Note Added: 0007338
2011-08-24 18:27 rodrigodc01 Note Edited: 0007338
2011-08-24 18:33 baldy Note Added: 0007339
2011-08-24 18:36 rodrigodc01 Note Added: 0007340
2011-08-24 18:52 baldy Note Added: 0007341
2011-08-24 18:55 rodrigodc01 Note Added: 0007342
2011-08-24 18:59 baldy Note Added: 0007343
2011-08-24 19:01 rodrigodc01 Note Added: 0007344
2011-08-24 19:05 baldy Note Added: 0007345
2011-08-24 19:15 rodrigodc01 Note Added: 0007346
2011-08-24 19:23 baldy Note Added: 0007347
2011-08-24 19:28 rodrigodc01 Note Added: 0007348
2011-08-24 19:34 baldy Note Added: 0007349
2011-08-24 19:38 rodrigodc01 Note Added: 0007350
2011-08-24 19:59 baldy Note Added: 0007351
2011-08-24 23:23 rodrigodc01 Note Added: 0007352
2011-09-05 11:49 baldy Note Added: 0007383
2011-11-04 16:43 rodrigodc01 Note Added: 0007528
