D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: andrew.keating on June 17, 2010, 08:57:00 AM
-
I have set up 2 port forwarding configs to web servers; this is working fine from the internet, but not from the LAN.
I have SAT, NAT and Allow actions:
1 site1_sat SAT any all-nets core site1-ext_ip https
2 site1_nat NAT lan lannet any all-nets https
3 site1_allow Allow any all-nets core site1-ext_ip https
1 site2_sat SAT any all-nets any site2-ext_ip https
2 site2_nat NAT lan lannet any all-nets https
3 site2_allow Allow any all-nets any site2ext_ip https
Any ideas what I got wrong in my config?
-
I don't think this is our problem, but let's try to be more selective with our IP rules.
WAN_LAN_Group/all-nets/core/site1-ext_IP
lan/lannet/core/site1-ext_ip
would have been sufficient.
Do we have any relevant log entries?
If we turn on logging on all of these rules do we get relevant log entries?
Does your server see the SYN inbound, and if so from/to what address and port?
-
In the logging I see conn_open_natsat from my source IP (desktop on the LAN) to the external-facing IP,
then nothing.
-
OK, then a conn_close_natsat a little later.
What I did notice was that the site2 request logs a site1_nat rule in the log, so something is messed up; the site1 request also logs site1_nat.
-
But neither site1 nor site2 works.
-
Forget using "any" in IP rules.
Correct port mapping (working from inside too) looks like this:
# external
SAT wan/all-nets core/wan_ip yourservice (SAT: new destination = yourprivatehost)
Allow wan/all-nets core/wan_ip yourservice
# internal
SAT lan/lannet core/wan_ip yourservice (SAT: new destination = yourprivatehost)
NAT lan/lannet core/wan_ip yourservice
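An added example, not from this thread and not D-Link code: a small Python first-match simulation of a NetDefendOS-style IP rule set. It reproduces the symptom reported above (a LAN request to site2 being logged against the site1_nat rule, because that rule's "any"/"all-nets" destination matches first) and shows that the per-address SAT + Allow / SAT + NAT layout recommended in this reply matches the intended rule for each case. Object names (site1-private, site2-private, the "internet" source network) and the rule names with _ext/_int suffixes are assumptions made for the example; networks are matched by object name rather than by address, and a SAT match is modelled as "remember the translation and keep scanning for the first Allow/NAT rule", which is how the SAT/Allow and SAT/NAT pairs in this thread are meant to work together.

```python
# Added example (not from the thread): first-match simulation of a
# NetDefendOS-style IP rule set, to show why a LAN request to site2 is
# logged against site1_nat in the original rule set and how the
# per-address layout from the reply avoids that. Assumptions: networks
# are matched by object name, SAT targets are made up, and a SAT match
# does not end the scan (an Allow/NAT rule is still needed).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "SAT", "NAT" or "Allow"
    src_if: str      # interface; "any" is a wildcard
    src_net: str     # network object; "all-nets" is a wildcard
    dst_if: str
    dst_net: str
    service: str
    sat_to: Optional[str] = None   # new destination for SAT rules (assumed names)


# A packet as the rule engine sees it: (src_if, src_net, dst_if, dst_net, service).
Packet = Tuple[str, str, str, str, str]


def _field_matches(rule_value: str, packet_value: str) -> bool:
    """Interface 'any' and network 'all-nets' match everything."""
    return rule_value in ("any", "all-nets") or rule_value == packet_value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    fields = (rule.src_if, rule.src_net, rule.dst_if, rule.dst_net, rule.service)
    return all(_field_matches(r, p) for r, p in zip(fields, pkt))


def evaluate(rules: List[Rule], pkt: Packet):
    """Return (matching SAT rule name or None, first Allow/NAT rule name or None).

    A SAT match does not end the scan: the engine still needs an Allow or
    NAT rule to open the connection, and that is the rule name the log shows.
    """
    sat = None
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "SAT":
            if sat is None:
                sat = rule.name
            continue
        return sat, rule.name
    return sat, None


# The original poster's rule set as listed in the thread (the site2 external
# address object is spelled "site2-ext_ip" throughout here).
ORIGINAL_RULES = [
    Rule("site1_sat",   "SAT",   "any", "all-nets", "core", "site1-ext_ip", "https", "site1-private"),
    Rule("site1_nat",   "NAT",   "lan", "lannet",   "any",  "all-nets",     "https"),
    Rule("site1_allow", "Allow", "any", "all-nets", "core", "site1-ext_ip", "https"),
    Rule("site2_sat",   "SAT",   "any", "all-nets", "any",  "site2-ext_ip", "https", "site2-private"),
    Rule("site2_nat",   "NAT",   "lan", "lannet",   "any",  "all-nets",     "https"),
    Rule("site2_allow", "Allow", "any", "all-nets", "any",  "site2-ext_ip", "https"),
]


def per_site(site: str) -> List[Rule]:
    """The layout recommended in the reply, generated for one published address:
    a SAT + Allow pair for external clients and a SAT + NAT pair for LAN clients."""
    ext_ip = f"{site}-ext_ip"
    return [
        Rule(f"{site}_sat_ext",   "SAT",   "wan", "all-nets", "core", ext_ip, "https", f"{site}-private"),
        Rule(f"{site}_allow_ext", "Allow", "wan", "all-nets", "core", ext_ip, "https"),
        Rule(f"{site}_sat_int",   "SAT",   "lan", "lannet",   "core", ext_ip, "https", f"{site}-private"),
        Rule(f"{site}_nat_int",   "NAT",   "lan", "lannet",   "core", ext_ip, "https"),
    ]


RECOMMENDED_RULES = per_site("site1") + per_site("site2")

# Constructed test packets. Traffic to one of the firewall's own external
# addresses arrives on the "core" interface; "internet" stands in for any
# WAN source network.
LAN_TO_SITE1: Packet = ("lan", "lannet", "core", "site1-ext_ip", "https")
LAN_TO_SITE2: Packet = ("lan", "lannet", "core", "site2-ext_ip", "https")
WAN_TO_SITE2: Packet = ("wan", "internet", "core", "site2-ext_ip", "https")

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("recommended", RECOMMENDED_RULES)):
        for pkt in (LAN_TO_SITE1, LAN_TO_SITE2, WAN_TO_SITE2):
            print(f"{label:12s} {pkt[0]} -> {pkt[3]}: {evaluate(rules, pkt)}")
```

With the original rule set, the LAN request to site2 is answered by `(None, 'site1_nat')`: site1_nat has an "all-nets" destination, so it is the first non-SAT match, no SAT rule has been recorded, and nothing is translated, which is the log entry described in the thread. With the recommended set the same request yields `('site2_sat_int', 'site2_nat_int')`. The internal pair uses NAT rather than Allow so that the server sees the firewall as the source and sends its replies back through it; with a plain Allow the server would answer the LAN client directly, bypassing the firewall's translation. The simulation only covers rule selection, not that return path.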
-
I just tried your recommendation, but it stopped working from the inside and the outside with that configuration!
-
Is the DFL specified as the default gateway on the private host?
-
Yes, the DFL is the gateway on the LAN.
-
Is that an issue? It is the default gateway for the LAN, we don't have another one.
-
To find out the reason for the problem, enable logging on the rules you created; it will show you whether it's working. Next, see Status > Connections and Status > Logging while testing access.