Astaro User Bulletin Board
#1
Old 07-02-2009, 09:16 PM
Junior Member
 
Join Date: Jul 2009
Posts: 2
Trying to get traffic through Astaro 220

I am trying to allow traffic to pass through port 5100 to an internal IP address. I have created a packet filter rule as follows: External >> Service (port 5100) >> Device.

Internal traffic passes over the port without issue. However, external traffic can't get through. I have placed the rule at the top of the list in an effort to bypass all others, but it still won't work.

Any insight would be greatly appreciated.
#2
Old 07-02-2009, 09:29 PM
Senior Schall und Rauch Member
 
Join Date: Nov 2008
Posts: 259

Is the internal IP in a private range? If yes, you must already have Masquerading activated. To directly pass specific external traffic to an internal host, you must create a DNAT rule.
__________________
"Datenautobahn (data highway): facility for the rapid transfer of large amounts of data (e.g. over the telephone network)" (DUDEN, 21st edition)

Mario Schmidt
QA Engineer
Astaro AG
#3
Old 07-02-2009, 10:59 PM
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,391

You should search for this information here and on the Astaro KnowledgeBase.

I would eliminate the PF rule and create a DNAT rule:
Traffic Source: Any
Traffic Service: [Port 5100 service]
Traffic Destination: External (Address)

NAT mode: DNAT (Destination)

Destination: [Host definition Device]
Destination Service: [leave blank]

Automatic packet filter rule: checked
Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
#4
Old 07-04-2009, 05:25 PM
Member
 
Join Date: Dec 2008
Posts: 58

Quote:
Originally Posted by BAlfson
Automatic packet filter rule: checked
I've had some discussions about this. Big advantage is that you don't have to create separate packet filters, and you define everything for this particular port in one place. Disadvantage is that you cannot log traffic, and you will always have to look in two separate places to see what ports are enabled for the outside world.

Given the latter two reasons, we don't check this in DNAT, but create a separate rule. What's the general opinion here?
#5
Old 07-08-2009, 04:53 PM
Junior Member
 
Join Date: Jul 2009
Posts: 2

Thanks for the information, it helped me resolve the issue. I am relatively new to the Astaro, so I apologize for asking a seemingly simple question.
#6
Old 07-08-2009, 09:31 PM
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,391

khardeveld, I agree to some extent. I just this year began using the auto rules. Now I prefer them, but will uncheck one and replace it with a rule at the top of the packet filter rules when I need to debug. I keep an inactive rule there all the time so the rule numbers don't change, and Rule #1 in the PF log is always my debugging rule.

Version 7.5, now in beta, allows you to log auto rules.

I like using auto rules now because it cuts down on the clutter in the explicit PF rule list.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
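The mechanism behind the advice in this thread, as an added example that is not part of the original posts and is not Astaro's own code: a small Python model of the packet path, in which destination NAT (the nat table's PREROUTING stage) runs before the forward filter. It is run against three constructed setups: the original poster's packet filter rule with no DNAT, Bob's DNAT rule with the automatic packet filter rule checked, and the variant from posts #4 and #6 where the auto rule is left unchecked and a logged explicit rule sits at position #1 in the packet filter list. All addresses, rule names, the `Packet`/`FilterRule`/`DnatRule` types and the `scenario_*` functions are constructed for this illustration. It shows why a filter rule whose destination is the internal host can never match traffic that still carries the gateway's external address, and why the auto rule leaves no entry in the packet filter log.

```python
# Added illustration (not Astaro code): toy model of DNAT before the forward filter.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges and RFC 1918 space).
EXTERNAL_IP = "203.0.113.10"   # assumed public address of the Astaro gateway
DEVICE_IP = "192.168.1.50"     # assumed private address of the host "Device"
LAN_CLIENT = "192.168.1.20"
WAN_CLIENT = "198.51.100.7"
PORT = 5100


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface_in: str          # "external" or "internal"


@dataclass(frozen=True)
class FilterRule:
    name: str
    src: str               # "Any" or an incoming interface name
    dst: str               # "Any" or a destination address
    dport: Optional[int]   # None = any port
    log: bool = False
    active: bool = True


@dataclass(frozen=True)
class DnatRule:
    src: str               # "Traffic Source": "Any" or an interface
    dst: str               # "Traffic Destination": External (Address)
    dport: int             # "Traffic Service"
    new_dst: str           # "Destination": the host the traffic is rewritten to
    auto_filter: bool      # "Automatic packet filter rule"


def rule_matches(src: str, dst: str, dport: Optional[int], pkt: Packet) -> bool:
    return ((src == "Any" or src == pkt.iface_in)
            and (dst == "Any" or dst == pkt.dst)
            and (dport is None or dport == pkt.dport))


def forward(pkt: Packet, dnat_rules: List[DnatRule],
            filter_rules: List[FilterRule]) -> Tuple[str, str, List[str]]:
    """Return (verdict, final destination address, packet filter log lines)."""
    log: List[str] = []
    implied: List[FilterRule] = []
    # Stage 1, nat PREROUTING: the first matching DNAT rule rewrites the destination.
    for r in dnat_rules:
        if rule_matches(r.src, r.dst, r.dport, pkt):
            pkt = replace(pkt, dst=r.new_dst)
            if r.auto_filter:
                # Auto rules live outside the numbered list and write no log entry.
                implied.append(FilterRule(f"auto DNAT {r.new_dst}:{r.dport}",
                                          r.src, r.new_dst, r.dport))
            break
    # Stage 2, filter FORWARD: numbered explicit rules in order, then auto rules, default drop.
    for number, r in enumerate(filter_rules, start=1):
        if r.active and rule_matches(r.src, r.dst, r.dport, pkt):
            if r.log:
                log.append(f"rule #{number} {r.name}: ACCEPT "
                           f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
            return "ACCEPT", pkt.dst, log
    for r in implied:
        if rule_matches(r.src, r.dst, r.dport, pkt):
            return "ACCEPT", pkt.dst, log
    log.append(f"default DROP {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return "DROP", pkt.dst, log


# Constructed traffic: a LAN client addresses Device directly, an Internet client can only
# address the gateway's external IP.
LAN_ANY = FilterRule("Internal -> Any", "internal", "Any", None)
WAN_PKT = Packet(WAN_CLIENT, EXTERNAL_IP, PORT, "external")
LAN_PKT = Packet(LAN_CLIENT, DEVICE_IP, PORT, "internal")


def scenario_packet_filter_only():
    """Original poster's setup: External -> port 5100 -> Device, no DNAT."""
    rules = [FilterRule("External -> 5100 -> Device", "external", DEVICE_IP, PORT), LAN_ANY]
    return forward(WAN_PKT, [], rules), forward(LAN_PKT, [], rules)


def scenario_dnat_auto_rule():
    """Bob's answer: DNAT to Device with the automatic packet filter rule checked."""
    dnat = [DnatRule("Any", EXTERNAL_IP, PORT, DEVICE_IP, auto_filter=True)]
    return forward(WAN_PKT, dnat, [LAN_ANY])


def scenario_dnat_explicit_logged_rule():
    """Auto rule unchecked; a logged explicit rule at #1 in the packet filter list."""
    dnat = [DnatRule("Any", EXTERNAL_IP, PORT, DEVICE_IP, auto_filter=False)]
    rules = [FilterRule("debug 5100 -> Device", "Any", DEVICE_IP, PORT, log=True), LAN_ANY]
    return forward(WAN_PKT, dnat, rules)


if __name__ == "__main__":
    print("PF rule only, external / internal:", scenario_packet_filter_only())
    print("DNAT + auto rule:", scenario_dnat_auto_rule())
    print("DNAT + logged explicit rule:", scenario_dnat_explicit_logged_rule())
```

In the first scenario the external packet is dropped because its destination is still the gateway's external address when the filter sees it, while the LAN packet is accepted by the ordinary internal rule, which is exactly the symptom in post #1. With the DNAT rule the destination is rewritten first; the auto rule then accepts it silently, whereas the explicit rule at #1 produces the log line a debugging session needs.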