3 NAT not working

Started by Julien, November 23, 2022, 07:31:12 PM

November 23, 2022, 07:31:12 PM Last Edit: November 23, 2022, 08:28:09 PM by Julien
Hi guys,
I hope someone can help; I cannot seem to get it working.
The situation is we have 2 servers that need to be accessed externally and we have one external IP.
We have a rule on the WAN to access this firewall on our port and from only one IP (Office IP), which is working fine.
So I can access the firewall with its external IP without any issues.
When I enable the NAT rule internally to server 1 (port 4505), the external access to the firewall stops.
When I enable the second NAT, only the one on the top works, but the firewall access is still not working.

When I disable the NAT, accessing the firewall starts working.
Our outbound is "Automatic outbound NAT rule generation".

Do I have to change it to hybrid and create the rules manually?


I appreciate any feedback.
DEC4240 – OPNsense Owner

There are so many issues... where to begin!

You don't need 600 NATs. You only need one, and you may want to look into a proxy server to convert your ports (for example 5530 to 4505)...

Why would anyone allow external access to the firewall? It makes ZERO sense.

Accessing the firewall is allowed only from one IP; I don't see the risk here.
When you say one NAT, what do you mean? We have two servers which need a NAT....

443 server 1
4050 server 2

Do I have to NAT them, or a rule on the WAN interface?
DEC4240 – OPNsense Owner

November 24, 2022, 02:17:48 PM #3 Last Edit: November 24, 2022, 02:23:33 PM by Vilhonator
Using simple NAT and 1 public IP, you need either a proxy, an SRV record added to your DNS records, or to manually type :4050 at the end of the address to connect to the server using port 4050.

Web browsers try to connect to web servers etc. using HTTPS by default if you don't type :port number at the end of the address, and you can't host more than 1 server using the same source and destination ports at the same time (if you set up NAT rules using either the same source port but different destination ports, or both the same, then you get connected to the first one that responds).

https://en.wikipedia.org/wiki/SRV_record <--- there's a bit of info about SRV records.

Just keep in mind that you have to add DNS records to the DNS server hosting your domain; usually domain providers also allow you to add and remove DNS records in your management panel, but it isn't required.

You can just create port forwarding rules as you would normally, and just type :4050 at the end of your domain name whenever you need to connect to server 2.

Quote from: Julien on November 24, 2022, 12:36:53 PM
Accessing the firewall is allowed only from one IP; I don't see the risk here.
When you say one NAT, what do you mean? We have two servers which need a NAT....

443 server 1
4050 server 2

Do I have to NAT them, or a rule on the WAN interface?

When routing traffic with one WAN IP, you can point port 443 to server 1 and port 4050 to server 2.

Quote from: lilsense on November 24, 2022, 07:42:14 PM
Quote from: Julien on November 24, 2022, 12:36:53 PM
Accessing the firewall is allowed only from one IP; I don't see the risk here.
When you say one NAT, what do you mean? We have two servers which need a NAT....

443 server 1
4050 server 2

Do I have to NAT them, or a rule on the WAN interface?

When routing traffic with one WAN IP, you can point port 443 to server 1 and port 4050 to server 2.

When I do this only one rule works, and the second one doesn't.
We have put Sophos back until we get this sorted out.

I hope someone can point me in the right direction.
DEC4240 – OPNsense Owner

Quote from: Julien on November 24, 2022, 09:10:14 PM
Quote from: lilsense on November 24, 2022, 07:42:14 PM
Quote from: Julien on November 24, 2022, 12:36:53 PM
Accessing the firewall is allowed only from one IP; I don't see the risk here.
When you say one NAT, what do you mean? We have two servers which need a NAT....

443 server 1
4050 server 2

Do I have to NAT them, or a rule on the WAN interface?

When routing traffic with one WAN IP, you can point port 443 to server 1 and port 4050 to server 2.

When I do this only one rule works, and the second one doesn't.
We have put Sophos back until we get this sorted out.

I hope someone can point me in the right direction.

The method in question requires you to manually type :4050 at the end of the address to work.

Simply put, if you have 1 public IP address (WAN = Wide Area Network = Internet), 2 servers, a domain called mypuppycollection.com, and you want both servers to be open to the public, then without any complicated DNS stuff, you forward TCP port 443 to server 1's local IP address and TCP port 8443 to server 2's local IP.

Whenever you open a web browser and type the address www.mypuppycollection.com, if the public DNS records of the domain are correctly done, you will be connected to server 1.

To connect to server 2, you have to manually type the address https://www.mypuppycollection.com:8443; that's because, for simplicity, public DNS records for each domain and subdomain must have different public IP addresses.

There is a way to separate servers within the same network, but it is almost never worth the effort until you're hosting more than just 2 or 3 servers.

Hello,

For your case, to map specific ports from an external IP to internal IPs and ports with NAT, you will define Port Forward and Firewall Rules for WAN.
Settings for outbound NAT are mostly fine with "Automatic outbound..." or "Hybrid outbound..."; the last one is used when you also want to define specific outbound rules, like mapping internal IPs to different external IPs. These two settings should already have created some automatic rules for mapping your internal networks with your WAN interface and address. This should be fine, and you should be able to communicate from the internal network to the world wide web.

To let the world wide web reach your two servers behind this NAT, we need to define port forwarding rules next.
Go to Firewall -> Port Forward and add a new rule for your server.
Set an interface - mostly WAN
IP Version - v4
Protocol - TCP or UDP or both
Source - leave as it is for the whole world, or define IP or net ranges from where packets could come
Destination - your external IP
Destination port range - a port or range you want to provide outside
Redirect target IP - choose Single host or Network and then the internal IP of your server
Redirect target port - a port or range your server provides internally
Description - name it

Save it and do the same for the second one.
After all, don't forget to apply.

Now under Firewall -> Rules there should be automatically added two new pass rules for your WAN interface,
like: inbound packets on WAN interface from anywhere (or specific sources/ports) to internal server IP on port allowed.
If not, you have to create them manually.
The same goes for your webconfig; this should be defined here too: add an allow/pass rule for this interface.
But bear in mind that you cannot have port 443 on your external IP serving two services; you have to change either the port of one server or of your webconfig service.

greets, ladeschale
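The replies above make two points that are easy to get wrong when only one public IP is available: port forward (rdr) rules are evaluated first-match, so a second rule on the same WAN port is shadowed by the one above it, and a forward of TCP/443 from "any" source hides the firewall's own web GUI on that port, which is exactly the symptom described in the first post. The script below is an added example written for this thread, not OPNsense code: it models the Port Forward fields from ladeschale's walkthrough (protocol, source, destination port, redirect target) with the first-match semantics of pf, which OPNsense uses, and flags the two mistakes before they are applied. The IPs, ports and rule sets are constructed sample values; WAN pass rules are not modelled.

```python
"""First-match model of port-forward rules on a single WAN IP (added example).

Mirrors the Firewall -> Port Forward fields described in the thread and the
first-match evaluation of pf. All addresses and rule sets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

WAN_IP = "203.0.113.10"        # constructed public IP (TEST-NET-3)
OFFICE_IP = "198.51.100.7"     # constructed "office" source address
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Forward:
    """One port-forward rule as entered in the Port Forward form."""
    proto: str
    dst_port: int          # port on the WAN address
    target_ip: str         # redirect target IP (internal server)
    target_port: int       # redirect target port
    source: str = ANY      # allowed source network
    description: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def first_match(rules, pkt: Packet) -> Optional[Forward]:
    """Return the first rule matching the packet, as pf's rdr evaluation does."""
    for r in rules:
        if (r.proto == pkt.proto and pkt.dst_ip == WAN_IP
                and r.dst_port == pkt.dst_port
                and ip_address(pkt.src_ip) in ip_network(r.source)):
            return r
    return None


def deliver(rules, pkt: Packet, local_services) -> Optional[Tuple[str, int]]:
    """Where a packet ends up: the redirect target if a forward matches,
    the firewall itself if it listens on that proto/port, otherwise nowhere."""
    r = first_match(rules, pkt)
    if r is not None:
        return (r.target_ip, r.target_port)
    if (pkt.proto, pkt.dst_port) in local_services:
        return ("firewall", pkt.dst_port)
    return None


def conflicts(rules, local_services):
    """Report rules shadowed by an earlier rule on the same proto/port, and
    rules from 'any' source that hide a service the firewall itself offers."""
    issues = []
    first_seen = {}
    for i, r in enumerate(rules):
        key = (r.proto, r.dst_port)
        if key in first_seen:
            earlier = rules[first_seen[key]]
            if ip_network(r.source).subnet_of(ip_network(earlier.source)):
                issues.append(f"rule {i} ({r.description}) is shadowed by rule "
                              f"{first_seen[key]} on {r.proto}/{r.dst_port}")
        first_seen.setdefault(key, i)
        if key in local_services and r.source == ANY:
            issues.append(f"rule {i} ({r.description}) hides the firewall's own "
                          f"{r.proto}/{r.dst_port} service")
    return issues


# Constructed "broken" setup: GUI still on 443, both forwards on WAN port 443.
BROKEN_SERVICES = {("tcp", 443)}
BROKEN_RULES = [
    Forward("tcp", 443, "10.0.0.11", 443, description="server 1"),
    Forward("tcp", 443, "10.0.0.12", 4050, description="server 2"),
]

# Constructed "fixed" setup per the thread: GUI moved to 8443, one WAN port per server.
FIXED_SERVICES = {("tcp", 8443)}
FIXED_RULES = [
    Forward("tcp", 443, "10.0.0.11", 443, description="server 1"),
    Forward("tcp", 4050, "10.0.0.12", 4050, description="server 2"),
]

if __name__ == "__main__":
    for name, rules, svc in (("broken", BROKEN_RULES, BROKEN_SERVICES),
                             ("fixed", FIXED_RULES, FIXED_SERVICES)):
        print(name, conflicts(rules, svc) or "no conflicts")
        print("  office -> 443:", deliver(rules, Packet("tcp", OFFICE_IP, WAN_IP, 443), svc))
```

Run it as-is to see the broken set report three problems (the first forward hides the GUI, the second is both shadowed and hides the GUI) while the fixed set reports none and office traffic to 8443 reaches the firewall again. Restricting the GUI pass rule to the office IP, as the original poster did, is still worthwhile, but it does not resolve the port collision; only moving the GUI or the server off 443 does.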