Forum Discussion
nlewis65 (Aspirant)
Nov 19, 2012
FVS318N not port forwarding, nothing being allowed inbound.
I have purchased and configured a FVS318N as the firewall to our failover Internet connection but I am having problems getting anything in from the outside world. I have configured many FVS338 firewalls so I am quite familiar with setting up inbound rules.
I originally mirrored our current FVS338 configuration but as of now all I have is 2 HTTPS rules, one goes to our Sonicwall SSL VPN and another goes to our server for webmail.
At first I thought it was the DG834 router but if I look at the logs of the FVS318N I can see that the traffic is getting past the router and is hitting the firewall as an Accepted Packet.
Here is an example of the log:
Mon Nov 19 16:28:14 2012(GMT+0000) [FVS318N][Kernel][KERNEL] WAN_LAN[ACCEPT]IN=eth1 OUT=bdg1 SRC=109.158.121.186 DST=192.168.0.252 LEN=48 TOS=0x00 PREC=0x80 TTL=113 ID=51806 DF PROTO=TCP SPT=2622 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
According to this it is accepting the packet but the browser just gives the usual Cannot display webpage.
I have tried all different ports, as well as 'any', as well as different web browsers, this shows that I am clutching at straws with this.
It had the latest firmware but I have downgraded to 4.1.1-14 just to see if this was the issue as well.
Can anybody shed any light as to why I cannot get this to port forward and allow traffic into my LAN?
Many Thanks
Neal.
15 Replies
- jmizoguchi (Virtuoso): NETGEAR router uses 443 as default GUI access.
Did you change it?
- nlewis65 (Aspirant): Hi jmizoguchi
Thanks for replying, yes I have changed the default port to another number, also the second rule that I have configured uses one of our other public IP Addresses so that I could check that it wasn't something strange with the default public address set on the firewall.
As a test I have also tried setting a rule of one kind or another using all of the 5 usable IP addresses and none of the rules make it through to the LAN device even though the log shows that they have been accepted inbound.
Many Thanks
Neal.
- jmizoguchi (Virtuoso): You said you use two of 443 forwarded?
First rule in forwarding will have priority over 2nd one
- nlewis65 (Aspirant): Hi jmizoguchi
Yes there are 2 rules using 443 but they are both using different public IP addresses. We have a block of 6 IP addresses, 1 for the router and 5 usable. The router is setup in pass through mode, or NO NAT depending on what you want to call it. This means for example that we have 81.228.91.113 - 81.228.91.118. The router is on 81.228.91.113 the firewall WAN IP is 81.228.91.114 and the LAN IP is 192.168.0.254.
I have setup one rule that allows the Broadband IP, in this case it will be 81.228.91.114, on port 443(HTTPS) to port forward to a LAN server IP of 192.168.0.253 (The internal Exchange Server)
I have also setup a second rule that allows 81.228.91.115, Other Public IP, again using port 443 (HTTPS) but going to a LAN server of 192.168.0.250 (Sonicwall SSL VPN Appliance).
From a browser https://81.228.91.114/exchange should get me webmail and https://81.228.91.115 should get me the login page of the SSL VPN appliance.
I have an FVS338 setup with many rules like this and it works like a dream.
Unfortunately this FVS318N doesn't seem to be forwarding the traffic to the internal LAN server even though the log is saying that it has been Accepted Inbound.
Mon Nov 19 16:28:14 2012(GMT+0000) [FVS318N][Kernel][KERNEL] WAN_LAN[ACCEPT]IN=eth1 OUT=bdg1 SRC=109.158.121.186 DST=192.168.0.252 LEN=48 TOS=0x00 PREC=0x80 TTL=113 ID=51806 DF PROTO=TCP SPT=2622 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
Hope you now understand my setup and what the problem is.
Many Thanks
Neal.
- jmizoguchi (Virtuoso): Use paragraph ... makes more sense in reading the thread.
Makes me dizzy
- nlewis65 (Aspirant): Oops sorry, hope this makes better reading.
Yes there are 2 rules using 443 but they are both using different public IP addresses. We have a block of 6 IP addresses, 1 for the router and 5 usable.
The router is setup in pass through mode, or NO NAT depending on what you want to call it. This means for example that we have 81.228.91.113 - 81.228.91.118. The router is on 81.228.91.113 the firewall WAN IP is 81.228.91.114 and the LAN IP is 192.168.0.254.
I have setup one rule that allows the Broadband IP, in this case it will be 81.228.91.114, on port 443(HTTPS) to port forward to a LAN server IP of 192.168.0.253 (The internal Exchange Server)
I have also setup a second rule that allows 81.228.91.115, Other Public IP, again using port 443 (HTTPS) but going to a LAN server of 192.168.0.250 (Sonicwall SSL VPN Appliance).
From a browser https://81.228.91.114/exchange should get me webmail and https://81.228.91.115 should get me the login page of the SSL VPN appliance.
I have an FVS338 setup with many rules like this and it works like a dream.
Unfortunately this FVS318N doesn't seem to be forwarding the traffic to the internal LAN server even though the log is saying that it has been Accepted Inbound.
Mon Nov 19 16:28:14 2012(GMT+0000) [FVS318N][Kernel][KERNEL] WAN_LAN[ACCEPT]IN=eth1 OUT=bdg1 SRC=109.158.121.186 DST=192.168.0.252 LEN=48 TOS=0x00 PREC=0x80 TTL=113 ID=51806 DF PROTO=TCP SPT=2622 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
Hope you now understand my setup and what the problem is.
Many Thanks
Neal.
- jmizoguchi (Virtuoso): Did you use classical routing?
- adit (Mentor): The log indicates you are forwarding to .252 ???
nlewis65 wrote: Mon Nov 19 16:28:14 2012(GMT+0000) [FVS318N][Kernel][KERNEL] WAN_LAN[ACCEPT]IN=eth1 OUT=bdg1 SRC=109.158.121.186 DST=192.168.0.252 LEN=48 TOS=0x00 PREC=0x80 TTL=113 ID=51806 DF PROTO=TCP SPT=2622 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
- nlewis65 (Aspirant): Thanks for the responses.
jmizoguchi
No it is setup for NAT routing just as the FVS338 is on our main connection.
Sorry adit
I was not using my real IP addresses as I was just trying to show an example of how it is setup and what I should be expecting to happen but isn't, the log screenshot shows the actual LAN IP the rule is set to.
Hope that clarifies things.
Many Thanks
Neal.
- jmizoguchi (Virtuoso): If you remove the 2nd rule of 443, just using single 443 service works?
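An added example, not part of the original thread and not NETGEAR code: it parses the netfilter-style `WAN_LAN[ACCEPT]` lines quoted above, checks the already-translated `DST` against the intended forward targets, and flags a repeated bare SYN, which shows the firewall passed the packet but the client never got a SYN-ACK. The `FORWARDS` table uses the illustrative LAN addresses from the thread, the second and third log lines are constructed, and it is assumed the firewall logs each retransmitted SYN.

```python
import ipaddress
import re
from collections import Counter

TAG_RE = re.compile(r"(\w+)\[(ACCEPT|DROP)\]")   # e.g. WAN_LAN[ACCEPT]
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=value pairs after the tag
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Parse one firewall log line into a dict, or None if it has no verdict tag."""
    tag = TAG_RE.search(line)
    if not tag:
        return None
    rest = line[tag.end():]
    rec = dict(FIELD_RE.findall(rest))
    rec["ZONE"], rec["VERDICT"] = tag.groups()
    rec["FLAGS"] = TCP_FLAGS & set(rest.split())
    return rec

def audit(lines, forwards):
    """forwards: destination port -> set of LAN IPs the inbound rules should reach."""
    findings, syn_seen = [], Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("PROTO") != "TCP" or rec["VERDICT"] != "ACCEPT":
            continue
        dst, dport = rec["DST"], int(rec["DPT"])
        issue = None
        if not ipaddress.ip_address(dst).is_private:
            issue = "not-translated"      # DST still public: no DNAT before logging
        elif dst not in forwards.get(dport, set()):
            issue = "unexpected-target"   # translated, but not to a configured server
        if issue and (issue, dst, dport) not in findings:
            findings.append((issue, dst, dport))
        # A second bare SYN from the same client socket is a retransmission: the
        # firewall forwarded the first one, but no SYN-ACK reached the client in time.
        if rec["FLAGS"] == {"SYN"}:
            key = (rec["SRC"], rec["SPT"], dst, dport)
            syn_seen[key] += 1
            if syn_seen[key] == 2:
                findings.append(("syn-retransmitted", dst, dport))
    return findings

FORWARDS = {443: {"192.168.0.253", "192.168.0.250"}}  # illustrative targets from the thread
FMT = "Mon Nov 19 16:28:{} 2012(GMT+0000) [FVS318N][Kernel][KERNEL] WAN_LAN[ACCEPT]IN=eth1 OUT=bdg1 SRC={} DST={} LEN=48 TOS=0x00 PREC=0x80 TTL=113 ID={} DF PROTO=TCP SPT={} DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0"
SAMPLE = [
    FMT.format("14", "109.158.121.186", "192.168.0.252", 51806, 2622),  # line from the thread
    FMT.format("17", "109.158.121.186", "192.168.0.252", 51809, 2622),  # constructed retransmission
    FMT.format("20", "203.0.113.7", "192.168.0.250", 4711, 40112),      # constructed, matches a rule
]
```

When `syn-retransmitted` appears for a target that is correct, the next things to check are on the LAN side: whether the server listens on that port and whether its default gateway routes replies back through this firewall.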