 From:  Lyle Giese <lyle at lcrcomputer dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  NAT - port forwarding from the non-WAN subnet
 Date:  Thu, 04 Jun 2009 21:45:50 -0500
I have an unusual setup and am trying to figure it out.  I have a working
system on a full Linux system using IPTables.

I am trying to make the config work on a Soekris NET4801.  I have most
of it figured out, but hit one block.

I have a small hosting operation here.  I have two T1s coming in with a
Class C subnet assigned to it.  I have a private IP subnet for the
office and home PCs with a DSL connection for their Internet
bandwidth.  I did not want the office/home PCs to use any of the T1
bandwidth, reserving that bandwidth for our paying customers.

I built a machine using IPTables so that the private subnet uses the DSL
for Internet via NAT, while still having direct access to the public IP
servers without going to the Internet.  I have a printer on the private
subnet.  With IPTables, I was able to forward ports 515 and 9100 to the
printer (HP LJ ip), so I could print config files from the hosting servers.

On the Soekris NET4801, I have the DSL (sis0) and private subnet (sis1)
set up along with access to the hosting subnet (sis2).  I have NAT working
between the private subnet and the other two subnets.  But I cannot
seem to get forwarding of ports 515 and 9100 working from the hosting
subnet (sis2 to sis1).

It would appear that the Soekris does try to forward the packets hitting
its ports 515 and 9100:

Jun  4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p
<hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
Jun  4 19:57:44 <router ip> ipmon[89]: 19:57:43.987645 sis2 @300:1 p
<hosting ip>,50432 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
Jun  4 20:02:17 <router ip> ipmon[89]: 20:02:17.377468 sis2 @300:1 p
<hosting ip>,50514 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
Jun  4 20:06:35 <router ip> ipmon[89]: 20:06:35.418212 sis2 @300:1 p
<hosting ip>,44627 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
Jun  4 20:09:21 <router ip> ipmon[89]: 20:09:20.795669 sis2 @300:1 p
<hosting ip>,49848 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN

But I don't get any response back.  At this point I am not 100% certain
where the issue is and how to correct it.  Nothing I have tried seems to
work.  I have the DSL on SIS0, the private subnet on SIS1 and the
hosting subnet on SIS2.  The hosting subnet does not use the DSL, I only
want access to the printer on the private subnet.

It almost seems that the port forwarding from sis2 (hosting) to sis1 (LAN)
does not work.  It appears to work only from the WAN (sis0) port to the
private subnet.

Any suggestions?

Lyle Giese
LCR Computer Services, Inc.
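When debugging a forward like the one above, the first question is what the firewall actually recorded for each direction of the flow: was the packet passed or blocked, on which interface and by which rule group, and did a reverse packet ever get logged. The following is an added example, not code from the post or from m0n0wall, that parses ipmon lines in the format quoted above (re-joining records that a mail client wrapped onto two lines) and reports, for every passed inbound flow, whether its reply was passed, blocked or never logged. The sample log is constructed; documentation-range addresses stand in for the <router ip>, <hosting ip> and <HP LJ ip> placeholders, and the sis1 and sis0 records are invented so the report has something to show.

```python
"""Parse IPFilter ipmon log records and check whether forwarded flows get replies.

Added example, not part of the original post or of m0n0wall.  Addresses and
the sis1/sis0 records in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two wrapped records like the ones in the post, plus a
# blocked reply on sis1 and an unrelated outbound record on sis0.
SAMPLE_LOG = """\
Jun  4 19:57:18 192.0.2.1 ipmon[89]: 19:57:18.086181 sis2 @300:1 p
203.0.113.10,49916 -> 192.168.1.50,515 PR tcp len 20 60 -S K-S IN
Jun  4 19:57:44 192.0.2.1 ipmon[89]: 19:57:43.987645 sis2 @300:1 p
203.0.113.10,50432 -> 192.168.1.50,515 PR tcp len 20 60 -S K-S IN
Jun  4 19:58:01 192.0.2.1 ipmon[89]: 19:58:01.000001 sis1 @1:5 b
192.168.1.50,515 -> 203.0.113.10,49916 PR tcp len 20 60 -SA K-S IN
Jun  4 19:58:02 192.0.2.1 ipmon[89]: 19:58:02.000002 sis0 @2:1 p
192.168.1.20,51000 -> 198.51.100.5,80 PR tcp len 20 60 -S K-S OUT
"""

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# syslog stamp, host, ipmon pid, packet time, interface, @group:rule, action,
# src[,port] -> dst[,port], protocol, header/packet length, optional flags, direction
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<usec>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[^,\s]+)(?:,(?P<sport>\d+))? -> (?P<dst>[^,\s]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<extra>.*?) ?(?P<direction>IN|OUT)$"
)


@dataclass(frozen=True)
class IpmonEntry:
    stamp: str
    iface: str
    group: int
    rule: int
    action: str          # ipmon one-letter code: 'p' passed, 'b' blocked
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str           # e.g. "-S K-S" (TCP flags and keep-state marker)
    direction: str       # "IN" or "OUT"

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)

    @property
    def reverse_flow(self):
        return (self.dst, self.dport, self.src, self.sport)


def unwrap(text):
    """Re-join records that were wrapped onto a continuation line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.split(" ", 1)[0] in MONTHS or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_line(line):
    """Return an IpmonEntry for one unwrapped record, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return IpmonEntry(
        stamp=g["stamp"], iface=g["iface"], group=int(g["group"]), rule=int(g["rule"]),
        action=g["action"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        proto=g["proto"], flags=g["extra"].strip(), direction=g["direction"],
    )


def parse_log(text):
    return [e for e in (parse_line(rec) for rec in unwrap(text)) if e]


def summarize(entries):
    """Count records per (interface, action, direction) to see where traffic is seen."""
    return Counter((e.iface, e.action, e.direction) for e in entries)


def reply_status(entries):
    """For each passed inbound flow, report what ipmon logged for the reverse flow.

    'not logged' does not prove the reply never arrived: IPFilter only logs
    packets that hit a rule with 'log', and a state-table match is silent.
    """
    seen = {}
    for e in entries:
        seen.setdefault(e.flow, []).append(e)
    status = {}
    for e in entries:
        if e.action != "p" or e.direction != "IN":
            continue
        replies = seen.get(e.reverse_flow, [])
        if any(r.action == "p" for r in replies):
            status[e.flow] = "passed"
        elif replies:
            status[e.flow] = "blocked"
        else:
            status[e.flow] = "not logged"
    return status


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{key[0]:5} {key[1]} {key[2]:3} {n}")
    for flow, verdict in reply_status(parsed).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  reply {verdict}")
```

Run against a real ipmon capture, a "blocked" verdict with the interface and @group:rule of the blocking record points straight at the filter rule to fix; a "not logged" verdict only says that nothing with a log flag matched the reply, so the next step is to add a logging rule for the reverse direction on the inside interface before concluding the reply was lost.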