 From:  David Burgess <apt dot get at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT - port forwarding from the non-WAN subnet
 Date:  Fri, 5 Jun 2009 16:10:18 -0600
On Thu, Jun 4, 2009 at 8:45 PM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
> I have an unusual setup and trying to figure it out.  I have a working
> system on a full Linux system using IPTables.
> I am trying to make the config work on a Soekris NET4801.  I have most
> of it figured out, but hit one block.
> I have a small hosting operation here.  I have two T1's coming in with a
> Class C subnet assigned to it.  I have a private IP subnet for the
> office and home PC's with a DSL connection for their Internet
> bandwidth.  I did not want the office/home PC's to use any of the T1
> bandwidth, reserving that bandwidth for our paying customers.
> I built a machine using IPTables so that the private subnet uses the DSL
> for Internet via NAT.  While still having direct access to the public IP
> servers without going to the Internet.  I have a printer on the private
> subnet.  With IPTables, I was able to forward ports 515 and 9100 to the
> printer(HP LJ ip), so I could print config files from the hosting servers.
> On the Soekris NET4801, I have the DSL(sis0) and private subnet(sis1)
> setup along with access to the hosting subnet(sis2).  I have NAT working
> between the private subnet and the other two subnets.  But I can not
> seem to get forwarding of ports 515 and 9100 working from the hosting
> subnet(sis2 to sis1).
> It would appear that the Soekris does try to forward the packets hitting
> its ports 515 and 9100:
> Jun  4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p
> <hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 19:57:44 <router ip> ipmon[89]: 19:57:43.987645 sis2 @300:1 p
> <hosting ip>,50432 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 20:02:17 <router ip> ipmon[89]: 20:02:17.377468 sis2 @300:1 p
> <hosting ip>,50514 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 20:06:35 <router ip> ipmon[89]: 20:06:35.418212 sis2 @300:1 p
> <hosting ip>,44627 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 20:09:21 <router ip> ipmon[89]: 20:09:20.795669 sis2 @300:1 p
> <hosting ip>,49848 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> But I don't get any response back.  At this point I am not 100% certain
> where the issue is and how to correct it.  Nothing I have tried seems to
> work.  I have the DSL on SIS0, the private subnet on SIS1 and the
> hosting subnet on SIS2.  The hosting subnet does not use the DSL, I only
> want access to the printer on the private subnet.
> It almost seems that the port forwarding from sis2(hosting) to sis1(LAN)
> does not work.  It appears to work only from the WAN(sis0) port to the
> private subnet.
> Any suggestions?

Normally you wouldn't use NAT between two LANs, so port-forwarding, or
masquerading is moot. If your router is aware of the subnet on sis1
and that on sis2, then packets should naturally flow between the two
without translation, assuming you have allowed traffic sis1<>sis2 in
iptables. Unless your sis2 machines are trying to reach sis1 machines
via the WAN (sis0) address, in which case it would probably be simpler
to add entries in your host files for local machines so trans-LAN DNS
queries are redirected to local addresses. Or use a DNS proxy that
will reference host entries on your router and keep an entry for the
LJ IP in there.
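The ipmon lines quoted above show only the client side of each attempt: a SYN arriving on sis2, nothing logged coming back. The following is an added diagnostic, not code from the thread or from m0n0wall, that parses ipmon(8) records in the format shown and pairs each TCP SYN with any packet logged in the reverse direction, so a one-way path (every connection to port 515 opened, none answered) stands out immediately. The log lines embedded below are constructed for the example; the router, hosting host and printer addresses (192.0.2.1, 192.0.2.10, 10.0.0.50) are placeholders standing in for the redacted values in the original message.

```python
import re
from collections import Counter

# ipmon(8) record as quoted in the thread (addresses redacted there):
#   Jun  4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p \
#   <hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+"                                   # timestamp with microseconds
    r"(?P<iface>\w+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+"
    r"(?P<rest>.*?)\s+(?P<direction>IN|OUT)\s*$"                # rest holds TCP flags / keep-state marker
)

# Constructed sample: three unanswered lpr SYNs from the hosting host, one
# JetDirect (9100) connection that the printer answers on sis1, and a UDP line
# that must be ignored. Addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Jun  4 19:57:18 192.0.2.1 ipmon[89]: 19:57:18.086181 sis2 @300:1 p 192.0.2.10,49916 -> 10.0.0.50,515 PR tcp len 20 60 -S K-S IN
Jun  4 19:57:44 192.0.2.1 ipmon[89]: 19:57:43.987645 sis2 @300:1 p 192.0.2.10,50432 -> 10.0.0.50,515 PR tcp len 20 60 -S K-S IN
Jun  4 20:02:17 192.0.2.1 ipmon[89]: 20:02:17.377468 sis2 @300:1 p 192.0.2.10,50514 -> 10.0.0.50,515 PR tcp len 20 60 -S K-S IN
Jun  4 20:05:01 192.0.2.1 ipmon[89]: 20:05:01.100000 sis2 @300:1 p 192.0.2.10,51000 -> 10.0.0.50,9100 PR tcp len 20 60 -S K-S IN
Jun  4 20:05:01 192.0.2.1 ipmon[89]: 20:05:01.100900 sis1 @200:1 p 10.0.0.50,9100 -> 192.0.2.10,51000 PR tcp len 20 60 -AS K-S IN
Jun  4 20:05:02 192.0.2.1 ipmon[89]: 20:05:02.000000 sis1 @200:2 p 10.0.0.50,123 -> 192.0.2.10,123 PR udp len 20 76 IN
""".splitlines()


def parse_ipmon_line(line):
    """Return a dict for one ipmon record, or None if the line is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    flags = re.search(r"-([A-Z]+)", rec.pop("rest"))  # e.g. "-S" or "-AS"
    rec["flags"] = flags.group(1) if flags else ""
    return rec


def find_unanswered_flows(lines):
    """Pair each TCP SYN with any later packet logged in the reverse direction.

    Returns (unanswered, answered) as lists of (src, sport, dst, dport) tuples.
    A flow counts as answered once any logged packet travels from the server
    side back towards the client (normally the SYN-ACK, flags -AS).
    """
    syns = {}          # client->server key -> interface the SYN arrived on
    answered = set()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        reverse = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        if rec["flags"] == "S":             # bare SYN: a new connection attempt
            syns.setdefault(key, rec["iface"])
        elif reverse in syns:               # anything flowing back to that client
            answered.add(reverse)
    unanswered = [k for k in syns if k not in answered]
    return unanswered, sorted(answered)


def unanswered_by_port(lines):
    """Count unanswered SYNs per destination port: the view in which a one-way
    forwarding problem is obvious (all attempts to 515 opened, none answered)."""
    unanswered, _ = find_unanswered_flows(lines)
    return dict(Counter(key[3] for key in unanswered))


if __name__ == "__main__":
    unanswered, answered = find_unanswered_flows(SAMPLE_LOG)
    print("unanswered SYNs by port:", unanswered_by_port(SAMPLE_LOG))
    for src, sport, dst, dport in unanswered:
        print(f"  no reply: {src}:{sport} -> {dst}:{dport}")
    print("answered flows:", answered)
```

One caveat when reading real output: ipmon only records packets that match a rule carrying `log`, so a flow reported as unanswered may simply have its return path passing through an unlogged rule. Before concluding that the printer never replies, confirm that the rule passing traffic in on sis1 from the printer logs as well, or compare against a packet capture on sis1.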