 From:  Olivier Nibart <olivier at naya dash tec dot com>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT with port change
 Date:  Mon, 17 May 2004 18:55:00 +0200
Hi Manuel, thanks for your answer :)

>>I'm trying to access 2 ssh servers on my LAN, let's say S1 and S2,
>>like this:
>>WAN port 22 <------------>M0n0wall<--------------->LAN S1 port 22
>>WAN port 2222 <------------>M0n0wall<--------------->LAN S2 port 22
>>I've added a NAT from WAN:22 to S1:22 on LAN
>>I did the same for S2 except that I've put 2222 on the external
>>I have one rule that permits port WAN:22 to access S1 and another
>>one that permits WAN:22 to access S2 also.
>Hint: don't create the filter rules by hand, use the auto-add option
>when you add a new NAT rule. Filter rules are processed after NATing
>for incoming packets, and the SSH client is free to choose any value
>for the source port. You just need two rules to permit traffic -
>[interface WAN, source any, destination S1 port 22] and [interface
>WAN, source any, destination S2 port 22].
>- Manuel

That's what I did actually.
And that's the reason why I'm so surprised it doesn't work...

Here is a copy of the related rules and NAT I have:

Filter rules:
WAN interface
  Proto  Source  Port  Destination  Port      Description
  TCP    *       *     S1           22 (SSH)  SSH NAT
  TCP    *       *     S2           22 (SSH)  NAT

NAT:
  Proto  Ext. port range  NAT IP (ext. IP)  Int. port range  Description
  TCP    22 (SSH)         S1                22 (SSH)
  TCP    2222             S2                22 (SSH)

It seems OK to me... but I can't connect to S2 via WAN:2222...

Latest news:

I just changed port 2222 to port 23 and... it now works! Why?

Then I tried to map port 81 to port 80 of S2, auto-adding the rule. Guess what? It doesn't work...
Then I tried to map port 23 to port 80 on S2 and... it works!

So it seems that on my configuration, the only external port that can be 'mapped' (I mean, which can
be different from) to an internal port is port 23...

Any idea why?

olivier at naya dash tec dot com (Olivier Nibart)
gsm: +32 472 514 103
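The processing order Manuel's hint relies on (inbound NAT rewrites the destination first, then the WAN filter rule is matched against the translated destination), as an added Python model that is not m0n0wall code; S1/S2 and the rule tables are constructed from the thread, and the "unreachable mappings" check is what the auto-add option saves you from.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    proto: str
    ext_port: int    # port on the WAN address
    int_ip: str      # LAN host the packet is rewritten to
    int_port: int    # port on that LAN host

@dataclass(frozen=True)
class FilterRule:
    proto: str
    dst_ip: Optional[str]     # None means "any"
    dst_port: Optional[int]   # None means "any"

def translate(nat: List[NatRule], proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Step 1: inbound NAT rewrites the destination of a matching packet."""
    for r in nat:
        if r.proto == proto and r.ext_port == dst_port:
            return (r.int_ip, r.int_port)
    return None

def permitted(filters: List[FilterRule], proto: str, dst_ip: str, dst_port: int) -> bool:
    """Step 2: the WAN filter sees the already-translated destination."""
    return any(f.proto == proto and f.dst_ip in (None, dst_ip)
               and f.dst_port in (None, dst_port) for f in filters)

def inbound(nat, filters, proto, ext_port):
    """Where a packet to WAN:ext_port ends up, or None if unmatched or filtered."""
    target = translate(nat, proto, ext_port)
    if target is not None and permitted(filters, proto, *target):
        return target
    return None

def unreachable_mappings(nat, filters):
    """NAT rules whose translated destination no filter rule permits."""
    return [r for r in nat if not permitted(filters, r.proto, r.int_ip, r.int_port)]

# Constructed tables mirroring the thread: S1 and S2 are placeholder host names.
NAT = [NatRule("tcp", 22, "S1", 22), NatRule("tcp", 2222, "S2", 22)]
FILTERS_OK = [FilterRule("tcp", "S1", 22), FilterRule("tcp", "S2", 22)]
# Mistake the hint warns against: a filter rule written against the external port.
FILTERS_EXT = [FilterRule("tcp", "S1", 22), FilterRule("tcp", "S2", 2222)]
```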