My usecase is pretty simple. I have an internal network onnected to XF-51 and an external network connected to XF-10
The internal is subnet 192.168.2.0/24 This network has devices with a web interface
The external subnet 192.168.100.0/24
I try to configure the firewall to port forward tcp (http) traffic from the external to the internal network. For instance incomming to the IP of XF-10 on port 8443 needs to be forwarded to 192.168.2.2 port 443
The confusion already starts from port naming shoudl it be XF-10, ETH0 or XF10. I think the latter is correct beacuse this is the name Linux reports.
I understand have to enable packet forwarding for both XF-10 & XF-51 which I did.
According the this diagram I need to configurer Dnat, forwarding and SNAT rules
Which seems to be a lot since I only have a few coonfiguration parameters to play with:
- Incomming interface XF10(??)
- Incomming protocol TCP
- Incomming port: 8443
- Destination interface XF51
- Destination IP: 192.68.2.2
- Destination port: 443
Al that information can go into the destination NAT
Is this correct? And if yes what should I put in the forwarding dan SNAT entries?
An example which uses OS 1.20 (new port names) is appriciated
@Sgilk Thank you for your reply. I have seen the post you mentioned but thought this is not exactly what I want since it is using the firwall as router while I want to use it as a NAT firewall. The diffrence is that for the client accesing the Webpage of a device behind the ctrlX it should simply think it comunicates to the ctrlx core IP address
Therefore this step should not be needed since this will not work in our usecase many diffrent PC will need to use this connection
Hi @Marc_Smaak ,
I believe at this point, you also need a SNAT rule to direct the response message.
As an example, if I had a device on the internal subnet at 192.168.2.100 and the internal subnet adapter IP is 192.168.2.1, I would use the following rules.
@Sgilk Thank you this indeed works.
So for testing this is my setup
And these are my firewall rules:
Destination NAT
Which I beleive can even be simplified to
But I suspect this only works beacuse the traffic is https so defaults to port 443. If it would be another port I need to add the port info somewhere
Source NAT
Also after a reboot (saving the firwall first) this all still works
Thanks at lot!!!
If you can explain better wat the Source net rule does this would be ewelcomed. I already worked with it but I thought it was intended for the return path to replace the source address of the device on my internal network (172.20.0.2) into the IP of the CtrlX core on the external network (192.168.2.137) This did not work.
Tested again with only a DNAT rule and correct default gateway config and can confirm it is working. (I had a type in my default gateway)
So this is the only rule needed to make the conif of my picture working
This is how I started initially 😖
Just some clear examples for diffrent usecases would for sure help.
I thought I would also share my use case here and what worked for me for anyone trying to do something similiar.
I have a local network with multiple XM control. I am using the ctrlX as a NAT. I want to assign one IP address that is publicly available to a local address. In this case, when I login at 192.168.3.6 I should login to 192.168.1.2 and if I login at 192.168.3.7 then I should login to 192.168.1.5.
I am using the firewall app with rules set for DNAT and SNAT. Here I have no ports configured so that the address should act just as if the device was on the same network.
Here is the DNAT configuration:
and here is the SNAT configuration:
XM at 192.168.3.6:
XM at 192.168.3.7:
