[Firehol-support] NAT on vlan

Costa Tsaousis costa at tsaousis.gr
Wed Feb 18 22:30:00 GMT 2009

Guy wrote:
> Hi guys,
> I've run into a little problem. I'm using firehol to successfully NAT
> traffic to a machine on our hosting company's LAN.
> I'm trying to do the same thing again, but there's a difference in the
> networks this time.
> The setup that works looks like this:
> ===
> masquerade eth1
> dnat to proto tcp dport 8000 inface eth1
> dnat to proto tcp dport 80 inface eth1
> dnat to proto tcp dport 22 inface eth1
> dnat to proto tcp dport 25 inface eth1
> router internet2lan inface eth1 outface eth0
>         server bhttp1   accept  dst
>         server http     accept  dst
>         server ssh      accept  dst
>         server smtp     accept  dst
>         client all accept
> ===
> The LAN ip for the firehol server is
> On the new setup that is failing, the LAN only server is
> while the firehol server's LAN ip is
> can still ping though. Is this something odd
> with VLANs or is there something obvious I'm not aware of?
> Thanks
> Guy
can ping probably because of 'client all accept'.
We don't have enough info to trace this down.

I suggest adding 'log DNAT' to each dnat rule and 'log ROUTE' to each 
server statement in the router and then just make a request and check 
your logs.

There should be both DNAT and ROUTE logs (this means firehol worked fine).

If you get only DNAT, without ROUTE, check the routing on the firehol host.

If you get both, but still it does not work, check the parameters logged 
together (IN= OUT= SRC= DST=, etc) to find out your routing issue.

If it works right you should get, for each connection, one DNAT and many 
ROUTE matching both ways of communication.
If you get one DNAT and only one ROUTE, the replies from your server to 
your client do not go back the same way they came in.
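The classification above can be applied mechanically to the kernel log. The script below is an added example, not code from the FireHOL project or from this thread: it reads log lines, groups them by the client's source address and port (the only pair that survives the DNAT rewrite unchanged in the forward direction and shows up as DST/DPT in the replies), and reports, per connection, whether it saw one DNAT plus ROUTE entries both ways, DNAT only, or DNAT with a single one-way ROUTE. The "DNAT:" and "ROUTE:" prefixes, the eth0/eth1 roles and the addresses are assumptions, and the log lines are constructed for the demo.

```shell
#!/bin/bash
# Added example (not from FireHOL or the list post): classify per-connection
# DNAT/ROUTE log lines following the diagnostic in the reply above.
# Assumed rules that would produce such lines (addresses are placeholders):
#   dnat to 192.168.1.20 proto tcp dport 80 inface eth1 log "DNAT"
#   server http accept dst 192.168.1.20 log "ROUTE"      (inside the router)
# The exact prefix iptables writes is an assumption; adjust the patterns to
# whatever your kernel log actually shows.

# Constructed sample log. eth1 = internet side, eth0 = LAN side.
# Client 203.0.113.10 -> healthy; .11 -> DNAT only; .12 -> no reply seen.
SAMPLE_LOG='Feb 18 22:10:01 fw kernel: DNAT:IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=80 SYN
Feb 18 22:10:01 fw kernel: ROUTE:IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=80 SYN
Feb 18 22:10:01 fw kernel: ROUTE:IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=80 DPT=40001 ACK
Feb 18 22:10:01 fw kernel: ROUTE:IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=80 ACK
Feb 18 22:10:02 fw kernel: ROUTE:IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=80 DPT=40001 ACK
Feb 18 22:10:05 fw kernel: DNAT:IN=eth1 OUT= SRC=203.0.113.11 DST=198.51.100.1 PROTO=TCP SPT=40002 DPT=80 SYN
Feb 18 22:10:09 fw kernel: DNAT:IN=eth1 OUT= SRC=203.0.113.12 DST=198.51.100.1 PROTO=TCP SPT=40003 DPT=80 SYN
Feb 18 22:10:09 fw kernel: ROUTE:IN=eth1 OUT=eth0 SRC=203.0.113.12 DST=192.168.1.20 PROTO=TCP SPT=40003 DPT=80 SYN'

# Usage: verdict_for_client CLIENT_IP CLIENT_PORT < logfile
# Prints one of: ok, no-dnat, dnat-no-route, no-return-path
verdict_for_client() {
    local client="$1" port="$2"
    local dnat=0 fwd=0 rev=0 line
    while IFS= read -r line; do
        line="$line "   # trailing space so a final SPT=/DPT= token still matches
        case "$line" in
            *"DNAT:"*"SRC=$client "*"SPT=$port "*)  dnat=$((dnat + 1)) ;;
            *"ROUTE:"*"SRC=$client "*"SPT=$port "*) fwd=$((fwd + 1)) ;;   # client -> server (after DNAT)
            *"ROUTE:"*"DST=$client "*"DPT=$port "*) rev=$((rev + 1)) ;;   # server -> client reply
        esac
    done
    if [ "$dnat" -eq 0 ]; then
        echo no-dnat            # packet never matched the dnat rule
    elif [ "$fwd" -eq 0 ]; then
        echo dnat-no-route      # DNAT happened, nothing forwarded: routing on the firehol host
    elif [ "$rev" -eq 0 ]; then
        echo no-return-path     # forwarded, but replies never came back through the firewall
    else
        echo ok
    fi
}

# Print "IP PORT" for every distinct client that hit a dnat rule.
dnat_clients() {
    sed -n 's/.*DNAT:.*SRC=\([^ ]*\) .*SPT=\([^ ]*\).*/\1 \2/p' | sort -u
}

explain() {
    case "$1" in
        ok)             echo "one DNAT and ROUTE in both directions: firehol is fine" ;;
        no-dnat)        echo "no DNAT logged: packet never matched the dnat rule" ;;
        dnat-no-route)  echo "DNAT without ROUTE: check the routing on the firehol host" ;;
        no-return-path) echo "one DNAT and only one ROUTE: replies do not come back the same way" ;;
    esac
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dnat_clients | while read -r ip port; do
    v=$(printf '%s\n' "$SAMPLE_LOG" | verdict_for_client "$ip" "$port")
    printf '%s:%s  %s  %s\n' "$ip" "$port" "$v" "$(explain "$v")"
done
```

On a real host, replace the sample with something like `grep -E 'DNAT:|ROUTE:' /var/log/kern.log | verdict_for_client CLIENT PORT`. Keying on the client's address and source port is what lets the reverse direction be matched at all, because the DST address of the forward packets changes at the DNAT rule while the reply packets carry the client as DST.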

