[Firehol-support] access from WAN to LAN

Tony Peña emperor.cu at gmail.com
Wed Aug 3 14:34:06 BST 2016


Hi Costa,

I still can't hit the NAS on the LAN with the DNAT/SNAT. Maybe it was wrong,
but I can see the logs ("logically, literally ok") but it does not work. Maybe I'm
missing something.
The logs output:

Aug  3 15:28:22 server kernel: [23867.655752] PASS-unknown:IN=ens160 OUT=ens192 MAC=00:0c:29:81:73:a9:00:30:48:42:58:a3:08:00 SRC=my.ip.public.home DST=192.168.111.100 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=59457 DF PROTO=TCP SPT=42356 DPT=5000 WINDOW=29200 RES=0x00 SYN URGP=0

Aug  3 15:28:22 server kernel: [23867.655752] PASS-unknown:IN=ens160 OUT=ens192 MAC=00:0c:29:81:73:a9:00:30:48:42:58:a3:08:00 SRC=my.ip.public.home DST=192.168.111.100 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=59457 DF PROTO=TCP SPT=42356 DPT=5001 WINDOW=29200 RES=0x00 SYN URGP=0

these are my interface settings:

ens160  my.ip.public

ens192    Link encap:Ethernet  HWaddr 00:0c:29:81:73:b3
          inet addr:192.168.111.120  Bcast:192.168.111.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe81:73b3/64 Scope:Link


the NAS is 192.168.111.100, open on ports 5000-5001.
The gateway of the NAS is .120 (the LAN IP of the server), and from the NAS I can
update and upgrade the firmware, so I can reach the internet fine from the NAS,
by routing in the firehol config.

and the firewall is

version 6
ipv4 dnat to 192.168.111.100 inface any proto tcp dport "5000 5001"

interface ens160 wan src not "$UNROUTABLE_IPS"
        policy drop
        protection strong 10/sec 10
        server ident reject with tcp-reset
        ipv4 server "http ssh" accept src "$HOME"
        client all accept

interface ens192 lan
        policy drop
        protection strong 10/sec 10
        ipv4 server ident reject with tcp-reset
        client all accept

router lan-to-wan inface ens192 outface ens160
        masquerade
        route all accept

thanks

2016-07-28 21:00 GMT+02:00 Tsaousis, Costa <costa at tsaousis.gr>:

> Hi Tony,
>
> You need to DNAT traffic coming from the internet to the NAS box.
> The replies will work automatically.
>
> Keep in mind you also need to allow the traffic to flow in a router.
>
> Costa
>
>
> On Thu, Jul 28, 2016 at 7:28 PM, Tony Peña <emperor.cu at gmail.com> wrote:
>
>> Hi,
>>
>> How can I get to a NAS on the LAN from the internet?
>>
>> SNAT rule?
>>
>> I tested
>>
>> snat to the.ip.public inface eth0 src any outface eth1 dst 192.168.111.100
>> proto tcp dport 5001
>>
>> but it does not work. :/
>>
>> any idea how to fix the rule..
>> I'm still using firehol 1.297-1
>>
>> it's an old server ... I know it must be upgraded, but I need to fix this first,
>> then migrate in another step after.
>>
>> thanks
>> --
>> perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'
>>
>> Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
>> <https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
>> Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support


-- 
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
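To make Costa's remark concrete: `dnat` only rewrites the destination address before routing, so the rewritten packet still has to pass the FORWARD path, where a FireHOL router must accept it; "PASS-unknown" is the prefix FireHOL logs when a forwarded packet matches no router, after which it is dropped. The fragment below is an added example, not the thread's own config, showing the wan-to-lan router that would sit next to the existing `router lan-to-wan`; it assumes the interface names and NAS address from the message and narrows the DNAT to `inface ens160`.

```firehol
version 6

# Global DNAT as in the message, narrowed to the WAN interface so that
# only packets arriving from ens160 get their destination rewritten.
ipv4 dnat to 192.168.111.100 inface ens160 proto tcp dport "5000 5001"

# ... interface ens160 wan, interface ens192 lan and router lan-to-wan
#     stay exactly as in the message ...

# Added router for the DNATed traffic: requests that enter on ens160 and
# leave on ens192. In a router, 'server' means requests flowing inface -> outface,
# which is the forwarded SYN seen in the PASS-unknown log lines; replies are
# handled by connection tracking, so no SNAT rule is needed for them.
router wan-to-lan inface ens160 outface ens192
        # Restrict to the NAS address and to the two NAS ports only, so this
        # router opens nothing beyond the DNAT target. To limit clients to the
        # home address like the http/ssh rule does, append: src "$HOME"
        ipv4 server custom nas tcp/5000:5001 default accept dst 192.168.111.100
```

After reloading, a successful test shows no new PASS-unknown line for DPT=5000/5001 in the kernel log; if the line still appears with OUT=ens192, the router did not match and the interface names or ports should be rechecked.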