Traffic not flowing for hosts behind NAT - Edge Router Lite
-
I have a few firewall groups setup
-
The only LAN firewall rules are to block SMTP.
-
For anything you are going to NAT in to something other than the first IP address on the default masquerade, you have to have both firewall rules and NAT destination rules.
For anything that you want to go out something other than the default masquerade, you have to have a NAT source rule.
This is the WAN_IN and is likely part of your problem.
This is the NAT (source and destination) rules that are the other part of your problem.
-
For the screenshots above, the default NAT traffic will show a "What is my IP" as
12.XXX.XXX.42
as that is the first IP listed in the config of theeth0
port.All traffic goes out through the default NAT masquerade (shown as order 4 in the Source NAT section) unless there is a Source NAT rule to override it.
As I have more than one thing happening here, we will just focus on the Nginx ones as the stuff not going through the default masquerade.
A
Source NAT
is used for outbound traffic. You are the source of the traffic.
ADestination NAT
is used for inbound traffic. You are the destination of the traffic.So to send traffic from the server with an internal IP address of
10.202.1.16
out the external IP address of12.XXX.XXX.43
instead of the default masquerade external IP of12.XXX.XXX.42
we need to make aSource NAT
rule.Make a rule and fill it out like this. Obviously, there are a lot more options here than I am going over. If you have multiple machines that you need to use this IP outbound, then create a firewall group and select the
Src Address Group
drop down instead of specifying the IP address as I did here.
Now if you check your
What is my IP
from the specified server, it should return the12.XX.XXX.43
-
The inbound is harder because you have to setup both a
Destination NAT
rule as well as allow it on the firewall'sWAN_IN
rule.First make the
Destination NAT
rule as you are already on this screen from making theSource NAT
rule.As you can see you simply reverse what you did in the
Source NAT
rule. This time the local IP goes in the Translation and the WAN IP goes in theDest Address
field. Anything coming in on this destination IP will be translated to this local IP.As you can also see, I further restricted this translation to only be TCP/UDP and only ports included in a firewall port group.
In case you are curious, here are the ports in that firewall port group.
-
Now make a firewall rule in the policy assigned to the
IN
direction of yourWAN
interface.The wizards name this rule
WAN_IN
by default.You want to make the settings match when it comes to the protocol and port settings. But the destination is now the internal IP address as the translation has already happened by the NAT rules before the firewall rules see it.
-
Now you should have traffic properly flowing to and from your alternate IP addresses.
And yes, I noticed..
-
Well done Jared.
-
When I tried this last night, my new NAT rules were all below the default masquerade one. I tried moving (click and drag) above but it wouldn't actually move.
I then added a third rule (just some fake crap), then upon having three rules I was able to move my desired rule above the default one.
I'm on firmware v1.9.7-hotfix.4
-
@jaredbusch said in Traffic not flowing for hosts behind NAT - Edge Router Lite:
Now you should have traffic properly flowing to and from your alternate IP addresses.
Thanks for the above. I'm comparing that to my configuration now.
And yes, I noticed..
Ah, then you know the commercials.
-
@dashrender said in Traffic not flowing for hosts behind NAT - Edge Router Lite:
When I tried this last night, my new NAT rules were all below the default masquerade one. I tried moving (click and drag) above but it wouldn't actually move.
I then added a third rule (just some fake crap), then upon having three rules I was able to move my desired rule above the default one.
I'm on firmware v1.9.7-hotfix.4
Even though it didn't move, did the rule order number change?
-
@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:
@dashrender said in Traffic not flowing for hosts behind NAT - Edge Router Lite:
When I tried this last night, my new NAT rules were all below the default masquerade one. I tried moving (click and drag) above but it wouldn't actually move.
I then added a third rule (just some fake crap), then upon having three rules I was able to move my desired rule above the default one.
I'm on firmware v1.9.7-hotfix.4
Even though it didn't move, did the rule order number change?
good question - I don't recall. I did see the issue where when making firewall Ruleset changes, when I would drag and drop them, the order on screen would change to some jumble, but the actual numerical value would be the desired change. Saving the rule order would fix the display to display them in numerical order.
-
I just tried it again now
https://i.imgur.com/ZmoxUun.pngThis is what is normally looks like
https://i.imgur.com/yi1wL5G.pngAs you can see in the top image, I can't even see the other line item to move it above or below. I've zoomed the page in and out, no option there allows me to see where I'm placing it.
Additionally, after dropping it somewhere, the numerical order does not change.As mentioned above, creating a third entry allowed me to work around this.
-
Below is the GUI for the ERL. I'm going to some firewall groups, as that seems to be a cleaner way to do that.
There are the differences I see in Jared's configuration and mine.
- Jared's NAT rules include port matching, rather than just matching all traffic
- Jared's WAN_IN firewall rules have the "Accept Established / Related" and "Drop invalid" at the the top
- Jared's firewall rule example explicitly allows the New state
Perhaps I'm being thick, but I'm failing to see the smoking gun as to why my configuration failed.
Dashboard
NAT Rules
IIS Source NAT rule details
IIS Destination NAT rule details
Firewall Rules
IIS HTTPS Rule detail (all other rules follow this pattern)
-
-
@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:
Below is the GUI for the ERL. I'm going to some firewall groups, as that seems to be a cleaner way to do that.
There are the differences I see in Jared's configuration and mine.Jared's NAT rules include port matching, rather than just matching all traffic
Jared's WAN_IN firewall rules have the "Accept Established / Related" and "Drop invalid" at the the top
Jared's firewall rule example explicitly allows the New statePerhaps I'm being thick, but I'm failing to see the smoking gun as to why my configuration failed.
You always want the most hit firewall rules to be first.
Always. This is not an Ubiquiti thing, this is an always thing.
Firewall rules are processed sequentially and processing stops once a match is made.
Thus you always want the thing that is gong to match the most to be checked first.
In all cases, for standard NAT traffic hitting the inbound firewall, the most hit rule will always be the Established/Related.
Next, you drop in valid because well, it is invalid. This comes second, because most traffic is still Established/Related.
Then you add in your rules.
-
@jaredbusch That make sense, as if I specify nothing, then nothing would match.
It's curious though that the exact same rules (with state unspecified) worked flawlessly with the other ERL.
-
@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:
@jaredbusch That make sense, as if I specify nothing, then nothing would match.
It's curious though that the exact same rules (with state unspecified) worked flawlessly with the other ERL.
No they don't. Something would be different.
-
@jaredbusch I agree. The question is finding what's different.
Toying around, if I were to add a new rule, by default, there is no state specified.
-
@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:
@jaredbusch I agree. The question is finding what's different.
Toying around, if I were to add a new rule, by default, there is no state specified.
Yes, because they don't know what you are trying to allow.