NAT issue

[Jaffa Cakes!]

Hey,

So I have a network behind an MS Forefront box that's working fine and dandy... until I want to port forward on a secondary router I've added.

So I installed a Draytek 2830n to present an ADSL connection in our comms cab (for VPN, to keep it off MS Forefront for now) and have it straight on the network with DHCP off, static IP set etc but I can't seem to get port forwarding working on it.

The router is on 10.0.0.220 and the Ubuntu box is on 10.0.0.245 (one of our Hyper-V VMs) so naturally I go onto our router and forward port 80 TCP to 10.0.0.245... but then it doesn't work. I go to one of our WAN IPs for that ADSL line and get nothing at all (and the port appears closed when I scan it), now if I enable Internet management on the router it seems to open it's own ports up fine...

I've contacted Draytek support and they want me to reflash the firmware and config it from scratch but that's a little difficult when I'm an hour and a half away and can't get there until Christmas. I've also tried forwarding other ports like RDP and 80 to a windows box of ours running RDP/IIS but that didn't work either, so that rules out Ubuntu.

Any ideas?

EDIT: I can also see the incoming connections on the router on port 80... there isn't any sort of firewall between the router and the Ubuntu box so I'm stumped as to what is happening here...

EDIT2: I can see this in the NAT sessions table if it helps at all... Edited out my IP.

-------------------------------------------------------------------------------
     Private IP :Port #Pseudo Port         Peer IP :Port  Interface
-------------------------------------------------------------------------------
     10.0.0.245    80           80 EXTERNAL-CLIENT-IP 49689    WAN1
     10.0.0.245    80           80 EXTERNAL-CLIENT-IP 49690    WAN1

 

[jadams]

Your description seems a little unclear to me.

Are the machines you're trying to forward to behind 2 routers?

 

[gimp]

what jadams said.

Is the MS Forefront box also doing NAT?

If so, you need to port forward from that box to the router, then from the router to the VM, and cross your fingers since double-NAT can cause issues.

 

[Jaffa Cakes!]

Here's a map, I want the Draytek to handle the NAT so services are only appearing on ISP TWO, but for some reason it wont work.

 

[jadams]

Work backwards....

You can verify the port is open on the Ubuntu box?

From inside your LAN you can punch the IP address of the Ubuntu box into a browser and the web site displays? (assuming you're talking about a webserver on port 80 from your original post)

 

[Jaffa Cakes!]

Yep, all that works fine internally... there isn't any sort of firewall on Ubuntu yet.

 

[jadams]

Yep, all that works fine internally... there isn't any sort of firewall on Ubuntu yet.

LOL didnt know that.

Sorry, wouldnt begin to know how to troubleshoot a Draytec. Never worked with one.

 

[SJConsultant]

Is your Ubuntu server using Forefront or the Draytek for the default gateway to get out to the internet?

 

[jadams]

Is your Ubuntu server using Forefront or the Draytek for the default gateway to get out to the internet?

You would think this wouldnt matter. I can port forward to machines that dont have gateways at all.

 

[SJConsultant]

You would think this wouldnt matter. I can port forward to machines that dont have gateways at all.

It can matter a great deal depending upon the configuration of the firewall and/or proxy devices being used

 

[Jaffa Cakes!]

Yeah, everything on our network is using Forefront as their gateway...

I thought this might be the issue, hence why I mentioned Forefront in the first place, I'll point it at the Draytek tomorrow and see what happens.

 

[Jaffa Cakes!]

Well, changing the gateway fixed it... that'll teach me.

I added eth0:1 on a second IP with a different gateway and it's working great, thanks guys.