I am at my wits' end! Before I installed IPFire my system was working, as a preface.
Now that I installed IPFire I am constantly getting DROP_FORWARD on my connection. I am trying to get an external connection on port 3400 from the internet all the way to a desired server on my green network.
So my ISP has to have a modem / router mixed. So no way around that.
I have included a picture of my error firewall logs,
then my firewall rules,
then a pic of my current set up. Any help will be appreciated!
Note this is running on a Raspberry Pi 4, if that matters at all.
Welcome aboard
Are you sure you want UDP?
Perhaps this should be TCP.
I have no idea what service you are trying to reach.
So I have no idea what ports are required.
Hey Shaun,
My VPN is on this port on the green network.
So my understanding is that I need to open the UDP port 3400, and I already have the TCP 443 open.
I'm running OpenVPN on its own static IP on the green network on its own Raspberry Pi.
I think the problem is that I went from a double NAT with the ISP pool and the WiFi pool to a triple NAT with the ISP pool, IPFire pool, and router pool.
So I know my ISP router can be a DMZ, but I'm thinking maybe I need to make my IPFire DMZ as well. I have no idea.
I would also check the log box for the rule you use so that it will also log the correct execution of the rule. Otherwise you will only see in the logs the things that fail. Once everything is working correctly then you can go back and uncheck the log box for the port forward rule.
Triple NAT makes things very complicated.
You have made sure that the IP subnet for each router does not overlap any of the other routers subnets?
I added logs for the rules but I'm not seeing them under firewall logs. So maybe I'm not hitting the rules?
I have made sure that all of my subnets are different.
My ISP is 192.168.2.* with the IPFire given a static IP with DMZ and port forwarding on 3400.
My IPFire is 192.168.80.* with the home router given a static IP and I'm appointing to forward 3400 to the home router, who also has a static IP on IPFire.
The home router has an IP pool of 192.168.86.*.
So they are all different and I've attempted to make it as consistent as possible.
From your screenshot rule 2 is enabled and that does not have NAT selected. Rule 1 is not enabled but that does have NAT selected but with Firewall Green rather than Firewall Automatic.
I am not totally sure if that last bit makes a difference but Firewall Automatic is what is specified in the wiki page on Port Forward and is what I have set on my Port Forward rules.
As @bonnietwin has already said, Rule 1 is not a DNAT rule. That rule will tell the firewall to allow the traffic but it won’t deliver it to the destination, as it is not instructing the firewall to add port 3400 to the NAT table with 192.168.80.21 as the destination. As Adolf said, you need to use rule 1 of OP screenshot, but you need to change it to “Firewall Automatic”, and you should not use rule 1 of message #9 as it is not useful for what you want to do.
No problem. It can be difficult to find where things are linked from and historically there have been pages that were orphaned and could only be found by searching in the search bar.
There are probably still some pages hidden away somewhere waiting to be found by someone.
Which I assume is the first right step? Here is what I see on the export:
20:05:53 IN=red0 OUT= SRC=142.169.16.164 DST=169.1.1.1 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=19880 DF PROTO=UDP SPT=2678 DPT=3400 LEN=62
I'm concerned that the OUT is blank.
Now I want to forward this traffic through to 192.168.80.21:3400. I've made rules like this (all with DNAT checked):
DNAT is confusing and I think it is not intended to be used this way (referring to the first screenshot you showed). You are basically saying: “all the incoming traffic with destination port 3400 should go at this IP address”. I do not think you can have as destination “any”. You need to set a specific IP address. It can be another router, but it has to be one IP address. That’s it. You need just one rule that forward all the traffic to port 3400 to another machine that then decides what to do with that traffic.
As @cfusco says you need to specify the IP that you want to send it to. Trying to send it to “any” means that the iptables rule has no idea which IP in the whole of your network to send it to. If you literally want to send a message to all machines in a subnet that is what the broadcast address is for.
Once you have the Port Forward rule with a specific IP defined then you don’t need to do the forwarding as the Port Forward Rule will do the DNAT followed by a Port Forward.
See these log messages from a port forward that I have defined.
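A small checker for exported firewall log lines of the kind quoted in this thread, added here as an illustration and not code from any poster or from IPFire itself. It assumes the target from the thread (192.168.80.21, UDP 3400) and that an empty OUT= field means the packet was logged before the routing decision (PREROUTING/INPUT), so it never entered FORWARD towards green; the sample lines are constructed to mirror the shape of the quoted export.

```python
import re

# Constructed sample lines in the netfilter log format that IPFire exports.
# Line 1 mirrors the shape of the line quoted in the thread (OUT= is empty),
# line 2 is what a packet that was DNATed and forwarded to green looks like,
# line 3 is unrelated TCP/443 traffic that the checker should ignore.
SAMPLE_LOG = """\
20:05:53 IN=red0 OUT= SRC=142.169.16.164 DST=169.1.1.1 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=19880 DF PROTO=UDP SPT=2678 DPT=3400 LEN=62
20:06:10 IN=red0 OUT=green0 SRC=142.169.16.164 DST=192.168.80.21 LEN=82 TOS=0x00 PREC=0x00 TTL=48 ID=19881 DF PROTO=UDP SPT=2678 DPT=3400 LEN=62
20:06:12 IN=red0 OUT= SRC=203.0.113.7 DST=169.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=443 LEN=40
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; OUT= with nothing after it matches ""


def parse_line(line):
    """Turn one 'KEY=value ...' log line into a dict; the first LEN (IP length) wins."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    fields["time"] = line.split()[0]
    return fields


def classify(fields, target_ip, target_port, proto="UDP"):
    """Say whether a logged packet reached the DNAT target (assumed interpretation of OUT=)."""
    if fields.get("DPT") != str(target_port) or fields.get("PROTO") != proto:
        return "other"
    # Assumption: OUT is only known after routing, so an empty OUT= means the
    # packet was logged in PREROUTING/INPUT and was never handed to FORWARD.
    if not fields.get("OUT"):
        return "not-forwarded"
    if fields.get("DST") == target_ip:
        return "forwarded"
    return "wrong-destination"


def audit(log_text, target_ip="192.168.80.21", target_port=3400, proto="UDP"):
    """Return (time, source, verdict) for every line of an exported log."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        results.append((f["time"], f["SRC"], classify(f, target_ip, target_port, proto)))
    return results


if __name__ == "__main__":
    for when, src, verdict in audit(SAMPLE_LOG):
        print(when, src, verdict)
```

Once the port forward rule has a specific destination and logging enabled, the lines for port 3400 should show OUT=green0 and DST=192.168.80.21, which this checker reports as "forwarded".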