June 6, 2007 at 10:03 am #40642
Hi, does anyone know if it is possible to set up NAT reflection rules with Zeroshell (how? 😀 )
Also, has anyone successfully abused this router? I mean to the length of 50 new connections (or more) per second… how does it handle that?

June 6, 2007 at 8:01 pm #45398
What do you mean with “NAT Reflection”?
I found with Google that pfSense and m0n0wall have implemented this feature. I suppose that the NAT reflection looks like the Destination NAT with which Zeroshell implements the Virtual Server feature, but I am not sure. Please, correct me if I am wrong.
Fulvio

June 7, 2007 at 5:27 am #45399
Yes, pfSense and m0n0wall have those features, maybe they ended up naming it like that.
Behaviour: when you are on the LAN side and you try to make a connection to one of your WAN IPs… you will get squat…
NAT reflection fixes this; now I don’t really remember if Zeroshell behaved like this or not…
One thing though… even with this, the source IP of the connection is still your LAN IP, this would be a pain in the a.. if you are hosting a BitTorrent tracker 🙂

June 11, 2007 at 11:59 am #45400
pfSense and m0n0wall use ipfilter, Zeroshell uses iptables, so you don’t need a workaround like them. You can use rules like these to get it working.
# DNAT: LAN clients connecting to the public address are sent to the internal server
# (prerouting_rule, forwarding_rule and postrouting_rule are user-defined chains;
#  on a stock iptables setup use PREROUTING, FORWARD and POSTROUTING instead)
iptables -t nat -A prerouting_rule -d WAN_IP -p tcp --dport 80 -j DNAT --to 192.168.0.10
# let the redirected traffic through the forwarding chain
iptables -A forwarding_rule -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
# masquerade LAN sources so the server replies via the router instead of directly to the client
iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p tcp --dport 80 -d 192.168.0.10 -j MASQUERADE
All traffic on port 80 from LAN (192.168.0.0/24) to WAN (WAN_IP) will be redirected to the internal webserver (192.168.0.10).

June 14, 2007 at 4:21 pm #45401
Yes, of course you can do that if you know iptables… it’s just a matter of a checkbox versus 3 lines and years of using iptables. I’m sure you have time for it if you’re a net admin.

June 16, 2007 at 12:26 am #45402
This is standard in most Linux firewalls. You just have to forward a port, and you’ll be able to reach the NATted server through the WAN port. I have not installed Zeroshell yet, but I think it’s time to do that now.

January 13, 2009 at 12:49 am #45403
Well, first things first, so: Fulvio, thanks for this great product! I’ve been using Zeroshell after trying both pfSense and m0n0wall and this seems to be the best and most complete product for my needs.
Now that the thanks are taken care of, I’m going to bring this topic back from the dead.
NAT Reflection is one “feature” that allows you to access servers behind PAT through your WAN IP. For example, you have a public name that has a public address… If you try to access this inside your local network, your packets are going to be directed to your firewall and don’t go through the WAN interface… So, if you have PAT defined with the interface instead of the public IP, it doesn’t get done. I know that in beta11 we can define PAT through the IP address, but the previous scenario is especially necessary in cases where you have a dynamic public IP address…
I’ve been exploring the guts of Zeroshell and I think it can be done with two changes:
1. Add the following line to the script router_patconfig: “iptables -t nat -A PREROUTING $IP -p $PROTOCOL --dport $LOCALPORT -j DNAT --to $REMOTEIP:$REMOTEPORT” where $IP=-d WAN_IP. This IP should be the WAN_IP address when it is assigned by DHCP.
2. Using the hooks of the dhclient-script, refresh the IP in the nat table whenever dhclient updates WAN_IP.
Maybe step 2 can be the only one, I think the initial setup may be unnecessary…
What do you think? Can this be done? If so, in time for beta12? If not, how do you recommend I solve this problem? In my opinion this is very important, especially in the SOHO market, where most companies keep the internet connection behind a dynamic IP…
Thanks!

January 13, 2009 at 5:12 pm #45404
What is NAT Reflection?
What exactly does it allow me to do?

January 14, 2009 at 12:25 pm #45405
When configuring PAT, you have two options (at least in beta11, from what I read in these forums):
1. Apply the PAT rule to the WAN interface;
2. Apply the PAT rule to the WAN IP.
If you choose option 1, when inside the local network, if you try to access the WAN IP, you connect directly to the firewall and not to the server you wanted, because your traffic doesn’t go through the WAN interface.
Option 2 is only a real option if you have a static IP on your WAN interface. If you have a dynamic IP address, as the configuration for option 2 requires an IP address and you don’t know it, you can’t use it.
NAT reflection is a feature of several other products that allows you to have the behaviour of option 2 when using option 1.
In Zeroshell you don’t have a possibility to configure that behaviour. Maybe a checkbox in option 1 could define a rule that did this through the hooks of DHCP (to refresh the rules on DHCP renewal).

January 14, 2009 at 2:23 pm #45406
I am trying to do the same thing. I have DSL and static IPs. I want to be able to reach my webserver with its domain name from within my LAN.
I am not sure if I followed this topic correctly, but has this been solved?
Do I need to implement Borage’s solution?
Any help would be very appreciated.
Thanks

January 14, 2009 at 2:33 pm #45407
If you have the latest release of Zeroshell the problem (yours) is solved, I think. Just configure PAT through IP instead of interface…
For those with a dynamic IP the problem remains unsolved…

January 14, 2009 at 2:50 pm #45408
Thanks thund3rman for the reply. Just one thing 😳 , I don’t know what PAT is or where in Zeroshell you configure it.
Could you point me to it?
Thanks a lot for your help.

January 14, 2009 at 4:54 pm #45409
PAT = Port Address Translation (http://en.wikipedia.org/wiki/Port_address_translation).
In Zeroshell: Router -> Virtual Servers
One virtual server is one PAT entry in the firewall.
Don’t forget to use IP instead of interface…

January 14, 2009 at 5:16 pm #45410
Thanks! You’re the man!
Really appreciate the help.

January 14, 2009 at 5:24 pm #45411
Can I use PAT / Virtual Servers to forward all packets from a particular interface or IP address to another Zeroshell router on the other end of my VPN connection? I want to use the other Zeroshell router as the Internet access.
I tried forwarding port 80 through the VPN, but when I check IPCHICKEN.COM for the ISP IP address being used, it shows the source router’s ISP address.
Is it possible, or is my thought process completely incorrect?
What am I missing?
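Added example, not code from this thread or from Zeroshell: it implements the two steps thund3rman proposed earlier (a DNAT rule keyed to the current WAN address, refreshed from a dhclient hook) on top of the three iptables rules Borage posted. The LAN and server values, the WAN interface name eth1, the ZS_REFL_* chain names and the hook path /etc/dhclient-exit-hooks are assumptions.

```shell
#!/bin/sh
# Added example, not Zeroshell's own code: keep NAT-reflection (hairpin) rules
# in step with a dynamic WAN address from a dhclient exit hook. Assumed values:
# LAN 192.168.0.0/24, web server 192.168.0.10:80, WAN interface eth1.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SERVER_IP="${SERVER_IP:-192.168.0.10}"
SERVER_PORT="${SERVER_PORT:-80}"
WAN_IF="${WAN_IF:-eth1}"
IPT="${IPT:-iptables}"   # IPT=echo turns every call into a dry run

# (Re)create user chain $chain in $table, jumped to from $parent, holding one
# rule. Own chains let a lease renewal rebuild only the reflection rules.
setup_chain() {
    table=$1; parent=$2; chain=$3; shift 3
    $IPT -t "$table" -N "$chain" 2>/dev/null || true   # exists already: fine
    $IPT -t "$table" -F "$chain"
    $IPT -t "$table" -C "$parent" -j "$chain" 2>/dev/null \
        || $IPT -t "$table" -I "$parent" -j "$chain"
    $IPT -t "$table" -A "$chain" "$@"
}

# Borage's three rules, parameterised on the current WAN IP. The MASQUERADE is
# essential: without it the server answers the LAN client directly from its
# own address and the client, expecting the WAN IP, drops the reply.
apply_reflection() {
    wan_ip=$1
    setup_chain nat PREROUTING ZS_REFL_DNAT -s "$LAN_NET" -d "$wan_ip" \
        -p tcp --dport "$SERVER_PORT" -j DNAT --to-destination "$SERVER_IP:$SERVER_PORT"
    setup_chain filter FORWARD ZS_REFL_FWD -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$SERVER_PORT" -j ACCEPT
    setup_chain nat POSTROUTING ZS_REFL_SNAT -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$SERVER_PORT" -j MASQUERADE
}

# Same rules, only printed (IPT=echo in a subshell); handy to review or test.
dry_run_reflection() { ( IPT=echo; apply_reflection "$1" ); }

# Rebuild on every fresh lease; on renewals only if the address changed.
needs_refresh() {   # args: reason new_ip old_ip
    case "$1" in
        BOUND|REBOOT) return 0 ;;
        RENEW|REBIND) [ -n "$2" ] && [ "$2" != "$3" ] ;;
        *)            return 1 ;;
    esac
}

# Hook body: dhclient-script exports reason, interface, new_ip_address and
# old_ip_address before sourcing /etc/dhclient-exit-hooks (path is assumed).
if [ -n "$reason" ] && [ "$interface" = "$WAN_IF" ] && needs_refresh "$reason" "$new_ip_address" "$old_ip_address"; then
    apply_reflection "$new_ip_address"
fi
```

Run `dry_run_reflection 203.0.113.5` to review the exact iptables invocations before installing the file as the hook.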