nat reflection


This topic contains 37 replies, has 0 voices, and was last updated by  endre 3 years ago.

Viewing 15 posts - 1 through 15 (of 39 total)
  • #40642

    endre
    Member

    Hi, does anyone know if it is possible to set up NAT reflection rules with zeroshell (how ? 😀 )

    Also, has anyone successfully abused this router? I mean to the length of 50 new connections (or more) per second… how does it handle that?

    #45398

    imported_fulvio
    Participant

    What do you mean with “NAT Reflection”?
    I found with Google that pfSense and m0n0wall have implemented this feature. I suppose that the NAT reflection looks like the Destination NAT with which Zeroshell implements the Virtual Server feature, but I am not sure. Please, correct me if I am wrong.

    Regards
    Fulvio

    #45399

    endre
    Member

    yes, pfsense and monowall have those features, maybe they ended up naming it like that

    behaviour: when you are on the LAN side and you try to make a connection to one of your WAN IPs… you will get squat…
    NAT reflection fixes this; now I don’t really remember if zeroshell behaved like this or not…

    one thing though… even with this, the source ip of the connection is still your lan ip, this would be a pain in the a.. if you are hosting a bittorrent tracker 🙂

    nonetheless it is still a good thing to be able to open for example, the webserver on your pc by opening http://wan.ip.wan.ip/ instead of http://localhost

    #45400

    Borage
    Member

    pfSense and m0n0wall use ipfilter, zeroshell uses iptables, so you don’t need a workaround like them. You can use a rule like this one to get it working.

    iptables -t nat -A prerouting_rule -d WAN_IP -p tcp --dport 80 -j DNAT --to 192.168.0.10
    iptables -A forwarding_rule -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
    iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p tcp --dport 80 -d 192.168.0.10 -j MASQUERADE

    All traffic on port 80 from LAN (192.168.0.0/24) to WAN (WAN_IP) will be redirected to the internal webserver (192.168.0.10).

    #45401

    endre
    Member

    yes, of course you can do that if you know iptables… it’s just a matter of checkbox versus 3 lines and years of using iptables. I’m sure you have time for it if you’re a net admin.

    #45402

    Borage
    Member

    This is standard in most Linux firewalls. You just have to forward a port, and you’ll be able to reach the NATted server through the WAN port. I have not installed zeroshell yet, but I think it’s time to do that now.

    #45403

    thund3rman
    Member

    Well, first things first, so: Fulvio, thanks for this great product! I’ve been using zeroshell after trying both pfsense and monowall and this seems to be the best and most complete product for my needs.

    Now that the thanks are taken care of, I’m going to bring this topic back from the dead.

    NAT Reflection is one “feature” that allows you to access servers behind PAT through your WAN IP. For example, you have a public name that has a public address… If you try to access this inside your local network, your packets are going to be directed to your firewall and don’t go through the WAN interface… So, if you have PAT defined with the interface instead of the public IP, it doesn’t get done. I know that in beta11 we can define PAT through IP address, but the previous scenario is especially necessary in cases where you have a dynamic public IP address…

    I’ve been exploring the guts of zeroshell and I think it can be done with two changes:
    1. Add the following line to the script router_patconfig: “iptables -t nat -A PREROUTING $IP -p $PROTOCOL --dport $LOCALPORT -j DNAT --to $REMOTEIP:$REMOTEPORT” where $IP=-d WAN_IP. This IP should be the WAN_IP address when it is defined to dhcp.
    2. Using the hooks of the dhclient-script, refresh the IP in the nat table whenever dhclient updates WAN_IP.

    Maybe step 2 can be the only one, I think the initial setup may be unnecessary…
    What do you think? Can this be done? If so, in time for beta12? If not, how do you recommend me to solve this problem? In my opinion this is very important, especially in SOHO market, where most companies keep the internet connection behind a dynamic IP…

    Thanks!
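    The three rules Borage posted (#45400) and the dhclient-hook idea above (refresh the DNAT whenever the WAN lease changes) combined into one script. This is an added example, not Zeroshell's router_patconfig or any other Zeroshell code: the chain names reflect_pre/reflect_fwd/reflect_post, the FORWARDS and LAN_NET variables, and the placement of the hook in dhclient-exit-hooks are assumptions; $reason, $new_ip_address and $old_ip_address are the variables ISC dhclient-script exports to its hooks. It generalises Borage's single port-80 rule to any number of TCP or UDP forwards and restricts the DNAT to LAN sources so packets that really arrived from the Internet are not touched.

```shell
#!/bin/sh
# Hairpin NAT ("NAT reflection") helper for iptables.  Added example, not part of
# Zeroshell.  The rules are the same shape as Borage's post: DNAT in PREROUTING,
# ACCEPT in FORWARD, MASQUERADE in POSTROUTING, but kept in dedicated chains so
# they can be flushed and rebuilt every time a dynamic WAN address changes.
# Chain names and the hook interface are assumptions.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run without root
PRE_CHAIN="reflect_pre"            # hypothetical chain, jumped to from nat/PREROUTING
FWD_CHAIN="reflect_fwd"            # hypothetical chain, jumped to from filter/FORWARD
POST_CHAIN="reflect_post"          # hypothetical chain, jumped to from nat/POSTROUTING

# reflection_rules WAN_IP LAN_NET PROTO PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# Prints one iptables argument list per line for a single forwarded port.
# -s LAN_NET on the DNAT keeps Internet-originated traffic out of this rule.
# The MASQUERADE rewrites the LAN client's source to the router's LAN address, so
# the server replies through the router instead of straight back to the client
# (a direct reply would not match the translated connection and would be dropped).
# This is also why, as endre noted, the server only ever sees the router's LAN IP.
reflection_rules() {
  wan_ip=$1; lan_net=$2; proto=$3; pub_port=$4; int_ip=$5; int_port=$6
  printf '%s\n' \
    "-t nat -A $PRE_CHAIN -s $lan_net -d $wan_ip -p $proto --dport $pub_port -j DNAT --to-destination $int_ip:$int_port" \
    "-A $FWD_CHAIN -s $lan_net -d $int_ip -p $proto --dport $int_port -j ACCEPT" \
    "-t nat -A $POST_CHAIN -s $lan_net -d $int_ip -p $proto --dport $int_port -j MASQUERADE"
}

# Create the three chains and hook them into the built-in chains; idempotent.
ensure_chains() {
  $IPTABLES -t nat -N "$PRE_CHAIN" 2>/dev/null
  $IPTABLES -t nat -N "$POST_CHAIN" 2>/dev/null
  $IPTABLES -N "$FWD_CHAIN" 2>/dev/null
  $IPTABLES -t nat -C PREROUTING -j "$PRE_CHAIN" 2>/dev/null \
    || $IPTABLES -t nat -I PREROUTING -j "$PRE_CHAIN"
  $IPTABLES -t nat -C POSTROUTING -j "$POST_CHAIN" 2>/dev/null \
    || $IPTABLES -t nat -I POSTROUTING -j "$POST_CHAIN"
  $IPTABLES -C FORWARD -j "$FWD_CHAIN" 2>/dev/null \
    || $IPTABLES -I FORWARD -j "$FWD_CHAIN"
}

# rebuild_reflection WAN_IP LAN_NET PROTO:PUBLIC_PORT:INTERNAL_IP:INTERNAL_PORT ...
# Flushes the reflection chains and reinstalls every forward for the given WAN IP.
rebuild_reflection() {
  wan_ip=$1; lan_net=$2; shift 2
  ensure_chains
  $IPTABLES -t nat -F "$PRE_CHAIN"
  $IPTABLES -t nat -F "$POST_CHAIN"
  $IPTABLES -F "$FWD_CHAIN"
  for fwd in "$@"; do
    # Split proto:pub_port:int_ip:int_port on ':' using IFS only (no external tools).
    oldIFS=$IFS; IFS=:; set -- $fwd; IFS=$oldIFS
    reflection_rules "$wan_ip" "$lan_net" "$1" "$2" "$3" "$4" | while IFS= read -r rule; do
      # shellcheck disable=SC2086  # word-splitting the rule string is intended
      $IPTABLES $rule
    done
  done
}

# Body for a dhclient exit hook (hypothetical placement: /etc/dhclient-exit-hooks).
# dhclient-script runs the hook with $reason, $new_ip_address and $old_ip_address
# set, so the DNAT follows the lease.  LAN_NET and FORWARDS are assumed to be
# exported by whatever installs the hook, e.g.
#   LAN_NET=192.168.0.0/24  FORWARDS="tcp:80:192.168.0.10:80 udp:53:192.168.0.20:53"
reflection_dhcp_hook() {
  case "$reason" in
    BOUND|RENEW|REBIND|REBOOT)
      # A renewal that kept the same address needs no rule churn.
      if [ "$reason" = RENEW ] && [ "$new_ip_address" = "${old_ip_address:-}" ]; then
        return 0
      fi
      # shellcheck disable=SC2086  # FORWARDS is a space-separated list on purpose
      rebuild_reflection "$new_ip_address" "$LAN_NET" $FORWARDS
      ;;
  esac
}
```

    To see the rules without touching the firewall, run it as `IPTABLES=echo sh -c '. ./reflect.sh; rebuild_reflection 203.0.113.5 192.168.0.0/24 tcp:80:192.168.0.10:80'` (203.0.113.5 is a constructed documentation address). The `-C` checks make `ensure_chains` safe to call on every lease event; only the reflection chains themselves are flushed, so the rest of the nat and filter tables are left alone.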

    #45404

    What is NAT Reflection?

    What exactly does it allow me to do?

    #45405

    thund3rman
    Member

    When configuring PAT, you have two options (at least in beta11 from what I read in these forums):
    1. Apply PAT rule to the WAN interface;
    2. Apply the PAT rule to the WAN IP.

    If you choose option 1, when inside the local network, if you try to access the WAN IP, you connect directly to the firewall and not to the server you wanted, because your traffic doesn’t go through the WAN interface.

    Option 2 is only a real option if you have a static IP on your WAN interface. If you have a dynamic IP address, as the configuration for option 2 requires an IP address and you don’t know it, you can’t use it.

    NAT reflection is a feature of several other products that allows you to have the behaviour of option 2 when using option 1.
    In zeroshell you don’t have a possibility to configure that behaviour. Maybe a checkbox in option 1 could define a rule that did this through the hooks of dhcp (to refresh the rules on dhcp renewal).

    #45406

    baboo
    Member

    I am trying to do the same thing. I have DSL and static IPs. I want to be able to reach my webserver with its domain name from within my LAN.

    I am not sure if I followed this topic correctly, but has this been solved?

    Do I need to implement Borage’s solution?

    Any help would be very appreciated.

    thanks

    #45407

    thund3rman
    Member

    If you have the latest release of zeroshell the problem (yours) is solved I think. Just configure PAT through IP instead of interface…

    For those with dynamic IP the problem remains unsolved…

    #45408

    baboo
    Member

    thanks thund3rman for the reply. Just one thing 😳 , I don’t know what PAT is or where in zeroshell you configure it.

    Could you point me to it?

    thanks a lot for your help.

    #45409

    thund3rman
    Member

    Sorry…
    PAT = Port Address Translation (http://en.wikipedia.org/wiki/Port_address_translation).

    In zeroshell: router -> Virtual Servers
    One virtual server is one PAT entry in the firewall.

    Don’t forget to use IP instead of interface…

    #45410

    baboo
    Member

    thanks! You’re the man!

    really appreciate the help

    #45411

    Can I use PAT / Virtual Servers to forward all packets from a particular interface or IP address to another Zeroshell router on the other end of my VPN connection? I want to use the other Zeroshell router as the Internet access.

    I tried forwarding port 80 through the VPN, but when I check IPCHICKEN.COM for the ISP IP address being used, it shows the source router’s ISP address.

    Is it possible, or is my thought process completely incorrect?

    What am I missing?
