thund3rman

Forum Replies Created

Viewing 7 posts - 1 through 7 (of 7 total)
    in reply to: nat reflection #45416

    thund3rman
    Member

    Any development on this patch you mention?

    in reply to: nat reflection #45413

    thund3rman
    Member

    Any news on this?

    Maybe it would be a good thing to run on dhcp time (after getting the ip) for solutions with a dynamic ip address.

    in reply to: nat reflection #45409

    thund3rman
    Member

    Sorry…
    PAT = Port Address Translation (http://en.wikipedia.org/wiki/Port_address_translation).

    In zeroshell: router -> Virtual Servers
    One virtual server is one PAT entry in the firewall.

    Don’t forget to use IP instead of interface…

    in reply to: nat reflection #45407

    thund3rman
    Member

    If you have the latest release of zeroshell the problem (yours) is solved I think. Just configure PAT through IP instead of interface…

    For those with dynamic IP the problem remains unsolved…

    in reply to: nat reflection #45405

    thund3rman
    Member

    When configuring PAT, you have two options (at least in beta11 from what I read in this forum):
    1. Apply PAT rule to the WAN interface;
    2. Apply the PAT rule to the WAN IP.

    If you choose option 1, when inside the local network, if you try to access the WAN IP, you connect directly to the firewall and not to the server you wanted, because your traffic doesn’t go through the WAN interface.

    Option 2 is only a real option if you have a static ip in your WAN interface. If you have a dynamic ip address, as the configuration for option 2 requires an IP address and you don’t know it, you can’t use it.

    NAT reflection is a feature of several other products that allows you to have the behaviour of option 2 when using option 1.
    In zeroshell you don’t have the possibility to configure that behaviour. Maybe a checkbox in option 1 could define a rule that did this through the hooks of dhcp (to refresh the rules on dhcp renewal).

    in reply to: nat reflection #45403

    thund3rman
    Member

    Well, first things first, so: fluvio, thanks for this great product! I’ve been using zeroshell after trying both pfsense and monowall and this seems to be the best and most complete product for my needs.

    Now that the thanks are taken care of, I’m going to bring this topic back from the dead.

    NAT Reflection is one “feature” that allows you to access servers behind PAT through your WAN ip. For example, you have a public name that has a public address… If you try to access this inside your local network, your packets are going to be directed to your firewall and don’t go through the WAN interface… So, if you have PAT defined with interface instead of the public ip, it doesn’t get done. I know that in beta11 we can define PAT through ip address but the previous scenario is especially necessary in cases where you have a dynamic public ip address…

    I’ve been exploring the guts of zeroshell and i think it can be done with two changes:
    1. Add the following line to the script router_patconfig: “iptables -t nat -A PREROUTING $IP -p $PROTOCOL --dport $LOCALPORT -j DNAT --to $REMOTEIP:$REMOTEPORT” where $IP=-d WAN_IP. This ip should be the WAN_IP address when it is defined to dhcp.
    2. Using the hooks of the dhclient-script, refresh the ip in the nat table whenever dhclient updates WAN_IP.

    Maybe step 2 can be the only one, I think the initial setup may be unnecessary…
    What do you think? Can this be done? If so, in time for beta12? If not, how do you recommend I solve this problem? In my opinion this is very important, especially in the SOHO market, where most companies keep the internet connection behind a dynamic IP…

    Thanks!
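
An added example, not Zeroshell's own router_patconfig and not code from fluvio or thund3rman, of the two steps in this post and of the "option 1 vs option 2" discussion in the reply above: a POSIX sh script that installs the DNAT rule against the WAN address instead of the WAN interface, and exposes a hook function for dhclient-script that drops the rules for the old lease address and adds them for the new one. It goes one step beyond the post by also adding the POSTROUTING MASQUERADE (hairpin) rule, without which the internal server would answer the LAN client directly and the client would drop the reply. The interface name eth0, the LAN subnet 192.168.1.0/24, the PAT entries, the 203.0.113.x addresses and the /etc/dhcp/dhclient-exit-hooks.d/ path are assumed placeholders; dhclient-script really does export reason, old_ip_address and new_ip_address to its hooks. Set IPTABLES=echo to dry-run and see the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not Zeroshell's router_patconfig): NAT reflection for PAT entries.
# Assumptions: Linux with iptables; WAN_IF, LAN_NET and the PAT table below are
# constructed placeholders.  IPTABLES=echo turns every rule into a dry-run print.

IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"              # placeholder WAN interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # placeholder LAN subnet whose clients get reflection

# First IPv4 address currently bound to the WAN interface (empty if none).
wan_ip() {
    ip -4 -o addr show dev "$WAN_IF" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Arguments of the DNAT rule for one PAT entry.  $1 is -A (add) or -D (delete).
# Matching "-d <wan ip>" rather than "-i $WAN_IF" is the whole point: LAN clients
# talking to the public address never enter through the WAN interface.  "-s $LAN_NET"
# keeps this rule from shadowing the ordinary PAT rule for clients on the internet.
dnat_args() { # action wan_ip proto public_port internal_ip internal_port
    echo "-t nat $1 PREROUTING -s $LAN_NET -d $2 -p $3 --dport $4 -j DNAT --to-destination $5:$6"
}

# Hairpin rule: without it the internal server replies to the LAN client directly,
# the client sees an answer from the wrong address, and the connection is dropped.
snat_args() { # action proto internal_ip internal_port
    echo "-t nat $1 POSTROUTING -s $LAN_NET -d $3 -p $2 --dport $4 -j MASQUERADE"
}

# Add (-A) or delete (-D) the reflection rules of every PAT entry for one WAN address.
# Refuses an empty address so a rule with "-d" and no value is never installed.
apply_reflection() { # action wan_ip
    [ -n "$2" ] || return 1
    while read -r proto pubport intip intport; do
        # Word splitting of the echoed argument list is intended here.
        $IPTABLES $(dnat_args "$1" "$2" "$proto" "$pubport" "$intip" "$intport")
        $IPTABLES $(snat_args "$1" "$proto" "$intip" "$intport")
    done <<EOF
tcp 80 192.168.1.10 80
tcp 443 192.168.1.10 443
EOF
    return 0
}

# Hook body for dhclient-script (e.g. sourced from /etc/dhcp/dhclient-exit-hooks.d/,
# path assumed).  dhclient exports reason, old_ip_address and new_ip_address.
refresh_nat_reflection() {
    case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        # Same address as before: nothing to swap.
        [ "${old_ip_address:-}" = "${new_ip_address:-}" ] && return 0
        [ -n "${old_ip_address:-}" ] && apply_reflection -D "$old_ip_address"
        apply_reflection -A "$new_ip_address"
        ;;
    EXPIRE|FAIL|RELEASE|STOP)
        # Lease gone: leave no rule pointing at an address we no longer own.
        [ -n "${old_ip_address:-}" ] && apply_reflection -D "$old_ip_address"
        ;;
    esac
    return 0
}

# One-shot install at boot: read the current WAN address and add the rules.
install_now() {
    apply_reflection -A "$(wan_ip)"
}

case "${1:-}" in
install) install_now ;;
hook)    refresh_nat_reflection ;;
esac
```

Run it once as `nat-reflection.sh install` after the WAN interface is up, and call `refresh_nat_reflection` from the dhclient exit hook so the rule set follows the lease; the `-D` before `-A` is what keeps stale rules for a previous address from accumulating in the nat table.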

    in reply to: time syncronisation on boot #47275

    thund3rman
    Member

    As fluvio himself already said somewhere in this forum (I think I’m not mistaken) another solution to that problem is to solder a battery to the alix board (or the battery support as I already did). This way the RTC retains the value upon reboot or powerloss…

    The battery placement exists in the board, but most alix vendors don’t assemble a battery support. If you search the board manuals you will find the necessary info.

    Nevertheless, this could be prevented if the network interfaces were brought up before ntp, then ntp and then any certificate-dependent service (now that the date is correctly set up). Don’t know if this is possible though.
