Solved: RV220W One-to-One NAT only allows a single service?

kevinjmorse · ‎09-17-2012

Hi there,

Just purchased an RV220W for a customer to replace a WRVS4400N that had no support for One-to-One NAT and have found the One-to-one NAT for this router is only marginally better.

I have three WAN addresses and three devices to map them to. With the RV0xx I've used the following configuration over a dozen times.

WAN Address 1 - the router's public address

Port forward HTTP, HTTPS, and SMTP to Windows Small Business Server 2011

Email and Remote Web Access are accessible at remote.company.com

WAN Address 2

One-to-one NAT to private IP address of Ubuntu Server

Add the following access rules:

Deny all
Allow HTTP from any to private IP address of server
Allow SSH from my company's static IP to private IP
Allow FTP from my company's static IP to private IP

Companies website is accessible at company.com and I can update the website with SSH and FTP

WAN Address 3

One-to-one NAT to private IP address of the Hyper-V server's Intel RMM module (Lights out remote management)

Add the following access rules:

Deny all
Allow HTTP, HTTPS, and all RMM ports from my company's static to the RMM modules private IP

I can access server at rmm.company.com from my companies network connection

My problems are as follows:

The One-to-one NAT option now requires you to specify the service you'd like to forward (Note: service, not services)
If you select the Any service which is the only way I can see to have more than one service, there is no way to add any specific Allow or Deny rules because the Destination box is grayed out on the access rules page.
This results in my Ubuntu server only having HTTP forwarded to it and my RMM module having all ports opened up to any IP address.

There must be some way around this! I don't understand why the Destination IP option is greyed out for all Inbound access rules. I have been using this same configuration with the Cisco RV0xx, many Sonicwall firewalls, as well as several Cisco ASAs. Obviously this is not an ASA but this implementation of One-to-one NAT is useless!

Any help is greatly appreciated. Thanks,

Kevin

Te-Kai Liu · ‎09-20-2012

Due to the GUI restricting only one service in the one-to-one NAT page, users have to go to the Firewall>Access Rules page to specify additional services that are allowed.

View solution in original post

juan_diego_rodriguez · ‎09-20-2012

In order tp get an acurate and quick answer, try on the correct forum "small business - wireless". You can move your post using the Actions Panel on the right.

kevinjmorse · ‎09-20-2012

This question is 100% about routing and 0% about wireless. Looking at the posts in the Small Business - Wireless forum I believe this to be in the right place.

Cheers,

Kevin

Te-Kai Liu · ‎09-20-2012

Due to the GUI restricting only one service in the one-to-one NAT page, users have to go to the Firewall>Access Rules page to specify additional services that are allowed.

kevinjmorse · ‎09-20-2012

Thanks tekliu,

That was what I was looking for.

I didn't realize that Access Rules on the RV220W actually enabled you to specify NAT as part of the settings.

The working settings were as follows:

Action: Always Allow

Service: SSH-TCP

Send to Local Server (DNAT IP): IP Address of Ubuntu Server

Use Other WAN (Internet) IP Address: Enable

WAN (Internet) Destination IP: External IP Address that is being One-to-One NATted to the server.

Te-Kai Liu · ‎09-20-2012

Kevin, thank you for sharing the detailed config example with the community.