06-13-2013 05:30 AM
Using an SRP251W-U firmware 1.2.5
I have two ports forwarded, one is a straight forward for port 22 to the local LAN server. The other is a port forward for external port 81 to internal port 80 on the same LAN server.
Using Network Setup -> Firewall -> IPV4 -> Advanced Firewall Settings
I wish to only allow a certain source ip access to the two port forwardings. I have the following rules:
Priority 1 - Source: x.x.x.x - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - PERMIT
Priority 2 - Source: x.x.x.x - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 22 - PERMIT
Priority 3 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 22 - DENY
Priority 4 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - DENY
The above rules work fine to block port 22. Only the IP of x.x.x.x can reach port 22 - perfect.
The issue is, the rule for port 81 is not working. Every IP can reach port 81.
Is there a bug in the advanced firewall rules or NAT rules such that, if you translate an external port to a different internal port, the advanced firewall doesn't work?
I need the ability to NAT port forward external port 81 to internal port 80, AND only allow certain source IPs to be able to access external port 81.
06-13-2013 06:10 AM
Hi Dan,
This can be a little confusing, but the thing you have to remember with advanced firewall rules is that they are applied after the NAT translation.
If you change your first rule to reflect the internal server address for destination and use port 80 as the destination port, you should find that it works.
The port 22 rule just happened to work as you are not converting that one.
Although this might seem a little backwards, it actually offers more flexibility as it allows you to create different rules for internal hosts that sit behind a common public IP address.
HTH,
Andy
06-13-2013 07:24 AM
The same symptoms seem to exist when I change the first rule as you suggested.
Here are the rules I have now:
Priority 1 - Source: x.x.x.x - Dest 192.168.0.253/255.255.255.0 - Proto ANY - Source Port ANY - Dest Port 80 - PERMIT
Priority 2 - Source: 0.0.0.0 - Dest 0.0.0.0 - Proto ANY - Source Port ANY - Dest Port 81 - DENY
Maybe I misunderstood your suggestion and did something wrong?
06-13-2013 08:19 AM
Got it working, I had to change the other rule as well.
Thanks a lot Andrew!
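The order Andy describes (port forward first, advanced firewall rules evaluated on the translated packet) modelled as an added example, not the router's code: it reproduces why the original port 81 rules never match and why the post-NAT rules do, and adds a check that flags rules written against an external port that no longer exists after translation. The trusted source 203.0.113.10, the stranger 198.51.100.5, the public address 192.0.2.1 and the default-permit fall-through are assumptions; 192.168.0.253 is the server from the thread.

```python
# Added example: simulates "DNAT first, then advanced firewall rules" on an
# SRP251W-U-style pipeline. Addresses other than 192.168.0.253 are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Port forwards from the thread: external port -> (internal host, internal port)
DNAT = {81: ("192.168.0.253", 80), 22: ("192.168.0.253", 22)}

TRUSTED = "203.0.113.10"  # stand-in for the x.x.x.x source in the thread
# Rules: (source, destination, dest port, action); "0.0.0.0" means any address
ORIGINAL_RULES = [  # Dan's first attempt: written against the external port
    (TRUSTED, "0.0.0.0", 81, "PERMIT"),
    (TRUSTED, "0.0.0.0", 22, "PERMIT"),
    ("0.0.0.0", "0.0.0.0", 22, "DENY"),
    ("0.0.0.0", "0.0.0.0", 81, "DENY"),
]
FIXED_RULES = [  # Andy's advice applied to both rules: post-NAT host and port
    (TRUSTED, "192.168.0.253", 80, "PERMIT"),
    (TRUSTED, "192.168.0.253", 22, "PERMIT"),
    ("0.0.0.0", "0.0.0.0", 22, "DENY"),
    ("0.0.0.0", "0.0.0.0", 80, "DENY"),
]

def _match(ip, spec):
    return spec == "0.0.0.0" or ip == spec

def translate(pkt):
    """Apply the port-forward table before the firewall sees the packet."""
    if pkt.dport in DNAT:
        host, port = DNAT[pkt.dport]
        return replace(pkt, dst=host, dport=port)
    return pkt

def verdict(rules, pkt):
    """First matching rule in priority order wins; a forwarded port that
    matches no rule is allowed through (assumption inferred from the thread)."""
    post = translate(pkt)
    for src, dst, dport, action in rules:
        if _match(post.src, src) and _match(post.dst, dst) and post.dport == dport:
            return action
    return "PERMIT"

def never_matching(rules):
    """Flag rules keyed on an external port that is rewritten by DNAT and
    never appears as a destination port after translation."""
    internal_ports = {port for _, port in DNAT.values()}
    return [r for r in rules if r[2] in DNAT and r[2] not in internal_ports]
```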