Port Forwarding to vlan

I have a Balance 20 with a main vlan 192.168.3.x and another vlan 192.168.61.x

I want to forward a specific port request from the wan1 interface to a device on the second vlan 192.168.61.10. I have set everything on port forwarding and firewall yet it does not work.

Why?

thanks…

Kevin, please post your port forwarding, nat and firewall screenshots so we can try to understand the problem.
The port forwarding rules look OK to me.

There are typos on the address for outbound and internal rules, 162.168.61.10 I assume you meant that to be 192.168.61.10? Either way it is a bit of a moot point as those rules do nothing given your default action is to permit everything in and out so the traffic would hit them anyway. Likewise the internal network rules list is for traffic between VLANs, not relevant to the traffic flowing from the WAN to the LAN - pro tip, those blue question marks explain quite clearly what traffic each list acts on.

On your inbound firewall rules I would enable the logging action, you can then see traffic matching this in the system/event logs. I’d check that the traffic is actually hitting the WAN interface like you expect. Again, the default action is set to permit any/any so those rules are somewhat pointless but I’d enable the logging to get the debug info.

If it does then a couple of things I suppose - does the device you are forwarding to have a firewall of its own that might need to be told to accept connections?

If you replace /manga/index.cgi with /manga/support.cgi you can do packet captures, might be worth grabbing a capture of what happens when you are making connection attempts, ideally doing this from something outside of the Balance 20 WAN so you can simulate traffic really coming in from the WAN side.

For what it’s worth I would also suggest once you get the forwarding working that down the line you change the default inbound and internal actions to deny and then making explicit rules for what you need.

Thank you for your response and noticing the typo.

There still seems to be a problem; even from the main vlan locally (192.168.3.20) I am trying to access 192.168.61.10 via 3389 / RDP and cannot connect. However, if I add a vlan IP address to the network adapter, i.e. 192.168.61.200, I can access that vlan.

Does that help at all? Shouldn't I be able to do this without adding a vlan address?

If you go to the LAN config is “inter VLAN routing” ticked?

That will allow all traffic between the two VLANs - this is where you’d maybe want to consider the internal firewall rules to restrict just what is permitted between them.

Yes, it is checked … inter vlan routing, yet it does not work. That is what I do not understand. Do all three vlans need to be checked? I only want .3 and .61 to be interconnected.

No, you should only need it ticked for the ones you want to permit traffic between.

I think you need to do some more basic testing to see where the problem lies, I’d start by checking that a host in vlan1 can ping the gateway for vlan6, then a host in vlan6. I’d test this the other way around too, i.e. a host in vlan6 can it ping the gateway for vlan1, and a host in vlan1. You can also use the Balance to test this and source traffic from the balance itself on different interfaces.

Have you checked there are no host firewalls in place here? It sounds a bit odd that the machine in vlan6 will accept connections from something in the same subnet but not from something outside of its subnet.

vlan6 is not using dhcp; is that a factor?

No, however you say that it works when you are within the same subnet which leads me to want to check that the machine in vlan6 has a gateway configured correctly.

This should be set to the 192.168.61.1 address of the Balance.

Without that configured it won’t be able to send traffic to another subnet, or to the internet which might also explain why your port forwarding is not working if that is the case.

The server at 192.168.61.10 has 192.168.61.1 as the gateway. However, pinging from 61.10 to 61.1 does not return success. Pinging 3.1 from 61.10 has no success either. 61.10 cannot reach the internet.
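The step-by-step reachability test suggested earlier in this thread (own gateway, then the other VLAN's gateway, then the host in the other VLAN, in both directions) and the gateway check in the last few posts can be written down as a small script so the result points at the hop that breaks. The following is an added example, not code from the thread or from Peplink; it uses the addresses from the thread (192.168.3.1, 192.168.61.1, 192.168.3.20, 192.168.61.10), assumes the system `ping` is available when run live, and the `fake_probe` network state is constructed to model the last post (192.168.61.10 reaching nothing, not even its own gateway) plus an assumed result for the vlan1 side.

```python
"""Inter-VLAN reachability test and diagnosis (added example, not the thread's own code)."""
import subprocess
from typing import Callable, Dict, List

# Addresses taken from the thread: the Balance's VLAN interfaces and the two hosts.
VLAN1_GW = "192.168.3.1"
VLAN6_GW = "192.168.61.1"
VLAN1_HOST = "192.168.3.20"
VLAN6_HOST = "192.168.61.10"

# From each source host: its own gateway, the other VLAN's gateway, the other VLAN's host.
TEST_PLAN: Dict[str, List[str]] = {
    VLAN1_HOST: [VLAN1_GW, VLAN6_GW, VLAN6_HOST],
    VLAN6_HOST: [VLAN6_GW, VLAN1_GW, VLAN1_HOST],
}

# A probe answers "can `source` reach `target`?". The live probe ignores `source`
# because it is run on that host; the fake probe uses it to look up modelled state.
Probe = Callable[[str, str], bool]


def ping_probe(source: str, target: str) -> bool:
    """One ICMP echo with a 1 s wait; False if unreachable or if ping is not installed."""
    try:
        proc = subprocess.run(["ping", "-c", "1", "-W", "1", target],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=5)
        return proc.returncode == 0
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False


def diagnose(own_gw: bool, other_gw: bool, other_host: bool) -> str:
    """Map the three probe results to the first hop that fails."""
    if not own_gw:
        return "LOCAL"        # host cannot even reach the Balance interface in its own VLAN
    if not other_gw:
        return "INTER_VLAN"   # Balance answers locally but not across VLANs
    if not other_host:
        return "REMOTE_HOST"  # routing through the Balance works, the far host does not answer
    return "OK"


HINTS = {
    "LOCAL": "Check the host's gateway address (must be the Balance's address in that VLAN), "
             "the host's own firewall, and the VLAN tagging on the port between host and Balance.",
    "INTER_VLAN": "Confirm inter-VLAN routing is ticked for both VLANs and review the internal "
                  "network firewall rules.",
    "REMOTE_HOST": "Check the remote host's firewall and its default gateway; replies must "
                   "route back through the Balance.",
    "OK": "Layer-3 reachability is fine; for the port forward, enable logging on the inbound "
          "rule and capture on the WAN to confirm the traffic arrives.",
}


def run_plan(probe: Probe, plan: Dict[str, List[str]] = TEST_PLAN) -> Dict[str, str]:
    """Run the three probes for every source in the plan; return {source: diagnosis code}."""
    results = {}
    for source, (own_gw, other_gw, other_host) in plan.items():
        results[source] = diagnose(probe(source, own_gw), probe(source, other_gw),
                                   probe(source, other_host))
    return results


# Constructed network state (not measured): vlan6 host reaches nothing, as in the last post;
# the vlan1 host reaching both Balance interfaces but not 192.168.61.10 is an assumption.
CONSTRUCTED_STATE = {
    VLAN1_HOST: {VLAN1_GW, VLAN6_GW},
    VLAN6_HOST: set(),
}


def fake_probe(source: str, target: str) -> bool:
    """Offline stand-in for ping_probe driven by CONSTRUCTED_STATE."""
    return target in CONSTRUCTED_STATE.get(source, set())


if __name__ == "__main__":
    # Offline run against the constructed state. On a real host, run only that host's row,
    # e.g. run_plan(ping_probe, {VLAN6_HOST: TEST_PLAN[VLAN6_HOST]}) on 192.168.61.10.
    for source, code in run_plan(fake_probe).items():
        print(f"from {source}: {code} - {HINTS[code]}")
```

Running it offline gives `LOCAL` for 192.168.61.10, which matches the thread's conclusion: a host that cannot ping its own gateway address has a problem on its own side (gateway setting, host firewall or VLAN membership) before port forwarding or inter-VLAN routing on the Balance come into play.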