Problems Port Forwarding from WAN Over PepVPN


#1

I have a Balance 20 and a Balance One Core. They are linked via PepVPN. I have created a port forwarding rule for Port 80 (HTTP) from WAN1 on the Balance 20 to a web server on the Balance One. The port forwarding is not working even when the internal access rules on both routers are set to “any to any”.

I cannot ping any addresses on the opposite side of the PepVPN from either side except for a router address. I can from the PepVPN to the addresses on the opposite side and I can do that from both sides.

I would appreciate any assistance including remote access.

Thanks!


#2

Often, when a PepVPN tunnel is up and the only remote device that can be pinged is the LAN of the remote Peplink router, the cause is that the remote devices are not using the remote Peplink as their gateway - is this the case?


#3

Update: The primary issue appeared to be that I had RIPv2 settings enabled. I deleted those and that solved one of the problems. Now the issue is down to internal access rules.

When I suspend the internal access rules by adding a rule at the top allowing “any to any”, the WAN successfully port forwards to the server across the PepVPN. I have tried suspending the “deny” internal access rules one by one for debugging purposes and no success with the bottom default rule being “deny”. Obviously I don’t have the correct “allow” rule. I have tried allowing the external IP address from the WAN to access the server IP address (across the PepVPN), but no success.

I am guessing that I don’t quite have the information correct for the “allow” rule from the WAN on Router 1 to forward to the server on Router 2 across the PepVPN, so I could use some help here. I’m sure you will find it quite obvious once you log in, but for the life of me I cannot figure it out and I cannot leave the “any to any” internal access rule be my standard configuration.

I assume you will need to remotely access my router. If I am correct, would you please send me the link to open a trouble ticket?


#4

Update number 2: It appears it could be a bug. Here is what I found:

  • On Router 1, WAN 1 I forwarded port 80 (HTTP) to my web server’s port 80 on Router 2, meaning it port forwards across the PepVPN.

  • On Router 2, when I set the top internal access rule to “any to any”, it works and I can see the web server from the WAN 1 external IP address (i.e. it works).

  • On Router 2 internal access, when I disable the “any to any” rule and create a rule at the top that permits Any Address Single Port 80 to access Port 80 at the address of my web server on Router 2, it does not work.

  • On Router 2 internal access, when I modify the above rule to allow Any Address Any Port to access Port 80 at the address of my web server on Router 2, it works.

I need someone at Peplink to explain to me the following:

  1. Why does this rule work for Any Address Any Port to access my web server address Port 80, but Any Address Single Port 80 to access my web server address Port 80 does not work?
  2. For security purposes, I want to limit the Any Address Any Port for the source to be just the address of my WAN 1 IP Address and just a single port, in this case Port 80. How do I accomplish this?

Thanks!


#5

Thanks for the prompt reply.

That is correct. They are using their local Peplink router as their gateway, not the router on the other end of the PepVPN.

That said, we still have the issue of not being able to port forward from the WAN on one router to a server on the other router via the PepVPN.


#6

Bump…is anyone at Peplink going to respond?


#7

Regarding the firewall rules, if you specify the “source” port 80 and you are testing from behind a NAT router with port 80 already in use, the source port will become a random port number. A packet capture will reveal this, and it should work when you specify a single source IP address but leave the source port to any.
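
An added illustration of the source-port point above, not part of the thread and not Peplink code: it opens a real loopback TCP connection, records the source port the server actually sees, and runs that flow through a hypothetical first-match rule table with default deny. The `Rule`/`Flow` model, the rule names and the address `203.0.113.7` are assumptions made for the example, and an OS-assigned port stands in for the web server's port 80.

```python
import ipaddress
import socket
from collections import namedtuple

# Hypothetical model of an ordered, first-match rule table (not Peplink's code).
Rule = namedtuple("Rule", "action src_net src_port dst_ip dst_port")  # src_port None = any
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

def evaluate(rules, flow):
    """Return the action of the first matching rule; default deny otherwise."""
    for r in rules:
        if (ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(r.src_net)
                and r.src_port in (None, flow.src_port)
                and (r.dst_ip, r.dst_port) == (flow.dst_ip, flow.dst_port)):
            return r.action
    return "deny"

def observe_flow():
    """Make a real loopback TCP connection and return the tuple the server sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # OS-assigned port stands in for the server's port 80
        srv.listen(1)
        dst_ip, dst_port = srv.getsockname()
        with socket.create_connection((dst_ip, dst_port), timeout=5):
            conn, (src_ip, src_port) = srv.accept()
            conn.close()
    return Flow(src_ip, src_port, dst_ip, dst_port)

def compare_rules(flow):
    """Evaluate the rule shapes tried in the thread against one observed flow."""
    dst = (flow.dst_ip, flow.dst_port)
    tables = {
        # source port pinned to the service port (the rule that did not work)
        "any_addr_single_src_port": [Rule("allow", "0.0.0.0/0", flow.dst_port, *dst)],
        # any source address, any source port (the rule that worked)
        "any_addr_any_src_port": [Rule("allow", "0.0.0.0/0", None, *dst)],
        # single source address, any source port (the shape suggested in the reply)
        "single_addr_any_src_port": [Rule("allow", flow.src_ip + "/32", None, *dst)],
    }
    return {name: evaluate(rules, flow) for name, rules in tables.items()}

if __name__ == "__main__":
    flow = observe_flow()
    print("observed:", flow)
    for name, verdict in compare_rules(flow).items():
        print(f"{name:26} -> {verdict}")
    # Constructed outsider address: the address-scoped rule falls through to default deny.
    outsider = flow._replace(src_ip="203.0.113.7")
    scoped = [Rule("allow", flow.src_ip + "/32", None, flow.dst_ip, flow.dst_port)]
    print("outsider vs single_addr rule ->", evaluate(scoped, outsider))
```

The observed source port is chosen by the client's operating system and differs from the destination port, which is why only the rules that leave the source port open match.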