Tested with firmware 8.1 beta 4, but I am pretty sure this has been true for a long time.
If, I forward port 1111 (for example) to port 2222 (for example) and then create an inbound firewall rule that logs all incoming requests to the target LAN side server, the firewall log only reports one of the two ports.
I do this all the time because I use a remote control program that needs an open port and the inbound firewall rule is an audit log for me.
Below is a sample log entry. That the WAN side request came in on port 1111 is not mentioned.
[ 5301.837118] Firewall: Allowed CONN=WAN1 MAC=00:1a:dd:f9:8a:a1:f4:92:34:10:d7:9e:07:00:41:00:00:24
SRC=[wan IP] DST=192.168.50.50
LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=16544 DF
PROTO=TCP SPT=21463 DPT=2222
WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0xa
So, can I confirm showing DPT=1111 in the firewall event log will be acceptable?
1 Like
Can I suggest:
Source Port: SPT=21463
Dstination Port: DPT = 1111
Then also
NAT Port: NPT=2222
1 Like
To be clear, I was suggesting showing both ports in the log, not switching which of the two ports is logged.
Since port forwarding with mapping has two destination ports, I don’t think DPT should be used at all. It is unnecessarily confusing. It would be clearer to use two new terms.
Maybe WAN port and LAN port (WDPT and LDPT)
Maybe Initial Port and Mapped port (IDPT and MDPT)
Maybe Outer port and Inner port (ODPT and IDPT)
Maybe something else.
I don’t like the term NAT port because it strikes me as vague, much like midnight. Is it part of the day just ended or day just beginning?
Actually neither do I since its technically PAT for Port Address Translation. Sp PAT =2222 would be better.
Changing the field names for DPT and SPT will upset anyone using off the shelf log engines since they are pretty standard abbreviations of the names used for the fields/flags of the IPv4, TCP, and UDP headers.
1 Like
Mis-understanding. I was not saying anything about the source port.
If DPT is locked in stone, fine. My new feature request was simply to add a new field showing the other port. Since DPT is currently post-translation, maybe ODPT (original destination port) or WDPT (WAN destination port).
1 Like
Let me poke engineering team on this. Thanks for the suggestion.
1 Like