Port Forwarding

TurboSam

Active Member
I wonder if someone can help me with port forwarding for the M1XEP.

My router/firewall, CheckPoint's UTM-1 Edge W, offers me "allow and forwarding" or simply "allow" from a connection source to a destination source. I can designate the specific TCP port(s), but I can't figure out whether I need two rules for each of the four ports (2601, 21, 26, and 80) to allow both incoming and outgoing or whether the ports only need to allow incoming traffic. I've been assuming the router needs to "allow and forward" the connection from the WAN (internet) input on the router (other options include ANY source, "this gateway," or individual network objects or static IP addresses) to the ELK M1XEP network object which has a static IP (rather than to "this gateway" or LAN or something else). Does that sound right? I've absorbed as much as I could from portforward.com, but that site does not have my router or any details for the Edge.

I've set up a DDNS on dynDNS, but I can't get that to work either, and I don't know if the problems are related or not. I'm on comcast, and nslookup returns the correct outside IP but I can't access the outside IP address from outside the network, and when I try it from inside the network, it pulls up the login page for the router.

Thanks for any suggestions.
 
I am not an expert but can offer some suggestions.

External interface rules -

Typically a firewall can be set up to allow in and forward to any or allow in and forward to one TCP or UDP.

Internal interface rules-

Another set of rules goes from the inside of the firewall to the network or a specific network device, and can be TCP or UDP.

You can play with these rules, allowing one open port from the external interface and changing the port on the internal interface.

You can also do similar "stuff" with your Dynamic DNS port forwarding from one DNS name to another.

Depending on your firewall and configuration you could therefore have two sets of rules for the same port numbers - one for the red interface (externally facing to WAN) and another set for the internal interface (green internal network).
You can also specify specific devices on your network to be totally open to the external interface of the firewall (another set of rules).

A quick test is to first open up your internal device with no filters to the WAN. Test your device with your DDNS name. If it works then you have validated your DDNS name. Then do one port or port range at a time on the external interface, matching it with the internal rule for the internal interface (i.e. just port 80 first). Another test is to remove your firewall and connect the device to the Comcast modem directly. Test your DDNS, validate its connection, then reconnect your firewall.
 
Most typical (home) routers by default allow all outgoing traffic. Your ISP will block some ports (if it's a good ISP they only block data to prevent leaks from your local intranet onto the internet). Most likely you won't need to create outgoing rules, only incoming. If you have a business-class firewall, your rules can become very complex.

The Windows Firewall on the other hand can block outgoing communication by default -- you'll usually be aware when this happens because you'll get a popup.

When in doubt, start simple and build up. Connect your WAN line (from cable/dsl modem, bypassing the router) directly into your computer. You can then make sure everything is OK. Then add the router back into the mix.

To validate your DDNS name (which has nothing to do with port forwarding btw) all you need to do is open up a command prompt and type 'nslookup <hostname>' (substituting <hostname> for your DDNS address). If you get a Non-authoritative answer with an Address, compare the Address to your public IP. If they match, your DDNS is set up correctly.

A picture is worth a thousand words - try grabbing a screenshot of the port forwarding configuration and posting it.

Kent
 
Oh - I forgot to add.

More likely than not you will NOT be able to validate port forwarding from within your own network. You'll need someone who has a laptop tied to the cell network (not WiFi) or a neighbor to validate it for you.

Most routers are stupid and won't "loopback" into your own network. This is because they need separate physical connections to route between (i.e. they can't route a single connection in AND out on the same physical link).

<HOST A> -> <ROUTER> -> <INTERNET> works
<HOST B> -> <ROUTER> -> <INTERNET> works
<HOST A> -> <ROUTER> -> <HOST B> doesn't work -- the router wants to route from your WAN interface, not your LAN interface, when using the public IP address; of course, using your internal IP addresses this scenario works great.
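As an added illustration (not code posted in this thread) of Kent's two checks: first confirm that the nslookup answer matches the public IP, then probe each forwarded port one at a time, from a host outside the LAN. The hostname, addresses and nslookup text below are constructed placeholders.

```python
import re
import socket
from contextlib import closing

# Ports the original post says the Elk M1XEP needs forwarded.
M1XEP_PORTS = (2601, 21, 26, 80)

# Constructed nslookup output; hostname and addresses are placeholders.
SAMPLE_NSLOOKUP = """Server:  cdns01.comcast.net
Address:  203.0.113.1

Non-authoritative answer:
Name:    my-house.dyndns.example
Address:  198.51.100.23
"""

def ddns_matches_public_ip(nslookup_output, public_ip):
    """Read only the 'Non-authoritative answer' section: the Address line
    above it is the DNS server that replied, not your DDNS host."""
    parts = nslookup_output.split("Non-authoritative answer:", 1)
    if len(parts) < 2:
        return False
    addrs = re.findall(r"Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", parts[1])
    return public_ip in addrs

def tcp_port_open(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes; a port that is not
    forwarded (or is blocked upstream) is refused or times out."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False

def probe_ports(host, ports=M1XEP_PORTS, timeout=3.0):
    """Probe the forwarded ports one at a time. Run this from OUTSIDE the
    LAN: most routers will not hairpin the public IP back to a LAN host, so
    a run from inside proves nothing about the forwarding rules."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}

def local_demo():
    """Offline demonstration on loopback: one listening port and one port
    that was bound then released, so the probe logic runs without a router."""
    with closing(socket.socket()) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        open_port = listener.getsockname()[1]
        with closing(socket.socket()) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]  # free again after close
        return probe_ports("127.0.0.1", (open_port, closed_port), 1.0), open_port, closed_port
```

Replace the loopback target in `probe_ports` with the DDNS name when running from an outside connection such as a tethered phone.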
 
Attached are pictures of the Smoothwall interface - Checkpoint's interface is a bit different combining a bit. If you have a PDA telephone you can tether your laptop to it to test your home WAN connection.
Ports 21, 80 and 26 are done in the same manner.

[screenshot attached]

[screenshot attached]

[screenshot attached]

A little different on the CP. Your rules page (when completed it will be populated with your rules):

[screenshot attached]

Allow and forward:

[screenshot attached]

Service ==> Custom service ==> TCP and port

[screenshot attached]

Destination and source ==> if connection source is: ==> named above, then forward connection to your M1 IP

[screenshot attached]

Done ==> save the rule and you will see it on the list. Looks like you have to create one per port unless you have the option to create multiple for one rule (doesn't look like it though).

[screenshot attached]
 
Kent and Pete, thanks for the input.

Kent, I like the idea of starting simple and will take the router out of the picture. I guess the best way to test this is to take the WAN output from the cable modem and run it directly into the configured M1XEP (or, probably easier, into a two-node network with just the M1XEP and one computer so as not to expose too much during testing) and then try to address the M1XEP from outside the network. I have been using my iPhone (with WiFi disabled and only 3G active) as the "outside the network" test, but it seems to time out before the DDNS name can find anything and even before the actual outside IP address finds anything. Nslookup gives me the correct external IP as a "non-authoritative" answer, so I assume that means DDNS via dynDNS works and there is some other problem. I'm hoping the connection problem is iPhone/Safari or 3G related, and will try with a "real" outside connection today.

Pete, you are right--I have to use one rule for each port. I noticed in the step 2 screen shot above, you have "any service" checked. I had been using the "custom service" with the TCP protocol specified for each of the four ports and then forwarding, as you do above, to the specified IP for the M1XEP. So I guess I need to change the connection source to ANY and see if that works. Does that sound right?

Thanks again, guys. I'll play around today and see what happens. The Elk programming and setup is a snap compared to the networking hoops one has to go through!
 
I just took the examples from the manual. What you have to put in for step 2 is the actual service (Custom service) you created in step one. I believe that will be in the drop down box. It will be a "custom service". Any service sounds like it just opens up the firewall. You can try it to see what happens.

In order to ping your DDNS name there needs to be a pingable device on the other side of the modem. Best way is as you described. Just disconnect the firewall and plug the device to the ethernet port of the Comcast modem.

You should see a response back from your DDNS name and that will be your WAN IP address. BTW I can ping my DDNS name from the inside of my firewall and do get a response. I always test though with my tethered 3G phone.

Typically I also utilize odd ports and port forward the odd ports to regularly used ports with the port forwarding features that no-ip and dyndns offer. One of the features on the firewall that I am using is the ability to block ping responses so sometimes I keep it off or when I test I keep it on.

You can also do port scans from the internet to check if the ports are open on your firewall. There are also "test" unix boxes out on the internet where you can do extended pings and validate a port by pinging with a port number via a Unix box.
 
Thanks again.

I'm almost there (I think).

I forwarded and allowed all the relevant ports, and the dynDNS now pulls up the java app on the XEP. But it takes about 15 seconds to get the coffee cup (is that too long?), and then the progress circle around the coffee cup spins and spins without any further action. I purposefully (and temporarily) removed passwords from the XEP to see if that was the problem, but I can't get to the XEP.

Any thoughts?

Thanks
 
I'm almost there (I think).

I forwarded and allowed all the relevant ports, and the dynDNS now pulls up the java app on the XEP. But it takes about 15 seconds to get the coffee cup (is that too long?), and then the progress circle around the coffee cup spins and spins without any further action. I purposefully (and temporarily) removed passwords from the XEP to see if that was the problem, but I can't get to the XEP.

Sounds like you're almost there too! The java app on the XEP may be trying to use ports other than 80, this might be where you are running into issues. However, it could also be a browser issue. If you go to the internal IP of the XEP from your own network, does the java app work? If so, then take that same device and connect it to a different network and try to access your XEP thru your dyndns name.

Kent
 
Got it!

The last problem was that I was trying to log into the XEP from inside the network rather than out. Once I used my neighbor's guest access WiFi, I was able to get all the way in.

Thanks Pete and Kent for all the help.

On to the XSP now....!
 