Reach web server in DMZ from intranet

Dear all,
I'm still here fighting with an ideal OpenWrt setup for an intranet and a, let's say, DMZ with a web server hosting an FQDN (private cloud use with no-ip... nothing too fancy, let's call it mycloud.org).

Actually I have problems tracking packets in OpenWrt through the firewall to investigate the issue.

ISSUE: when I'm in the intranet I can't browse www.mycloud.org, nor can the client software reach it. From the intranet I can't sync my data.
If I plug my laptop into the DMZ I can browse www.mycloud.org and the cloud client can sync.

I've little experience with iptables; normally, using log instructions, I can track where the connection goes and where it stops.

I'm not too sure where I can start the investigation. One option is to set all firewall rules to ACCEPT and restrict them one step at a time. I'm not even sure it is going to work if this turns out to be a local DNS or routing setting.

Does anybody have some hints or leads for me to follow?

Cheers

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Clarify the IP of the server, where the DMZ is, and the LAN you are trying to access from.

3 Likes

Hi Trendy,

thanks for your quick reply. I have been away from home to gather all the info you required.

My home configuration is a little more complicated than I explained. The actual situation is made of 3 subnetworks: a generic LAN for local/wifi use, a DMZ for the web server, and a DMZ-like one, GAMING, for a gaming machine.

There is also a VPN server, and the LAN is routed via VPN but not the DMZ nor GAMING (GAMING not at the moment, at least).

I've masked some information and I hope I left everything which is necessary for the investigation.

lan ip: 192.168.1.0/24
DMZ ip: 192.168.2.0/24
gaming ip: 192.168.3.0/24

I'm trying to reach the cloud server in the DMZ (IP 192.169.2.2) from the lan and gaming networks.

I thank this forum in advance for the help.

Below is the content of the files and commands requested.

Cheers

ubus call system board

{
	"kernel": "4.9.211",
	"hostname": "OpenWrt",
	"system": "xRX200 rev 1.2",
	"model": "TP-LINK TD-W8970",
	"board_name": "tplink,tdw8970",
	"release": {
		"distribution": "OpenWrt",
		"version": "18.06.7",
		"revision": "r7976-ca47026b7d",
		"target": "lantiq\/xrx200",
		"description": "OpenWrt 18.06.7 r7976-ca47026b7d"
	}
}

uci export network

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd54:c576:2f5a::/48'

config atm-bridge 'xx'
	option encaps 'xx'
	option payload 'xxx'
	option nameprefix 'xxx'
	option vci 'xx'
	option vpi 'xx'

config dsl 'dsl'
	option tone 'xx'
	option ds_snr_offset '0'
	option annex 'xx'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '208.67.222.222 208.67.220.220'

config interface 'wan'
	option ifname 'dsl0'
	option proto 'pppoe'
	option ipv6 '1'
	option username 'xxxx'
	option password 'xxxx'
	option mtu '1492'

config device 'wan_dev'
	option name 'dsl0'
	option macaddr 'xxxx'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '5 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '10'
	option ports '2 4 6t'

config interface 'DMZ'
	option ifname 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option dns '208.67.222.222 208.67.220.220'

config interface 'surfsharktun'
	option ifname 'tun0'
	option proto 'dhcp'
	option metric '10'
	option defaultroute '0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '11'
	option ports '0 6t'

config interface 'gaming'
	option proto 'static'
	option ifname 'eth0.11'
	option dns '208.67.222.222 208.67.220.220'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'

uci export dhcp

package dhcp

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dnsmasq 'lan_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.lan'
	option resolvfile '/etc/resolv.conf.lan'
	option nonwildcard '1'
	list interface 'lan'
	option localservice '0'
	list server '208.67.222.222'
	list server '208.67.220.220'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	list dhcp_option '6,192.168.1.1,208.67.222.222,208.67.220.220'
	option start '50'

config dnsmasq 'DMZ_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/DMZ/'
	option domain 'DMZ'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.DMZ'
	option resolvfile '/etc/resolv.conf.DMZ'
	option nonwildcard '1'
	list interface 'DMZ'
	list notinterface 'loopback'
	option localservice '0'
	list server '208.67.222.222'
	list server '208.67.220.220'

config dhcp 'DMZ'
	option instance 'DMZ_dns'
	option interface 'DMZ'
	option leasetime '12h'
	option start '226'
	option limit '6'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'


config host
	option name 'cloud'
	option dns '1'
	option mac '00:0D:B9:4E:C1:38'
	option ip '192.168.2.2'


config dnsmasq 'gaminging_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.lan'
	option resolvfile '/etc/resolv.conf.lan'
	option nonwildcard '1'
	list interface 'gaming'
	option localservice '0'
	option local '/gaming/'
	option domain 'gaming'
	list server '208.67.222.222'
	list server '208.67.220.220'

config dhcp 'gaming'
	option interface 'gaming'
	option start '2'
	option limit '3'
	option leasetime '24h'
	list dhcp_option '6,208.67.222.222,208.67.220.220'

uci export firewall

package firewall

config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option drop_invalid '1'
	option input 'REJECT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option log '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option network 'wan wan6'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'dmz'
	option network 'DMZ'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'dmz'


config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option name 'http'
	option dest_port 'xxx'
	option src_dport 'xxx'
	option dest 'dmz'
	option dest_ip '192.168.2.2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport 'xxx'
	option dest_port 'xxx'
	option name 'https'
	option dest 'dmz'
	option dest_ip '192.168.2.2'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option network 'surfsharktun'


config forwarding
	option dest 'vpnfirewall'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'game'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'gaming'
	option input 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'game'
option src 'wan'
	option proto 'tcp udp'
	option

head -n -0 /etc/firewall.user (no extra rule)

ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 182.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
6: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth0.10
       valid_lft forever preferred_lft forever
7: eth0.11@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth0.11
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet xxxxx peer xxxxx scope global pppoe-wan
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet xxxxxx brd xxxxx scope global tun0
       valid_lft forever preferred_lft forever

ip -4 ro li tab all

default via ISP_IP dev pppoe-wan table 201 
192.168.2.0/24 dev eth0.10 table 201 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev eth0.11 table 201 proto kernel scope link src 192.168.3.1 
default via VPN_IP dev tun0 table 202 
192.168.2.0/24 dev eth0.10 table 202 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev eth0.11 table 202 proto kernel scope link src 192.168.3.1 
0.0.0.0/1 via VPN_IP dev tun0 
default via ISP_IP dev pppoe-wan proto static 
ISP_IP dev pppoe-wan proto kernel scope link src ISP_IP 
VPN_IP dev tun0 proto kernel scope link src VPN_SRC 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev eth0.10 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev eth0.11 proto kernel scope link src 192.168.3.1 
128.0.0.0/1 via VPN_IP dev tun0 
WAN via ISP_IP dev pppoe-wan 
local ISP_IP dev pppoe-wan table local proto kernel scope host src ISP_SRC 
broadcast VPN dev tun0 table local proto kernel scope link src VPN_SRC 
local VPN_SRC dev tun0 table local proto kernel scope host src VPN_SRC 
broadcast VPN dev tun0 table local proto kernel scope link src VPN_SRC 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.2.255 dev eth0.10 table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev eth0.10 table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev eth0.10 table local proto kernel scope link src 192.168.2.1 
broadcast 192.168.3.0 dev eth0.11 table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev eth0.11 table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev eth0.11 table local proto kernel scope link src 192.168.3.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1

ip -4 ru

0:	from all lookup local 
32764:	from all fwmark 0x20000/0xff0000 lookup 202 
32765:	from all fwmark 0x10000/0xff0000 lookup 201 
32766:	from all lookup main 
32767:	from all lookup default 

ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

lrwxrwxrwx    1 root     root            16 Jan 29  2020 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 May 21  2020 /etc/resolv.conf.DMZ
-rw-r--r--    1 root     root             0 May 21  2020 /etc/resolv.conf.lan
lrwxrwxrwx    1 root     root            21 Dec 11 22:45 /tmp/resolv.conf -> /tmp/resolv.conf.auto
-rw-r--r--    1 root     root           272 Dec 11 22:47 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            48 Dec 11 22:47 /tmp/resolv.conf.ppp

head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

==> /etc/resolv.conf <==
# Interface DMZ
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface trading
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 91.80.35.166
nameserver 91.80.35.133

==> /etc/resolv.conf.DMZ <==

==> /etc/resolv.conf.lan <==

==> /tmp/resolv.conf <==
# Interface DMZ
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface trading
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 91.80.35.166
nameserver 91.80.35.133

==> /tmp/resolv.conf.auto <==
# Interface DMZ
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface trading
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 91.80.35.166
nameserver 91.80.35.133

==> /tmp/resolv.conf.ppp <==
nameserver 91.80.35.166
nameserver 91.80.35.133
head: /tmp/resolv.: No such file or directory

Add a firewall forwarding from LAN to DMZ and rebind your domain with a private IP.
Or add a firewall redirect from LAN to DMZ.

2 Likes

Hi vgaetera,

thanks for your suggestions; I'm working on these at the moment.

After a first study of your links I have the following considerations:

  • firewall redirect (port forward): I made a quick port forwarding of port 443 from gaming to the DMZ, which messed up the browsing behaviour. I thought afterwards that what I did was actually redirect all calls to secured websites to the DMZ, which was wrong. I can still assign a port forward for a specific lan IP, I think. In the web server, besides the main cloud site there are a few virtual domains, and I won't be able to reach these if I only use the IP/port forwarding unless I also set the hosts file (correct?)

  • please correct me if I'm wrong, but if I open intercommunication between the DMZ and the other networks, the whole concept of a DMZ falls to pieces. In other terms, I'm trying to keep the DMZ network separated from lan and gaming.

What I'd like to achieve, and I can't get my head around it, is how to reach mycloud going from the lan to the public net and then, via DDNS, get back to my router and redirect to the DMZ. In graphical terms:
LAN => vpn => public DNS/internet => redirect to my public IP from ISP with DDNS => DMZ
and in other terms, ignore that the server is sitting in the rack next to my desk and try to reach it as if I were on the other side of the world.

Troubleshooting. If I can't reach any of the subdomains of my FQDN from LAN and gaming, it seems to me the request is stripped by the router before being redirected to the VPN (for lan) or via WAN (for gaming). To me it looks like the router acts as DNS server before checking public ones, and packets are blocked when forwarded to the dmz.

This is the output using traceroute:

#traceroute facebook.com
traceroute to facebook.com (157.240.196.35), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.1.1)  1.452 ms  2.210 ms  2.175 ms
 2  VPN_IP (VPN_IP)  58.510 ms  61.667 ms  65.555 ms
 3  unn-212-102-54-190.cdn77.com (212.102.54.190)  67.033 ms  71.311 ms  73.820 ms
 4  ae3.milano52.mil.seabone.net (195.22.192.217)  82.433 ms  97.299 ms  96.000 ms
 5  ae21.marsiglia3.mar.seabone.net (213.144.176.168)  96.459 ms  101.458 ms  102.479 ms
 6  facebook.marsiglia3.mar.seabone.net (213.144.170.51)  107.322 ms  103.116 ms  107.548 ms
 7  po101.psw03.mrs2.tfbnw.net (129.134.36.121)  109.466 ms  59.415 ms po101.psw02.mrs2.tfbnw.net (129.134.36.113)  64.647 ms
 8  157.240.36.11 (157.240.36.11)  66.694 ms 157.240.36.19 (157.240.36.19)  68.899 ms 157.240.39.69 (157.240.39.69)  69.323 ms
 9  edge-star-mini-shv-02-mrs2.facebook.com (157.240.196.35)  72.504 ms  59.992 ms  58.902 ms

The first hop is the router...

If I do the same with my FQDN:

traceroute mycloud
traceroute to mycloud (my ISP IP) 30 hops max, 60 byte packets
 1  ISP (my ISP_IP)  1.221 ms  1.294 ms  1.536 ms

This might create a short circuit and stop me from reaching the web server. How to prevent it?

I hope I added more info than confusion.

Cheers

This shouldn't happen unless you missed the destination zone.
It's best to check the resulting firewall config for problems.

It should be fine, as each firewall forwarding is direction-specific.
That is, only LAN can initiate traffic to DMZ, and DMZ can only reply to LAN queries.

Ensure that you are using dnsmasq as the only DNS server.
Verify that DoT and DoH are disabled in the OS and browser.

1 Like

Hi @vgaetera
I tried your suggestion of:

  • firewall forwarding LAN => DMZ (and DMZ => LAN)

  • rebind the FQDN in LuCI: Network->hostname
    with no luck :(
    I also rebooted the router in case some service needed a reboot, but it is still the same situation.

I also tried a port forward from lan:12345 -> DMZ:443, again with no success.

I have no idea what is wrong and how to troubleshoot it...
Any further hint?
Does anybody know if there is a way I can track the hops from my request, including the internal router ones? Maybe with logging in the firewall?

I gave nmap a try. What I see is that any scan I do for mycloud still shows the public IP (from the ISP) and not the private one, as I'd expect after the hostname configuration.

Wishing you all a merry Xmas, I thank the community for this great work!!!

cheers

Let's have one more look at the configs after the fixes you applied.

uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Ciao @trendy, I'll post the info again soon.
Before going any further I wanted to make sure nothing else along the line between the LAN and the web server would cause problems. I took a simple ethernet switch to manage the DMZ network and modified the web server firewall to ACCEPT in all tables in Filter.

Still no access from Lan.

At this stage I believe I messed up somewhere in Openwrt...

I'm happy to back up the current configuration, reset the router and start from scratch if I have some key points to follow, to avoid repeating the same error over and over.

By all means, I hope everybody had a great Xmas!!!!

cheers

If you start from scratch:

  1. Create the dmz interface and assign it to new dmz zone.
  2. Allow forwarding from lan zone to dmz zone in firewall.
  3. Try to access the server from lan with its IP.
  4. If it works properly, create the domain name for the server in dmz.

Hi @trendy, it makes sense and is worth a try.

Can you please clarify a doubt I have with zone forwarding?
Does enabling a zone forwarding only allow 'new' connections toward the destination zone, leaving the 'established and related' connections bidirectional by default?

If I'm wrong, I have to enable LAN => DMZ and DMZ=>LAN, correct?
The online documentation mentions both directions need to be enabled. I don't know, and this confuses me, which kind of connection can work with only one direction enabled...

I'll keep you posted

It is only for the new connections. The established/related are allowed anyway.
If you notice, there is by default only one forwarding, the lan->wan. We allow from lan to the internet, the responses are allowed, but we don't allow ingress from the internet to the lan.

Hi @trendy and @vgaetera,

thanks for your support. I reset the router and now it works!!!
I set up a hostname for my cloud under the network menu.
I figured out that if I forward LAN=>DMZ it works for all ports (defaults are ACCEPT for INPUT, OUTPUT and FORWARD), which I would potentially like to avoid. My workaround has been using port forwarding from non-standard ports in LAN to 443 in DMZ. Is this the correct way of doing it, or is there a "nicer" way of doing it?

Thank you very much

1 Like

Yes, delete the lan->dmz forwarding, also delete the port forwardings.
Then create rules to allow the traffic you wish from lan to dmz.

1 Like
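Trendy's two answers above (a zone forwarding only opens new connections in one direction, replies are allowed anyway, and specific traffic rules are the cleaner replacement for a blanket lan->dmz forwarding) as an added, runnable model. This is example code written for this thread, not OpenWrt's fw3 and not anything posted here: it parses the `uci export firewall` text format used throughout the thread and assumes a REJECT default forward policy, an exact-host `dest_ip`, and the zone names lan/dmz.

```python
import re
from collections import namedtuple

# Constructed sample in the `uci export firewall` format used in the thread:
# trendy's final advice, one traffic rule for the cloud host instead of a
# blanket lan -> dmz forwarding. Zone names and host IP are assumptions.
RULES_ONLY = """
config rule
	option name 'lan-to-cloud-web'
	option src 'lan'
	option dest 'dmz'
	option dest_ip '192.168.2.2'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'
"""
# The earlier workaround the thread says to delete: it opens every port.
BLANKET = RULES_ONLY + """
config forwarding
	option src 'lan'
	option dest 'dmz'
"""

def parse_uci(text):
    """Parse `config`/`option`/`list` lines into a list of section dicts."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"config\s+([\w-]+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append({".type": m.group(1), ".name": m.group(2)})
            continue
        m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1][key] = val
            else:
                sections[-1].setdefault(key, []).append(val)
    return sections

# A forwarded packet as the firewall sees it; state is the conntrack state.
Packet = namedtuple("Packet", "src_zone dest_zone dest_ip proto dport state", defaults=["NEW"])

def port_listed(spec, port):
    """fw3 dest_port takes space-separated ports and ranges such as '8000-8080'."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, pkt):
    """A `config rule` with both src and dest filters forwarded traffic."""
    if rule.get("src") not in (pkt.src_zone, "*") or rule.get("dest") not in (pkt.dest_zone, "*"):
        return False
    if rule.get("dest_ip", pkt.dest_ip) != pkt.dest_ip:  # exact host only (assumption)
        return False
    proto = rule.get("proto", "tcp udp")  # fw3 default when proto is omitted
    if proto != "all" and pkt.proto not in proto.split():
        return False
    return "dest_port" not in rule or port_listed(rule["dest_port"], pkt.dport)

def forward_verdict(sections, pkt):
    """Simplified fw3 FORWARD decision; `config defaults` forward assumed REJECT."""
    # Replies to an accepted connection pass in either direction, so only the
    # side that opens connections (lan) needs a forwarding or a rule.
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    for s in sections:  # traffic rules are evaluated before zone forwardings
        if s[".type"] == "rule" and rule_matches(s, pkt):
            return s.get("target", "DROP")
    for s in sections:  # a forwarding accepts every new src -> dest connection
        if s[".type"] == "forwarding" and (s.get("src"), s.get("dest")) == (pkt.src_zone, pkt.dest_zone):
            return "ACCEPT"
    return "REJECT"
```

With RULES_ONLY, lan reaches 192.168.2.2 on 80/443 only, dmz cannot open connections to lan, and its replies still pass; with BLANKET every port from lan is open, which is the behaviour the thread ends up removing.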

Hi everybody,

happy and healthy 2021!!!

Ciao @trendy, I followed your suggestions, which are working well. Finally I can reach the FQDN also from the LAN. It is something I left behind for years, but it has always annoyed me a lot.
At this stage I got a little confused only about the use of, and the differences between, port forwarding and traffic rules. I suspect it has something to do with different IP levels and iptables tables.
At the moment, for the incoming WAN packets looking for mycloud I have a port forward:

  • WAN dest=DDNS_IP:80 => DMZ_SERVER:80

  • WAN dest=DDNS_IP:443 => DMZ_SERVER:443
    Is this correct, or should/could I use traffic rules?

By any means, up to now I have fixed my main issue, and if the latter is outside this topic we can continue on a separate thread.

thanks @trendy and @vgaetera for your valuable support!!!

cheers

2 Likes

It is correct: a redirect or port forward is a DNAT, rewriting the destination IP and/or port of the packet.
A traffic rule will allow or deny traffic.

1 Like