We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
815 views 0 comments
by anonymous
Hi to all, I'm working on a RUT230 with firmware updated to RUT2XX_R_00.01.11.3.

I can't understand how NAT and the firewall work.
I'm working from a static public IP: let's say 92.145.15.15.

My firewall rules (traffic rules) are:

1) "allow myself input":
- protocol = ALL
- source = from IP 92.145.15.15 in wan
- destination = To any router IP on this device
- action = accept input
- status = enabled

2) "allow myself forward":
- protocol = ALL
- source = from IP 92.145.15.15 in wan
- destination = To any host in any zone
- action = accept forward
- status = enabled

3) "drop all input":
- protocol = ALL
- source = From any host in wan
- destination = To any router IP on this device
- action = discard input
- status = enabled

4) "drop all forward":
- protocol = ALL
- source = From any host in wan
- destination = To any host in any zone
- action = discard forward
- status = enabled

In this case I can access the RUT230 only from my IP.

I set up port forwarding to access the device behind the RUT230:
1) "SSH 2222":
- protocol = ALL
- source = From any host in wan
- via = To any router IP at port 2222
- destination = Forward to IP 192.168.1.10, port 22 in lan
- status = enabled

The only way to access the device behind the RUT230 is to disable the firewall rule "drop all forward".
Why, if I already allow forward traffic through the rule "allow myself forward"?
I also added the following rule before all others:
"Forward 2222":
- protocol = ALL
- source = from IP 92.145.15.15 in wan
- destination = To any host, port 2222 in lan
- action = accept forward
- status = enabled

with no success.
What's wrong? Thanks.

2 Answers

0 votes
by anonymous
Hi elberto,

Can you tell me the end result of the solution?
You want only a specific IP on the WAN side to be able to reach the device behind the router on the LAN interface, correct?

I will be waiting for your response.
Regards
0 votes
by anonymous
Hi to all, back to using my RUT230...

Ok, let's say:

Basically I need to give access only from a specific network (let's say 92.145.15.15/24) to the RUT230 (input) and to LAN devices (forward).
I need to access the RUT230 (let's say on port 22 for SSH), so the rules are:

1) "allow myself input":
- protocol = ALL
- source = from IP 92.145.15.0/24 in wan
- destination = To any router IP on this device
- action = accept input
- status = enabled

2) "allow myself forward":
- protocol = ALL
- source = from IP 92.145.15.0/24 in wan
- destination = To any host in any zone
- action = accept forward
- status = enabled

3) "drop all input":
- protocol = ALL
- source = From any host in wan
- destination = To any router IP on this device
- action = discard input
- status = enabled

4) "drop all forward":
- protocol = ALL
- source = From any host in wan
- destination = To any host in any zone
- action = discard forward
- status = enabled

This configuration is working, ok.

Now I add devices on the LAN (let's say 192.168.1.2/24 and 192.168.1.3/24), so I add NAT rules to access their web interfaces:
Public port 84 -> 192.168.1.2:80
Public port 85 -> 192.168.1.3:80
In this case I don't need to add a firewall rule, since I can access the devices from 92.145.15.0/24.

Now suppose I need to give everyone access (but ONLY to 192.168.1.2, let's say for maintenance), while keeping 192.168.1.3 available ONLY from 92.145.15.0/24.

So I added a firewall rule before "drop all forward":

"allow 84":
- protocol = ALL
- source = From any host in wan
- destination zone = To any zone (forward) or LAN
- destination = 192.168.1.2
- port = 80

I expected to write a firewall rule only for port 84 (forward chain), not for a specific IP and a specific PORT.
It looks as if firewall rules are applied after NAT rules: is this Teltonika's doing or OpenWRT's?

By the way, this rule works for both the "To any zone" and "Lan" settings; are there differences?
Thanks.
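Both the first post's "Forward 2222" rule (destination port 2222 in lan) and the second answer's discovery that "allow 84" has to name 192.168.1.2 port 80 come down to the same netfilter fact, which OpenWrt (and Teltonika's fw3-based firewall on top of it) inherits rather than invents: a port forward is a DNAT rule in the nat table's PREROUTING hook, and it rewrites the destination address and port before the packet reaches the filter table's FORWARD hook where traffic rules are evaluated. A forward rule therefore has to match the translated destination (192.168.1.10:22, 192.168.1.2:80), never the public port, and a rule that matches everything from the trusted source is what keeps port 85 reachable from 92.145.15.0/24 only. The following Python model is added here as an illustration and is not code from the thread, from Teltonika or from OpenWrt; it replays that ordering with first-match semantics over the rules as posted. The router's public address 203.0.113.1 and the stranger address 198.51.100.7 are constructed, and the model deliberately ignores fw3's zone and conntrack details (such as the conntrack-based ACCEPT fw3 normally emits for each redirect) in order to show only why the two rule shapes behave differently.

```python
"""Model of the netfilter path that matters for port forwards: DNAT in
nat/PREROUTING rewrites the destination BEFORE filter/FORWARD sees the
packet, so forward traffic rules must match the translated LAN address
and port, not the public port. Added example; not Teltonika/OpenWrt code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ROUTER_WAN_IP = "203.0.113.1"   # constructed: the router's public address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Redirect:
    """A port-forward (DNAT) entry: public port -> LAN host:port."""
    name: str
    public_port: int
    to_ip: str
    to_port: int


@dataclass(frozen=True)
class Rule:
    """A forward-chain traffic rule; a field left at its default matches anything."""
    name: str
    target: str                       # "ACCEPT" or "DROP"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


def prerouting_dnat(pkt: Packet, redirects: List[Redirect]) -> Packet:
    """nat/PREROUTING: the first matching redirect rewrites dst ip and port."""
    for r in redirects:
        if pkt.dst == ROUTER_WAN_IP and pkt.dport == r.public_port:
            return replace(pkt, dst=r.to_ip, dport=r.to_port)
    return pkt


def forward_filter(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """filter/FORWARD: first match wins; no match falls to the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target, rule.name
    return "DROP", "default policy"   # assumption: a deny-by-default forward policy


def verdict(pkt: Packet, redirects: List[Redirect], rules: List[Rule]) -> Tuple[str, str]:
    """Run the packet through PREROUTING (DNAT) and then FORWARD (filter)."""
    return forward_filter(prerouting_dnat(pkt, redirects), rules)


def first_post_scenario() -> Dict[str, Tuple[str, str]]:
    """'Forward 2222' can never match: after DNAT the packet is 192.168.1.10:22."""
    redirects = [Redirect("SSH 2222", 2222, "192.168.1.10", 22)]
    me = "92.145.15.15"
    pkt = Packet(src=me, dst=ROUTER_WAN_IP, dport=2222)
    as_posted = [
        Rule("Forward 2222", "ACCEPT", src_net=me + "/32", dst_net="192.168.1.0/24", dport=2222),
        Rule("drop all forward", "DROP"),
    ]
    corrected = [   # match the translated destination instead of the public port
        Rule("Forward to 192.168.1.10:22", "ACCEPT", src_net=me + "/32",
             dst_net="192.168.1.10/32", dport=22),
        Rule("drop all forward", "DROP"),
    ]
    return {"as_posted": verdict(pkt, redirects, as_posted),
            "corrected": verdict(pkt, redirects, corrected)}


def second_answer_scenario() -> Dict[str, Tuple[str, str]]:
    """Port 84 open to everyone, port 85 only to 92.145.15.0/24."""
    redirects = [Redirect("web 84", 84, "192.168.1.2", 80),
                 Redirect("web 85", 85, "192.168.1.3", 80)]
    rules = [
        Rule("allow 84", "ACCEPT", dst_net="192.168.1.2/32", dport=80),
        Rule("allow myself forward", "ACCEPT", src_net="92.145.15.0/24"),
        Rule("drop all forward", "DROP"),
    ]
    # The rule shape the poster first expected: keyed on the public port 84.
    public_port_rules = [Rule("allow 84 (public port)", "ACCEPT", dport=84),
                         Rule("drop all forward", "DROP")]
    stranger, trusted = "198.51.100.7", "92.145.15.20"   # constructed addresses
    return {
        "stranger_84": verdict(Packet(stranger, ROUTER_WAN_IP, 84), redirects, rules),
        "stranger_85": verdict(Packet(stranger, ROUTER_WAN_IP, 85), redirects, rules),
        "trusted_85": verdict(Packet(trusted, ROUTER_WAN_IP, 85), redirects, rules),
        "stranger_84_public_port_rule":
            verdict(Packet(stranger, ROUTER_WAN_IP, 84), redirects, public_port_rules),
    }


if __name__ == "__main__":
    for name, result in {**first_post_scenario(), **second_answer_scenario()}.items():
        print(f"{name:30s} -> {result[0]} by '{result[1]}'")
```

To confirm this on the device rather than in a model, list the fw3 chains in the order packets traverse them: `iptables -t nat -L zone_wan_prerouting -n -v` shows the DNAT entries, and `iptables -L zone_wan_forward -n -v` shows the forward traffic rules together with the destination they actually match on; the packet counters on the latter tell you which rule a test connection hit. As for "To any zone" versus "Lan" in the rule's destination: for a packet already DNAT'd to a LAN host the outcome is the same, the any-zone form simply also covers forwarding into other zones, so the narrower "Lan" is the safer choice.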