Hi John,
Thanks for the thought and checking the information. I can imagine using a phone for this would be frustrating (especially an iPhone).
So, yeah… this is a long one (sorry).
No matter what I do, and regardless of any rules I enter in any group within the Exceptional Rule Group, I cannot get any of this to work with group isolation enabled and the LAN side firewall disabled (connections will time out). I also tried this a couple of days ago, without success. The only way I can get this working at all is by using a combination of group isolation and the LAN side firewall, and making an IP filtering rule to allow one IP access to the router interface (as the LAN side firewall drops packets to the router when enabled).
Your example is, in theory, correct. Though in practice there seems to be something else preventing the routing from working in the way that is expected (or at least in the way I expect, and I could be wrong about that). I have it set up with valid IP addresses both internally and globally, and I have used the correct interface; this is evident as it does work externally and internally (the latter conditionally – only if the LAN side firewall is enabled alongside group isolation).
Let’s talk about the Exceptional Rule Group.
As in the manual:
Exceptional Rule is dedicated to giving or blocking NAT/DMZ access to some specific IP or IPs (range). Users are allowed to set 8 different exceptional rule groups at most. In each group, the user can add a specific IP or IP range.
By default, the rule in the Exceptional Rule Group is set to blocking mode (default action is allow), which implies that any specified addresses will be blocked. So, in theory, if I simply apply the Exceptional Rule Group to the one-to-one NAT rule then it should allow me (or any other device) to connect to the external IP address from my internal network. And, to my surprise, I can connect to something, but it seems that instead of connecting to my VM, it connects me to my router. Let’s try to delve into this.
Let’s assume the following information, for the sake of example:
The ISP has supplied an IP range from 123.1.1.2 to 123.1.1.3
The main PPP is connected with an IP address of 123.1.1.2
My PC is behind the NAT, in Group 1 (10.0.0.0/24) with an internal IP address of 10.0.0.1
My VM is configured in one-to-one NAT within Group 2 (10.0.1.0/24) with an internal IP address of 10.0.1.1 and global of 123.1.1.3
We have already established that if group isolation is on and the LAN side firewall is enabled, I can connect from the PC (10.0.0.1) in Group 1 to the VM (10.0.1.1) in Group 2 using the external IP address 123.1.1.3. Without the LAN side firewall enabled this connection cannot happen while group isolation is on (which is required), so let’s keep the firewall off and try to configure an Exceptional Rule Group.
As mentioned above, with the default mode being blocking, I can just select the rule in the one-to-one NAT settings and all IPs should be allowed. And while it does allow me to connect to the IP address via SSH or the browser, it simply responds with the router’s SSH server and web interface. So, technically, it is allowing access to the public IP address from my PC, but it looks like it is only going to the gateway. I did do a traceroute, and it completed after one hop (which would be two if the LAN side firewall and group isolation were enabled together) – it was something like:
1 <1 ms <1 ms <1 ms host.blah-blah-blah.net [123.1.1.2]
I made a couple of changes to my VM so services were running on different ports and, unsurprisingly, my fears were confirmed – attempting to connect to the services on the VM using its public IP address from my PC was unsuccessful, even though the ports were different from what the router’s services were listening on; my PC was not even reaching the VM and the connection was being refused.
I did try setting up a rule in allowing mode, which would block any other IP address not specified. I put my own PC’s IP address in (10.0.0.1) and it resulted in the same as above. I also tried allowing the gateways from both Group 1 (10.0.0.254) and Group 2 (10.0.1.254) in there to see if that made any difference, as the gateway does all the translation (as mentioned in a previous post, the source port from an internal connection from another group always shows as the gateway from the destination group). But none of this made any difference and I could only connect to the router and not the VM through the public IP address.
All in all, what I’ve discovered so far is that if I want to connect to any of my one-to-one NAT devices which are isolated in different groups via their public IP address then I need to have the LAN side firewall enabled alongside group isolation, and have the Exceptional Rule Group set to none because if:
- The LAN side firewall is disabled, a local connection will timeout to the VM
- A rule is setup in the Exceptional Rule Group, regardless of what changes I make, any local connections to the public IP address associated with the VM will only connect to the gateway (so attempting to connect to the ports in use with the VM’s services will be refused)
I could be doing something completely wrong in my configuration. But perhaps the Exceptional Rule Group was never intended to be used across different groups with group isolation enabled? Either way, I am grateful that people have looked into this, given their opinions on the situation and shared their ideas with me. I think the configuration I currently have in play is probably the best for my usage scenario, and I am limited by my knowledge and hardware implementation to make any further and worthwhile changes.
Of course, if anyone can see something wrong with what I have done, I would certainly be appreciative if they let me know.
re0
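The two tests described in the post above (a traceroute that stops after one hop at the router's own WAN address, and connections to the VM's ports being refused while the router's own services answer) can be turned into a small repeatable check. The script below is an added example, not code from the post or from the router vendor. It uses the post's addresses (PC 10.0.0.1, router WAN 123.1.1.2, VM public 123.1.1.3); the port numbers, the sample tracert text and the Unix traceroute line in the test are constructed assumptions. The useful distinction for this problem is between a TCP connect that is *refused* (some host at 123.1.1.3 answered with a RST, i.e. the router took the address for itself) and one that *times out* (the packet was dropped by isolation or the firewall).

```python
"""Diagnose a LAN-side ("hairpin") connection to a one-to-one NAT public IP.

Added example, not code from the original post or from the router vendor.
Addresses follow the post: PC 10.0.0.1, VM public 123.1.1.3, router WAN
123.1.1.2. Port lists and the tracert text below are constructed samples.
"""
import re
import socket

PUBLIC_IP = "123.1.1.3"    # one-to-one NAT address of the VM (from the post)
GATEWAY_IP = "123.1.1.2"   # router's own WAN/PPP address (from the post)
VM_PORTS = (2222, 8080)    # assumed: ports the VM's services were moved to
ROUTER_PORTS = (22, 443)   # assumed: ports the router's SSH / web UI use

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def trace_hops(output):
    """Parse tracert/traceroute text into [(hop, ip), ...].

    Handles the Windows form "1 <1 ms ... host [1.2.3.4]" and the Unix form
    "1  host (1.2.3.4)  0.3 ms"; hops that only timed out ("*") are skipped.
    """
    hops = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue            # header, blank, or "Trace complete." lines
        ip = IPV4.search(m.group(2))
        if ip:
            hops.append((int(m.group(1)), ip.group(1)))
    return hops


def trace_verdict(hops):
    """Where did the trace end? A one-hop trace stopping at the router's own
    WAN address is the symptom described in the post."""
    if not hops:
        return "no_reply"
    _, last_ip = hops[-1]
    if last_ip == PUBLIC_IP:
        return "vm"
    if last_ip == GATEWAY_IP:
        return "router"
    return "other"


def probe(host, port, timeout=3.0):
    """TCP connect probe. 'refused' means a host answered with RST (something
    is there, nothing listening); 'timeout' means the packets were dropped."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "error"


def port_verdict(results):
    """Interpret {port: state} for PUBLIC_IP probed from the LAN side."""
    vm = [results.get(p) for p in VM_PORTS]
    router = [results.get(p) for p in ROUTER_PORTS]
    if all(s == "timeout" for s in results.values()):
        return "dropped"          # no path at all: isolation/firewall drop
    if any(s == "open" for s in vm):
        return "vm"               # one-to-one NAT applied on the hairpin path
    if any(s == "open" for s in router) and all(s == "refused" for s in vm):
        return "router"           # router answered for its own address
    return "inconclusive"


def live_check(timeout=3.0):
    """Run the probes against PUBLIC_IP from a LAN host (needs the network)."""
    results = {p: probe(PUBLIC_IP, p, timeout) for p in VM_PORTS + ROUTER_PORTS}
    return results, port_verdict(results)


# Constructed sample, modelled on the one-hop trace quoted in the post.
SAMPLE_TRACERT = """\
Tracing route to 123.1.1.3 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  host.blah-blah-blah.net [123.1.1.2]

Trace complete.
"""

if __name__ == "__main__":
    hops = trace_hops(SAMPLE_TRACERT)
    print(hops, "->", trace_verdict(hops))
```

Paste the real tracert output into `trace_hops()` and run `live_check()` from the PC in Group 1: a `router` verdict from both means the public address is being answered locally rather than translated to the VM, while `dropped` points at isolation or the LAN side firewall rather than the NAT rule.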