Port Forwarding operational issues

Comments

11 comments

  • Firewalla

    Are these two devices using the Firewalla DHCP mode IP address, or are they using the old router address? If they are using the old router address, then at least now I don't see any obvious reason for not reaching out using both DDNS addresses. The only feature I know of in NAT is called hairpinning, likely that's broken in the router.

  • Saurabh Shah

    They are both using fixed IP addresses on the router's network, not on the Firewalla DHCP.

  • Firewalla

    The feature in question is definitely Netgear NAT loopback (or in my world, hairpinning). This is the feature where the NAT module knows that it shouldn't NAT and should just turn around the traffic. So, in theory, the arrangement you have should be no issue at all. Do this simple experiment: connect your phone (or whatever you used to access those devices) to the main router network (using static IP) and see if the router turns around the traffic.

  • Saurabh Shah

    So prior to installing Firewalla, this was working fine. I just tested by setting a fixed IP on my iPhone and everything was working normally again. I believe there was a NAT loopback issue when the router was first released; it's been fixed since. I think the issue now is the double NAT. I don't think the router is capable of completing the loopback through a double layer of NAT.

  • Firewalla

    If the two devices are using UDP then it is a single NAT problem. If your phone is under Firewalla 218 network, we don't proxy any UPnP to the main router, which means, unless your gadget (not the phone) speaks TCP directly, the packets will not come back. I'll open a ticket internally, and see if we can add a UPnP proxy for DHCP mode only. Our original intention was to make the 218 network much more secure than the outside network. (given, we believe UPnP ... is not a secure protocol)

  • Saurabh Shah

    Ok, thanks for the response.  So it looks like this can only be resolved from the Firewalla side.  I'm probably at my limit of networking knowledge here but I'm assuming this cannot be fixed from the R7500 side to the 218 network with some static routes?

  • matt sandonato

    I think I am running into a similar problem. I am running Firewalla in DHCP mode as my router does not support the ARP mode. My port forwarding from the outside in does not work since setting up Firewalla. 

  • Firewalla

    When Firewalla is in DHCP mode, it sort of created another network within your existing network. Not sure if your network looks like this, just an example:

    [internet] <-----> router <-----> Firewalla <---> deviceA

    For the internet to reach deviceA, you will need to do the following:

    1. Port forward to Firewalla
    2. On Firewalla, you will need to port forward again
       a. Tap on devices
       b. Tap on the device you wish to forward to
       c. Tap on the device name, tap on port forward, tap on +

     

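The double port-forward arrangement in the comment above can be checked on paper before testing from outside. The following is an added example, not part of the original thread and not Firewalla's code: it walks an inbound connection through each NAT hop's forward table and reports where the chain breaks. All addresses, ports, and the names `Forward`, `NatDevice` and `trace` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    proto: str      # "tcp" or "udp"
    ext_port: int   # port the NAT device accepts on its upstream side
    to_ip: str      # address the traffic is forwarded to
    to_port: int    # port on that address

@dataclass
class NatDevice:
    name: str
    upstream_ip: str   # address the previous hop must forward to
    forwards: list

def trace(chain, hosts, proto, port):
    """Follow (proto, port) from the internet inward.

    chain: NAT devices, outermost first. hosts: {ip: name} of end devices.
    Returns (name of device reached or None, list of hop descriptions).
    """
    inner = {d.upstream_ip: d for d in chain[1:]}
    dev, hops = chain[0], []
    for _ in chain:  # at most one pass per NAT hop, so bad rules cannot loop
        rule = next((f for f in dev.forwards
                     if f.proto == proto and f.ext_port == port), None)
        if rule is None:
            hops.append(f"{dev.name}: no {proto}/{port} forward, dropped")
            return None, hops
        hops.append(f"{dev.name}: {proto}/{port} -> {rule.to_ip}:{rule.to_port}")
        port = rule.to_port
        if rule.to_ip not in inner:
            return hosts.get(rule.to_ip), hops
        dev = inner[rule.to_ip]
    return None, hops

# Constructed sample: [internet] <-> router <-> Firewalla <-> deviceA
ROUTER = NatDevice("router", "203.0.113.10", [
    Forward("tcp", 8443, "192.168.1.50", 8443),   # step 1: forward to Firewalla
    Forward("tcp", 8080, "192.168.1.50", 8080),   # step 1 done, step 2 missing
])
FIREWALLA = NatDevice("firewalla", "192.168.1.50", [
    Forward("tcp", 8443, "192.168.218.20", 443),  # step 2: forward again
])
CHAIN = [ROUTER, FIREWALLA]
HOSTS = {"192.168.218.20": "deviceA"}

if __name__ == "__main__":
    for p in (8443, 8080):
        reached, hops = trace(CHAIN, HOSTS, "tcp", p)
        print(p, reached, hops)
```

Port 8443 reaches deviceA because both hops have a rule; port 8080 stops at Firewalla, which is the symptom of doing only step 1.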
  • Saurabh Shah

    So that's great if the device is migrated over to the Firewalla network. If the device is on the router network, are there any options? Part of my concern is that when I run the Firewalla port scan, the open ports on the router don't show up. Is that an accurate representation? The only open ports are on the Firewalla network.

  • Massimiliano

    Hi,

    I've a similar problem. Before Firewalla I had a device with a static IP in my LAN, a static IP with my provider and an open port to redirect access from WAN. After installing Firewalla I'm unable to see the open port.

    What can I do?

     

    Regards

    Massimiliano

  • Saurabh Shah

    The method described by Firewalla above works for those addresses on the Firewalla network. For addresses not on the Firewalla network, I can still access the port forwarded IPs as long as I am coming from outside the network.

