Port Forwarding operational issues
Here is my current setup:
Router: Nighthawk X4 R7500
Firmware: V1.0.0.118
Firewalla is in DHCP mode
So I have two fixed-IP devices that I have port forwarding rules on. Prior to installing Firewalla I could access both of these both externally and internally using an existing DDNS and port numbers. Both of these rules were configured in the router. Both have monitoring turned off.
Since getting Firewalla up and running and stable, I can only access the devices externally using the DDNS and internally using the IP address. For the moment, I'm hesitant to switch to using the reserved Firewalla range, only because when Firewalla loses contact with the internet, I'm not sure I'll be able to access those devices.
Any thoughts on what's causing the problem?
-
Are these two devices using the Firewalla DHCP mode IP address, or are they using the old router address? If they are using the old router address, then at least for now I don't see any obvious reason for not being able to reach both using the DDNS address. The only feature I know of in NAT is called hairpinning; likely that's broken in the router.
-
The feature in question is definitely Netgear NAT loopback (or in my world, hairpinning). This is the feature where the NAT module knows that it shouldn't NAT and should just turn the traffic around. So, in theory, the arrangement you have should be no issue at all. Do this simple experiment: connect your phone (or whatever you used to access those devices) to the main router network (using a static IP) and see if the router turns the traffic around.
-
So prior to installing Firewalla, this was working fine. I just tested by setting a fixed IP on my iPhone and everything was working normally again. I believe there was a NAT loopback issue when the router was first released; it's been fixed since. I think the issue now is the double NAT. I don't think the router is capable of completing the loopback through a double layer of NAT.
-
If the two devices are using UDP, then it is a single NAT problem. If your phone is under the Firewalla 218 network, we don't proxy any UPnP to the main router, which means, unless your gadget (not the phone) speaks TCP directly, the packets will not come back. I'll open a ticket internally and see if we can add a UPnP proxy for DHCP mode only. Our original intention was to make the 218 network much more secure than the outside network (given that we believe UPnP is not a secure protocol).
-
When Firewalla is in DHCP mode, it sort of creates another network within your existing network. Not sure if your network looks like this; just an example:
[internet] <-----> router <-----> Firewalla <---> deviceA
For the internet to reach deviceA, you will need to do the following:
- Port forward to Firewalla
- On Firewalla, you will need to port forward again
- a. Tap on devices
- b. Tap on the device you wish to forward to
- c. Tap on the device name, tap on port forward, tap on +
-
So that's great if the device is migrated over to the Firewalla network. If the device is on the router network, are there any options? Part of my concern is that when I run the Firewalla port scan, the open ports on the router don't show up. Is that an accurate representation? The only open ports are on the Firewalla network.
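The two-hop forward described in the DHCP-mode post above (router forwards to the Firewalla, Firewalla forwards again to the device) and the single-hop case asked about in the last comment (device left on the router network), as an added example. This is not Firewalla's code or anything posted in the thread; the rule tables, the addresses, and the 192.168.218.0/24 inner range are constructed assumptions, and `trace`, `explain` and `tcp_reachable` are names chosen here. `trace` follows an inbound packet through both tables and reports where the chain stops short; `tcp_reachable` is the plain TCP connect that repeats the experiment suggested earlier from whichever network you run it on.

```python
"""Trace an inbound port-forward through a router and a Firewalla in DHCP mode.

Added example for this thread; it is not Firewalla's code. The rule tables,
IP addresses and the 192.168.218.0/24 inner range are constructed assumptions.
"""
import socket

# Constructed router-side forwarding table: (proto, WAN port) -> (LAN ip, port).
ROUTER_RULES = {
    ("tcp", 8443): ("192.168.1.50", 8443),  # device left on the router LAN
    ("tcp", 2222): ("192.168.1.10", 2222),  # first hop: forward to the Firewalla
    ("tcp", 3333): ("192.168.1.10", 3333),  # first hop only; second hop missing
}
FIREWALLA_ROUTER_SIDE_IP = "192.168.1.10"  # assumed: Firewalla's address on the router LAN
# Constructed Firewalla forwarding table: (proto, port on Firewalla) -> (inner ip, port).
FIREWALLA_RULES = {
    ("tcp", 2222): ("192.168.218.20", 22),  # second hop: device on the Firewalla network
}


def trace(proto, port, router_rules, firewalla_ip, firewalla_rules):
    """Follow a packet arriving at the router WAN on (proto, port).

    Returns (hops, endpoint). hops lists every (ip, port) the packet is sent to;
    endpoint is the final (ip, port), or None if the chain stops short.
    """
    hops = []
    first = router_rules.get((proto, port))
    if first is None:
        return hops, None                      # router has no rule: dropped
    hops.append(first)
    ip, p = first
    if ip != firewalla_ip:
        return hops, first                     # single NAT: device on router LAN
    second = firewalla_rules.get((proto, p))
    if second is None:
        return hops, None                      # double NAT, second hop missing
    hops.append(second)
    return hops, second


def explain(proto, port, router_rules, firewalla_ip, firewalla_rules):
    """Human-readable verdict for one port."""
    hops, end = trace(proto, port, router_rules, firewalla_ip, firewalla_rules)
    if end is None and not hops:
        return f"{proto}/{port}: no router rule; closed from the internet"
    if end is None:
        return (f"{proto}/{port}: router forwards to Firewalla {hops[0]} but the "
                f"Firewalla has no {proto}/{hops[0][1]} rule; add the second hop")
    nat = "double NAT" if len(hops) == 2 else "single NAT"
    return f"{proto}/{port}: reaches {end[0]}:{end[1]} via {nat}"


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect test. Run it from a host on the router LAN and again
    from a host on the Firewalla network, against the DDNS name and against
    the device's LAN address, and compare the four results."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for proto, port in sorted(ROUTER_RULES) + [("udp", 2222)]:
        print(explain(proto, port, ROUTER_RULES, FIREWALLA_ROUTER_SIDE_IP, FIREWALLA_RULES))
```

Run it as-is to see the three outcomes on the constructed tables (single NAT, complete double NAT, and a first hop with no matching Firewalla rule); replace the tables with your own router and Firewalla entries to check a real setup. Only TCP connects are tested by `tcp_reachable`; a UDP service needs a protocol-specific probe.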