njuskalonjusko 0 Posted ...

Sorry if this has already been discussed or solved but just couldn't find the relevant info and possible solution.

The scenario is the following: I have 2 devices that use the same internal port, and to be accessed from outside they require different external ports. The internal ports of these devices cannot be changed at all.

I.e.
first device ext. 65500 - int. 8899 / 192.168.1.100
second device ext. 65501 - int. 8899 / 192.168.1.101

So is it possible to forward 65500 to 8899 but only to 192.168.1.100 and then forward 65501 to 8899 but only to 192.168.1.101?

I'm using R7000 with tomato, already using iptables for port forwarding, but couldn't solve the above.

Thank you very much in advance!

zhang888 1066 Posted ...

> So is it possible to forward 65500 to 8899 but only to 192.168.1.100 and then forward 65501 to 8899 but only to 192.168.1.101 ?

Yes it is.
What part of this is not working for you?
Can you post us some info from the port forwarding configuration page, or the iptables rules you are using?

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

njuskalonjusko 0 Posted ...

> > So is it possible to forward 65500 to 8899 but only to 192.168.1.100 and then forward 65501 to 8899 but only to 192.168.1.101 ?
>
> Yes it is.
> What part of this is not working for you?
> Can you post us some info from the port forwarding configuration page, or the iptables rules you are using?

Thank you for your reply. Here are firewall rules for *100 and *101

    iptables -I FORWARD -i tun11 -p udp -d 192.168.1.100 --dport 8899 -j ACCEPT
    iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.100 --dport 8899 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8899 -j DNAT --to-destination 192.168.1.100
    iptables -t nat -I PREROUTING -i tun11 -p udp --dport 8899 -j DNAT --to-destination 192.168.1.100

    iptables -I FORWARD -i tun11 -p udp -d 192.168.1.101 --dport 8899 -j ACCEPT
    iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.101 --dport 8899 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8899 -j DNAT --to-destination 192.168.1.101
    iptables -t nat -I PREROUTING -i tun11 -p udp --dport 8899 -j DNAT --to-destination 192.168.1.101

On airvpn port forward page I can only forward to port 8899 and not to a specific ip. So forwarding 65500 to 8899 and 65501 to 8899 makes no use as they are basically forwarded to 8899 internally but without specific ip.

zhang888 1066 Posted ...

> On airvpn port forward page I can only forward to port 8899 and not to a specific ip. So forwarding 65500 to 8899 and 65501 to 8899 makes no use as they are basically forwarded to 8899 internally but without specific ip.

That's part of the misconfiguration that you have.
On the Air port-forwarding page, you should only forward all your external ports to your OpenVPN IP (The one that starts with 10.xx).
Then in your router, you should "catch" the incoming connections and throw them to your NATted 192.168.xx.xx clients using the iptables rules.
So obviously 8899 is only part of the rules you need, the others that you need are for the external ports.

Does this make sense to you, or you want the iptables pseudo-rules?

njuskalonjusko 0 Posted ...

> > On airvpn port forward page I can only forward to port 8899 and not to a specific ip. So forwarding 65500 to 8899 and 65501 to 8899 makes no use as they are basically forwarded to 8899 internally but without specific ip.
>
> That's part of the misconfiguration that you have.
> On the Air port-forwarding page, you should only forward all your external ports to your OpenVPN IP (The one that starts with 10.xx).
> Then in your router, you should "catch" the incoming connections and throw them to your NATted 192.168.xx.xx clients using the iptables rules.
> So obviously 8899 is only part of the rules you need, the others that you need are for the external ports.
>
> Does this make sense to you, or you want the iptables pseudo-rules?

Thanks, this makes sense, but please help with router config part. Regarding airvpn-port-forward config, everything is as you noted: port xxxxx, local port 8899, mapped to 10.xx

I have no idea how to configure the router though

zhang888 1066 Posted ...

    iptables -I FORWARD -i tun11 -p udp -d 192.168.1.100 --dport XXXXX -j ACCEPT
    iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.100 --dport XXXXX -j ACCEPT
    iptables -t nat -I PREROUTING -i tun11 -p tcp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899
    iptables -t nat -I PREROUTING -i tun11 -p udp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899

    iptables -I FORWARD -i tun11 -p udp -d 192.168.1.101 --dport YYYYY -j ACCEPT
    iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.101 --dport YYYYY -j ACCEPT
    iptables -t nat -I PREROUTING -i tun11 -p tcp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899
    iptables -t nat -I PREROUTING -i tun11 -p udp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899

Staff 10016 Posted ...

> On airvpn port forward page I can only forward to port 8899 and not to a specific ip. So forwarding 65500 to 8899 and 65501 to 8899 makes no use as they are basically forwarded to 8899 internally but without specific ip.

Hello,

it makes no difference. Your rules as well as zhang888 rules look fine and everything should be working: the router will forward everything for both services. In case you need further discernment, configure the services to listen to two different ports and configure your Air ports panel and your router iptables accordingly.

Kind regards

njuskalonjusko 0 Posted ...

>     iptables -I FORWARD -i tun11 -p udp -d 192.168.1.100 --dport XXXXX -j ACCEPT
>     iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.100 --dport XXXXX -j ACCEPT
>     iptables -t nat -I PREROUTING -i tun11 -p tcp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899
>     iptables -t nat -I PREROUTING -i tun11 -p udp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899
>
>     iptables -I FORWARD -i tun11 -p udp -d 192.168.1.101 --dport YYYYY -j ACCEPT
>     iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.101 --dport YYYYY -j ACCEPT
>     iptables -t nat -I PREROUTING -i tun11 -p tcp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899
>     iptables -t nat -I PREROUTING -i tun11 -p udp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899

Thanks, XXXXX and YYYYY I assume you refer to airvpn forwarded ports / airvpn config? If so, it doesn't work though.

On airvpn-config forwarded XXXXX to 8899 and YYYYY to 8899, error 111 - connection refused when using check

EDIT: works now, I stupidly replaced your rules over mine, just figured yours were an addition, not a replacement!

EDIT: doesn't work as it should: both XXXXX and YYYYY are forwarded to 192.168.1.100, rather than XXXXX only to *.100 and YYYYY only to *.101

Any ideas?

Thanks

njuskalonjusko 0 Posted ...

EDIT: seems to be solved by forwarding XXXXX from Airvpn to XXXXX in iptables, rather than XXXXX to 8899.
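
The configuration the thread ends up with, consolidated as an added example that is not code from any poster: `gen_rules` prints one rule set per device and `find_dnat_conflicts` flags the overlap in the first rule set posted, where one `--dport` is DNATed to two hosts. Both function names are hypothetical; `tun11`, the addresses and the ports come from the thread, and the forwarded port is assumed to arrive on the tunnel with its number unchanged, as in the last post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes tunnel interface tun11 (as in
# the thread) and that each forwarded port arrives on the tunnel unchanged.
IFACE="${IFACE:-tun11}"

# gen_rules EXT_PORT LAN_IP INT_PORT: print the four iptables commands.
gen_rules() {
    ext=$1; ip=$2; int=$3
    for p in "$ext" "$int"; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    for proto in tcp udp; do
        # nat/PREROUTING matches the port as it arrives on the tunnel.
        echo "iptables -t nat -I PREROUTING -i $IFACE -p $proto --dport $ext -j DNAT --to-destination $ip:$int"
        # filter/FORWARD runs after DNAT: it sees the rewritten IP and port.
        echo "iptables -I FORWARD -i $IFACE -p $proto -d $ip --dport $int -j ACCEPT"
    done
}

# find_dnat_conflicts: read iptables commands on stdin and print every
# interface/protocol/dport that is DNATed to more than one destination.
find_dnat_conflicts() {
    awk '/ -j DNAT / {
        i = p = d = t = ""
        for (n = 1; n < NF; n++) {
            if ($n == "-i") i = $(n + 1)
            if ($n == "-p") p = $(n + 1)
            if ($n == "--dport") d = $(n + 1)
            if ($n == "--to-destination") t = $(n + 1)
        }
        k = i "/" p "/" d
        if (index(dst[k] " ", " " t " ") == 0) { dst[k] = dst[k] " " t; cnt[k]++ }
    }
    END { for (k in cnt) if (cnt[k] > 1) print k " ->" dst[k] }' | sort
}

# The two devices from the thread: same internal port, distinct external ports.
gen_rules 65500 192.168.1.100 8899
gen_rules 65501 192.168.1.101 8899
```

The script only prints commands; piping an existing firewall script through `find_dnat_conflicts` before applying it shows any port that would be sent to a single host regardless of the intended split.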