This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Opening Inbound Ports to More Than One Private IP Address

Hi Guys,

I was hoping someone could answer a questions regarding port forwarding for me. I understand how to setup a DNAT to a single private IP address from an external IP address but I'm wondering how I would DNAT to a whole subnet? I'm trying to open ports inbound for a Vonage Cloud pbx and they require multiple ports to be open for their IP phones (172.16.99.0/24)

I've created a service definition group with the required ports and under Network Protection --> Firewall --> Rule:

Source: Data Lan (Network)

Service: Vonage Service Definition Group

Destination: Any IPv4

 

How can I open the ports for inbound to more than one private IP address?

 

Thanks for any help!



This thread was automatically locked due to age.
  • I am pretty sure that you want a masquerading rule, not a DNAT.   The phones will be the source, client connections use a randomly-assigned source port.   The destination will be a specific port on a Vonage server. 

    The point of their requirement is that you need to allow outbound connections to their designated port.   Many configurations will allow all outbound traffic by default.  More cautious configurations will block unneeded ports until a specific reason is given to open them up.   The more restrictive configuration strategy makes an infection less able to connect to a bot controller for instructions.

  • Thank you for the quick reply Douglas! They have a masquerading rule setup so that the phones and PCs (All in the same LAN) use their public IP for internet access and they're able to register the phones. Would that masquerading rule suffice and the firewall rule in my first post suffice?

    I'm new to the world of firewalls and was hoping you could answer one more question for me, please? If I have a device such as an IP phone register to a sip server with a public IP address and I allow outbound traffic to that public IP address do I need to setup any DNAT or something to allow inbound traffic back to the IP phones? My understanding of DNAT was for uninitiated connections from outside traffic into the firewall. I.e. I have a domain controller sitting in my house and I've opened a specific port for RDP traffic to my WAN interface and then translated to the private IP address of the domain controller using port 3389.

     

    Any help would be greatly appreciated and thanks again!

     

     

     

  • Modern firewalls, including UTM, are "stateful", which means that they keep track of the state of each connection.   Most of the enforcement applies to the initial connection.   When a properly constructed reply is received on an open connection, the packet is accepted.   So you only need a one-way rule.   Replies to non-existent conversations and replies with an invalid sequence number will be identified as rogue packets and will be blocked.

    How IP connections work:

    Initiation:  A process asks for the operating system for an unused port number, which is assigned from a pool of high-numbered ports.   This port number and the IP address of the outbound NIC provide a unique identification of the sender.    The sending process has to know the target system and IP address, which is also part of the outbound packet.   A lot of processes use "well known" port numbers to make things easy, such as http on port 80 and https on port 443.    Of course, DNS can be used to obtain an IP address from a known host name.

    How Masquerading works:

    The internal system initiates a connection.   Assume the source is 10.10.10.10:50000 and the destination is 1.1.1.1:53   The firewall receives the outbound packet, then replaces the source IP and port with one of its own, such as a.b.c.d:42106.   The destination address remains unchanged.  When the reply is received to the correct firewall IP address and port, the destination information is replaced with the original value of 10.10.10.10:50000 and the packet is retransmitted.

    Masquerading is a type of NAT, where the destination is chosen from a pool.   Because many devices share the pool, it can only work for initiating outbound connections.

    The other types of NAT withing UTM are one-to-one mappings.   As a result, they can be used for either incoming or outgoing connections, but they cannot tolerate ambiguity.  DNAT replaces the Destination side of the packet, so it is usually used to allow inbound connections, translating a destination address-port owned by the firewall into a private IP address-port on your internal or DMZ network.    SNAT replaces the source address-port.   This is most often used to force the firewall to use a specific source address for outbound traffic from a specific server.  Full NAT replaces both source and destination addresses.    It is used mostly in VPN tunnels to resolve conflicts between the private IP address used on either side of the tunnel.

    Closing a connecton:

    Connection termination involves two packets:   one end says "good bye" and the other end says "got it".   UTM drops the connection as soon as it sees the "good bye" packet, so the "got it" packet is blocked because UTM has forgotten that the connection already exists.   The blocked "got it" packet will appear in the firewall log.   This is noise and can be ignored.   The packets will have TCPflags of "RST" or "FIN".