
Port Forwarding on RED

Hello,

We have three devices in our network.

ADSL Router:
WAN IP - 185.168.41.75 (static)
LAN IP - 192.168.1.1

RED10:
WAN IP - 192.168.1.2
LAN IP - 50.50.50.1

CCTV DVR:
Port - 91
LAN IP - 50.50.50.233

We would like to access our DVR from the internet. We have enabled DMZ on our router on IP 192.168.1.2 (which is the RED10 device). And on the UTM, we have defined a DNAT rule with the destination being the DVR for all port 91.

We'd imagine this would work when we type 185.168.41.75:91 but unfortunately this configuration isn't working.

Any thoughts on what we are doing wrong here?

Thanks! :)



  • Can you show a screenshot of your DNAT rule?

    How is your RED tunnel configured (standard unified or any of the split settings)?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello apijnappels,

    The RED is configured in split mode. I would like to point out that I have configured the RED with a static IP of 192.168.1.3 and GW of 192.168.1.1 (which is my ADSL router) in RED Client Management. Like I mentioned earlier, DMZ is enabled on the router with the WAN IP of the RED (i.e. 192.168.1.3).

    Here is the screenshot of the DNAT rule:

    Vasu 01 (50.50.50.1) is my RED network and Vasu DVR_Basement is my CCTV DVR (50.50.50.233).

    Your help is much appreciated.

    Thanks!

  • I think your problem is the split tunneling feature in combination with DNAT. Traffic from the DNAT rule will still come from an external IP-address which your RED network would most likely route directly to the internet (and not back to your UTM).

    It might work if you change the DNAT rule to a Full-NAT rule, but I haven't tried such a thing. You could try it like this:

    For traffic from: any (or Internet IPv4)
    Using service: 90 (as in your screenshot)
    Going to: External WAN (Address) (this must be the public interface of the UTM where the traffic arrives).

    Change destination to: VASU DVR_Basement
    And the service: <leave blank if service is also 90>

    Change source to: UTM Internal (Address)
    And the service: <leave blank>

    This way you tell the UTM that traffic arriving on the correct interface on port 90 should be routed to the vasu dvr_basement destination but (important!) change the source to be your own UTM (or any other device inside your UTM network that is also in the RED tunnel's split network).

    Your destination network will then see traffic coming from UTM and send back replies.

    Like I said, I haven't done anything like this, so I'm not sure that it works, but it might just work with a Full NAT rule.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • You were right apijnappels! It worked! Thanks a ton!

    Could you, however, kindly explain why you think the previous configuration wasn't working? Logically what I did made sense. For it to not work was quite weird.

    Thanks!

  • I already tried to explain it but I'll try again:

    Your DNAT rule did indeed translate and route traffic to the correct device behind your RED but the source of this traffic is then still the public IP-address of the host trying to reach your device (so basically an IP-address somewhere on the internet).

    If your device then sends back acknowledgement packets it will send them back to this address on the internet, but because you have split tunneling it will not send them out the same way they came in, but instead it will send them out on the internet connection at the RED location.

    Then the original source will get an ACK packet from your RED's internet location but it never sent anything there and thus will discard that packet.

    Now with the Full-NAT rule in place the UTM will not only change the destination to the device behind your NAT, but also changes the source address to an address that goes into the split-tunnel to your UTM. So your ACK packets will be sent back to the UTM which has a connection tracker and thus knows that the ACK coming from your device should again be passed on to the original source using the same internet connection as where the traffic was delivered in the first place.

    Make sense now?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
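The asymmetric-routing failure explained in the reply above, as an added Python model (example code, not part of this thread and not Sophos UTM code). It replays both configurations: a plain DNAT, where the DVR's reply leaves through the RED site's own internet connection, and a Full NAT (DNAT plus source rewrite), where the reply re-enters the tunnel and the UTM's connection tracker restores the original addresses. The DVR (50.50.50.233), the RED-site public address (185.168.41.75) and the split-tunnel behaviour come from the thread; the internet client, the UTM's public and internal addresses and the UTM's internal network are constructed assumptions.

```python
import ipaddress

# Addresses from the thread
DVR = "50.50.50.233"               # CCTV DVR behind the RED
RED_SITE_PUBLIC = "185.168.41.75"  # ADSL router at the RED site (masquerades local traffic)
DVR_PORT = 91

# Constructed assumptions (not from the thread)
CLIENT = "203.0.113.10"            # a host on the internet opening the DVR stream
UTM_PUBLIC = "198.51.100.1"        # the UTM's "External WAN (Address)"
UTM_INTERNAL = "10.10.10.1"        # the UTM's "Internal (Address)"
# Split tunnel: only these networks are routed from the RED site into the tunnel.
SPLIT_NETWORKS = [ipaddress.ip_network("10.10.10.0/24")]


def red_egress(dst: str) -> str:
    """Routing decision at the RED site for a packet to ``dst``:
    into the tunnel (towards the UTM) or straight out the local ADSL line."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in SPLIT_NETWORKS) else "local_internet"


def simulate(full_nat: bool) -> dict:
    """Walk one request/reply through the UTM NAT rule and the RED site.

    full_nat=False models the original DNAT rule (destination rewritten only).
    full_nat=True models the Full NAT rule (destination and source rewritten).
    Returns where the reply went and whether the client can match it to
    the connection it opened (same peer address it sent to)."""
    conntrack = {}  # UTM connection tracker: reply tuple -> original (src, dst)

    # 1. Client sends to the UTM's public address on the DVR port.
    pkt = {"src": CLIENT, "dst": UTM_PUBLIC, "dport": DVR_PORT}
    original = (pkt["src"], pkt["dst"])

    # 2. UTM applies the NAT rule and remembers the mapping.
    pkt["dst"] = DVR
    if full_nat:
        pkt["src"] = UTM_INTERNAL
    conntrack[(pkt["dst"], pkt["src"])] = original

    # 3. DVR answers to whatever source address it saw on the request.
    reply = {"src": DVR, "dst": pkt["src"]}
    path = red_egress(reply["dst"])

    if path == "local_internet":
        # Reply bypasses the UTM; the ADSL router masquerades it with the
        # RED site's public address, so the client sees an unknown peer.
        reply["src"] = RED_SITE_PUBLIC
    else:
        # Reply re-enters the tunnel and the UTM's conntrack reverses the NAT.
        orig_src, orig_dst = conntrack[(reply["src"], reply["dst"])]
        reply = {"src": orig_dst, "dst": orig_src}

    client_accepts = reply["dst"] == CLIENT and reply["src"] == UTM_PUBLIC
    return {
        "reply_path": path,
        "reply_src": reply["src"],
        "reply_dst": reply["dst"],
        "client_accepts": client_accepts,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("Full NAT" if mode else "DNAT only", simulate(mode))
```

Two things worth checking in a real deployment follow from the model: with the Full NAT rule the DVR's own logs record the UTM's internal address as the peer for every session, so the real remote source is only visible in the UTM's firewall log, and any access restriction on the DVR side has to be enforced on the UTM (the "For traffic from" field) rather than on the DVR.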

  • Hello apijnappels,

    I have the same situation.

    I have configured full-nat as you explain and I can reach my device under the RED LAN through the public IP of the UTM.

    How can I reach a device under the RED LAN through the public IP of the remote site where the RED is connected?

  • AlessandroCretti said:

    Hello apijnappels,

    I have the same situation.

    I have configured full-nat as you explain and I can reach my device under the RED LAN through the public IP of the UTM.

    How can I reach a device under the RED LAN through the public IP of the remote site where the RED is connected?

    Since you can't manage the RED, the RED is not able to do this. However if you have another router between your internet connection and the RED, then maybe it's possible by making the following changes:

    1) Make sure to have this router as "default gateway" inside your RED's location's network
    2) You must add a routing entry in this router's routing table for all networks in the RED tunnel to be delivered to the RED
    3) Configure port forwarding in this router to the device in the LAN.

    Beware though that by doing this, you are not protected in any way by the UTM because all traffic coming in directly will never pass the UTM. Therefore I advise against this setup and staying with the Full-NAT rule which is already working.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you very much for your quick reply.

    So I think I'll stay with the full-nat configuration as you suggest.