Description:

This document describes which parts of the configuration should be checked and which traces can be performed if port forwarding is not working.


Requirements:


Scenario:

1) The LANCOM router establishes the Internet connection directly:

  • The database server at the headquarters should be accessible via the public IP address or the public DNS name of the headquarters and the TCP port 46509.
  • For this purpose, a port forwarding was set up in the LANCOM router at the headquarters to the local IP address of the database server (192.168.66.109) and the TCP port 46509. 
  • However, after being set up, the database server cannot be reached at the public IP address (81.81.81.81:46509) or at the public DNS name (e.g. headquarters.test.com:46509).


2) The Internet connection is established by another router upstream of the LANCOM router:

  • Upstream from the main router at the headquarters (router 1), another router (router 2) is used to provide the Internet connection.
  • The database server at the headquarters should be accessible via the public IP address or the public DNS name of the headquarters and the TCP port 46509.
  • For this purpose, a port forwarding was set up in router 1 at the headquarters to the local IP address of the database server (192.168.66.109) and the TCP port 46509. 
  • However, after being set up, the database server cannot be reached at the public IP address (81.81.81.81:46509) or at the public DNS name (e.g. headquarters.test.com:46509).


Procedure:

1) Common items (scenario 1 and 2):

1.1) Deactivate hardware NAT:

Some routers feature hardware NAT. This makes it theoretically possible to use a masked internet connection (NAT) at the negotiated port speed.

Because hardware NAT does not work correctly and can be problematic when enabled, LANCOM Systems recommends that hardware NAT should always be deactivated.

The following devices support the hardware NAT feature:

  • 1781EF+
  • 1781EW+
  • 1781VA
  • 1781VAW
  • 1781VA-4G
  • WLC-4006+

This feature is located under Interfaces → LAN.


1.2) Check the default gateway on the forwarding destination:

Check on the forwarding destination device in the network to see whether the correct default gateway has been entered. The default gateway must be set as the LANCOM router at the headquarters (scenario 1) or as router 1 (scenario 2).


1.3) Check that the IP address resolved by the DNS name matches the actual public IP address:

With access based on a DNS name, you should check that the IP address resolved via the DNS name matches the actual public IP address. If this is not the case, check that port forwarding works at all by entering the public IP address.



2) Set up port forwarding on an upstream LANCOM router (scenario 2):

If a further, upstream router is used, the required ports on this device must be forwarded to the main router.

If you are using a router from another manufacturer, approach them for information about the appropriate procedure.

2.1) Open the configuration for router 2 in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.

2.2) Create a new entry and adjust the following parameters (this example being the TCP port 46509):

  • First port: Enter the port that should be forwarded.
  • Last port: Enter the port that should be forwarded. If several ports are to be forwarded, you can specify a higher port number here. All of the ports in this range will be forwarded.
  • Intranet address: Specify the WAN address of router 1 in the intermediate network (in this example 10.0.254).
  • Protocol: Select the protocol (TCP, UDP or TCP + UDP) from the drop-down menu.



3) Create a firewall rule to allow incoming communication:

If there is a firewall rule blocking the incoming data traffic on the port used for port forwarding, an exception rule must be created that permits communication.

3.1) Navigate to the menu Firewall/QoS → IPv4 rules → Rules.

3.2) Create a new firewall rule and give it a descriptive name.

3.3) Go to the Actions tab, mark the object REJECT and click on Delete.

3.4) Click on Add and choose the object ACCEPT.

3.5) Go to the Stations tab, select the option Connections from the following stations and click on Add → Add custom station.

3.6) Select the option An IP address or range of addresses and use From IP address and To IP address to specify the IP address of the forwarding destination (in this example 192.168.66.109).

3.7) Go to the Services tab, choose the option the following protocols/target services and click Add → Add custom service.


3.8) Enter the following parameters:

  • Select the IP protocol (in this example TCP).
  • Enter the port(s) to be used (in this example the port 46509).

3.9) This concludes the configuration of the firewall rule. Write the configuration back to the router.



4) Disconnect and re-establish the Internet connection:

After setting up port forwarding, it may be necessary to disconnect from the Internet so that the connection is re-established. This applies in particular if the port forwarding is operated through a VPN tunnel.

Proceed as follows to disconnect from the Internet:

Connect to the router with LANmonitor, mark the Internet connection, right-click to open the context menu and click Disconnect.

Alternatively, you can do this from the command-line interface with the command do Other/Manual-Dialing/Disconnect <name of the Internet connection> (e.g. do Other/Manual-Dialing/Disconnect INTERNET).



5) Creating traces for further analysis (scenarios 1 and 2):

For scenario 2 with two LANCOM routers, traces must be created on both devices. 

Using the LANtracer (in LANconfig) or from the command line, perform an IP router trace that filters for the local IP address (in this example 192.168.66.109) and the port (in this example 46509):

Trace configuration for LANtracer:

Port-Forwarding.lcg

The trace configuration contains the IP router trace and the firewall trace. The filter parameter "port: 46509" restricts the output to port 46509. If your forwarding uses a different port or local IP address, change these values in the file with a text editor before loading it.


The following describes how to create the traces using the CLI:

5.1) Use the CLI to connect and enter the command tr # ip-router @ <IP-address> +"port: <port>" (e.g. tr # ip-router @ 192.168.66.109 +"port: 46509").

In scenario 2, the IP router trace on router 2 has to be filtered for the IP address of router 1 in the intermediate network.

Search parameters separated by a space must be grouped inside quotation marks (e.g. "port: 46509"), otherwise an "OR" operator takes effect and the trace line is output if just one of the parameters is included. 

5.2) Using the Internet, access the public IP address (81.81.81.81:46509) or the public DNS name (e.g. headquarters.test.com:46509).

If the port forwarding is not working, the trace remains empty (see figure).

5.3) Another fault pattern is that the port forwarding takes effect and the router transports the packets from the WAN into the LAN, but the receiver (e.g. the server) does not respond.

One reason could be that port forwarding was set with the wrong local IP address, or there is an error in the internal structure of your LAN.

In this case, perform an IP router trace with the command tr # ip-router @ "port: <port>" (e.g. tr # ip-router @ "port: 46509"), which would give the following result (see figure).

All we see are SYN packets (as shown by the flag: S), which are being transported from the WAN (remote station NETAACHEN) to the LAN (INTRANET) but are not being answered with a SYN/ACK packet from the receiver.

5.4) If communication is being blocked by a firewall rule, the IP router trace will output the message Filter (port).

In this case, a Firewall trace has to be created to check which firewall rule is blocking the communication.

To do this, execute the command tr # firewall @ "port: <port>" (e.g. tr # firewall @ "port: 46509").

In this example, communication is being blocked by the DENY-ALL firewall rule.

In this case, the incoming communication must be allowed by means of an exception rule in the firewall (see step 3).

5.5) If port forwarding is functioning properly, the IP router trace shows the TCP handshake taking place, among other things:

  • The requesting client sends a SYN packet (as shown by the flag: S) with a sequence number to the destination port (here: 46509).
  • If the port is open, the server acknowledges receipt of the first SYN packet and approves the connection by responding with a SYN/ACK packet (as shown by the flag: SA).
  • Finally, the client confirms that it received the SYN/ACK packet by returning an ACK packet of its own (as shown by the flag: A) with the sequence number.
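The fault patterns of steps 5.2 to 5.5 can be told apart mechanically from the trace contents. The following script is an added example and not part of the LANCOM article: it assumes a simplified, constructed trace line format (the real output of tr # ip-router is only shown in the figures above) and classifies a trace as empty, firewall-filtered, unanswered SYN, or complete handshake.

```python
import re

# Constructed, simplified trace lines for illustration only; the real
# "tr # ip-router" output format is not reproduced on the page (assumption).
SERVER_IP = "192.168.66.109"
FORWARD_PORT = 46509

LINE_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"TCP flag: (?P<flags>[SA]+)"
)

def diagnose(trace_lines, server_ip=SERVER_IP, port=FORWARD_PORT):
    """Map trace contents to the fault patterns of steps 5.2 to 5.5."""
    lines = [ln for ln in trace_lines if ln.strip()]
    if not lines:
        return "NO_TRACE"            # 5.2: forwarding is not taking effect at all
    if any("Filter (port)" in ln for ln in lines):
        return "FIREWALL_BLOCKED"    # 5.4: run the firewall trace next
    syn_in = syn_ack_out = ack_in = False
    for ln in lines:
        m = LINE_RE.search(ln)
        if not m:
            continue
        flags = m["flags"]
        to_server = m["dst"] == server_ip and int(m["dport"]) == port
        from_server = m["src"] == server_ip and int(m["sport"]) == port
        if to_server and flags == "S":
            syn_in = True
        elif from_server and flags == "SA":
            syn_ack_out = True
        elif to_server and flags == "A":
            ack_in = True
    if syn_in and syn_ack_out and ack_in:
        return "OK"                  # 5.5: complete handshake seen
    if syn_in and not syn_ack_out:
        return "NO_RESPONSE"         # 5.3: wrong local IP or LAN problem
    return "INCONCLUSIVE"            # no SYN towards the forwarding target

# Constructed sample traces (203.0.113.10 is a documentation address for the client).
NO_RESPONSE_TRACE = [
    "NETAACHEN -> INTRANET 203.0.113.10:51234 -> 192.168.66.109:46509 TCP flag: S seq: 1001",
    "NETAACHEN -> INTRANET 203.0.113.10:51234 -> 192.168.66.109:46509 TCP flag: S seq: 1001",
]
OK_TRACE = NO_RESPONSE_TRACE[:1] + [
    "INTRANET -> NETAACHEN 192.168.66.109:46509 -> 203.0.113.10:51234 TCP flag: SA seq: 7000",
    "NETAACHEN -> INTRANET 203.0.113.10:51234 -> 192.168.66.109:46509 TCP flag: A seq: 1002",
]
BLOCKED_TRACE = NO_RESPONSE_TRACE[:1] + ["Filter (port) 203.0.113.10:51234 -> 192.168.66.109:46509"]
```

Calling diagnose() with a server_ip that differs from the traced destination returns INCONCLUSIVE, which is the symptom of a port forwarding pointed at the wrong local address.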