Solved [IPFW] Port forwarding doesn't work

I have a router on FreeBSD (13.3-RELEASE-p3) with NAT via ipfw.
ifconfig
Code:
age0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c319b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
        ether 00:1e:8c:b9:79:81
        inet 217.151.68.36 netmask 0xfffffff8 broadcast 217.151.68.39
        inet 217.151.68.35 netmask 0xfffffff8 broadcast 217.151.68.39
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2008<VLAN_MTU,WOL_MAGIC>
        ether 00:c0:26:a6:9b:0b
        inet 172.22.1.1 netmask 0xffff0000 broadcast 172.22.255.255
        inet 172.23.1.1 netmask 0xffff0000 broadcast 172.23.255.255
        inet 172.24.1.1 netmask 0xffff0000 broadcast 172.24.255.255
        inet 172.25.1.1 netmask 0xffff0000 broadcast 172.25.255.255
        inet 172.26.1.1 netmask 0xffff0000 broadcast 172.26.255.255
        inet 172.27.1.1 netmask 0xffff0000 broadcast 172.27.255.255
        inet 172.28.1.1 netmask 0xffff0000 broadcast 172.28.255.255
        inet 172.29.1.1 netmask 0xffff0000 broadcast 172.29.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:c0:26:a6:9b:0b
        inet 172.16.1.1 netmask 0xffff0000 broadcast 172.16.255.255
        groups: vlan
        vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: rl0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:c0:26:a6:9b:0b
        inet 172.17.1.1 netmask 0xffff0000 broadcast 172.17.255.255
        groups: vlan
        vlan: 4 vlanproto: 802.1q vlanpcp: 0 parent interface: rl0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


In my LAN I have a wifi router (Keenetic) with WAN IP 172.22.26.1 and LAN IP 192.168.1.1.

Behind the wifi router I have a server with IP 192.168.1.207, listening on tcp/9797.

Here is a map:
[network map screenshot: image not included]


I did port forwarding on the wifi router, so I can connect to the server from FreeBSD:
Code:
root@router2_down:/home/ishayahu # telnet 172.22.26.1 9797
Trying 172.22.26.1...
Connected to 172.22.26.1.
Escape character is '^]'.
a
Connection closed by foreign host.

I tried to set up port forwarding on FreeBSD, but it doesn't work.

/usr/local/etc/ipfw/rc.firewall
Code:
#!/bin/sh

#### Variables ####

wan="age0"
wan_ip="217.151.68.36"
lan="rl0"
lan_ip="172.22.1.1"

cmd="ipfw -q"

#### Rules ####

$cmd -f flush

# Rules for vlans
# vlan 3
$cmd add 00030 deny ip from any to any recv vlan3 xmit rl0 out
$cmd add 00032 deny ip from any to any recv rl0 xmit vlan3 out
$cmd add 00034 deny ip from any to any recv vlan3 xmit vlan4 out
$cmd add 00036 deny ip from any to any recv vlan4 xmit vlan3 out

# vlan 4
$cmd add 00040 deny ip from any to any recv vlan4 xmit rl0 out
$cmd add 00045 deny ip from any to any recv rl0 xmit vlan4 out



# Allow all traffic for local interface
$cmd add 100 allow ip from any to any via lo0

# Deny access from out to local if
$cmd add 200 deny ip from any to 127.0.0.0/8
$cmd add 300 deny ip from 127.0.0.0/8 to any

# Allow ssh
$cmd add 400 allow tcp from any to $wan_ip 4322 in via $wan
$cmd add 410 allow tcp from $wan_ip 4322 to any out via $wan established
$cmd add 420 allow tcp from any to $lan_ip 4322 in via $lan
$cmd add 430 allow tcp from $lan_ip 4322 to any out via $lan established


# allow 1c for restaurant
$cmd add 470 allow tcp from any to $wan_ip 9797 in via $wan
$cmd add 480 allow tcp from $wan_ip 9797 to any out via $wan established
$cmd add 481 allow tcp from any to $lan_ip 9797 in via $lan
$cmd add 482 allow tcp from $lan_ip 9797 to any out via $lan established


# Allow DNS queries
$cmd add 500 allow udp from any to $wan_ip 53 in via $wan
$cmd add 510 allow udp from $wan_ip 53 to any out via $wan established

# Allow UDP (for time sync - 123 port)
$cmd add 600 allow udp from any to $wan_ip 123 in via $wan
$cmd add 610 allow udp from $wan_ip 123 to any out via $wan established

# Allow all connections on lan
$cmd add 900 allow all from any to any via $lan

# Rules for vlans
$cmd add 00903 allow ip from any to any via vlan3
$cmd add 00904 allow ip from any to any via vlan4

# Allow NAT
$cmd nat 1 config log if $wan same_ports unreg_only reset redirect_port tcp 172.22.26.1:9797 9797
$cmd add 1000 nat 1 log ip from any to any via $wan

# Deny all other
$cmd add 65534 deny log all from any to any


ipfw show
Code:
00030      650       33800 deny ip from any to any recv vlan3 xmit rl0 out
00032     5547      371705 deny ip from any to any recv rl0 xmit vlan3 out
00034        0           0 deny ip from any to any recv vlan3 xmit vlan4 out
00036        0           0 deny ip from any to any recv vlan4 xmit vlan3 out
00040        0           0 deny ip from any to any recv vlan4 xmit rl0 out
00045      622       36670 deny ip from any to any recv rl0 xmit vlan4 out
00100        0           0 allow ip from any to any via lo0
00200        0           0 deny ip from any to 127.0.0.0/8
00300        0           0 deny ip from 127.0.0.0/8 to any
00400        0           0 allow tcp from any to 217.151.68.36 4322 in via age0
00410        0           0 allow tcp from 217.151.68.36 4322 to any out via age0 established
00420      836       63200 allow tcp from any to 172.22.1.1 4322 in via rl0
00430      592       77104 allow tcp from 172.22.1.1 4322 to any out via rl0 established
00470        6         360 allow tcp from any to 217.151.68.36 9797 in via age0
00480        6         240 allow tcp from 217.151.68.36 9797 to any out via age0 established
00481        0           0 allow tcp from any to 172.22.1.1 9797 in via rl0
00482        0           0 allow tcp from 172.22.1.1 9797 to any out via rl0 established
00500       89       13546 allow udp from any to 217.151.68.36 53 in via age0
00510        0           0 allow udp from 217.151.68.36 53 to any out via age0 established
00600     5068      385804 allow udp from any to 217.151.68.36 123 in via age0
00610        0           0 allow udp from 217.151.68.36 123 to any out via age0 established
00900 60539808 54744438714 allow ip from any to any via rl0
00903 18779104 13914469735 allow ip from any to any via vlan3
00904        0           0 allow ip from any to any via vlan4
01000 79036628 68520538306 nat 1 log ip from any to any via age0
65534        0           0 deny log ip from any to any
65535      505      555688 deny ip from any to any

tcpdump when trying to connect from the Internet:
Code:
root@router2_down:/home/ishayahu # tcpdump -i age0 -n -tttt port 9797
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on age0, link-type EN10MB (Ethernet), capture size 262144 bytes
2024-11-19 15:34:51.618865 IP 91.218.230.210.36534 > 217.151.68.36.9797: Flags [S], seq 258903990, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3052250922 ecr 0], length 0
2024-11-19 15:34:51.618880 IP 217.151.68.36.9797 > 91.218.230.210.36534: Flags [R.], seq 0, ack 258903991, win 0, length 0

What did I miss?

It looks like I don't need these rules:

Code:
$cmd add 470 allow tcp from any to $wan_ip 9797 in via $wan
$cmd add 480 allow tcp from $wan_ip 9797 to any out via $wan established
$cmd add 481 allow tcp from any to $lan_ip 9797 in via $lan
$cmd add 482 allow tcp from $lan_ip 9797 to any out via $lan established

As I understand it, with those rules packets to 9797 don't go to the NAT, but are handled by FreeBSD itself.
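The same redirect with the rule order fixed, as an added example that is not the poster's rc.firewall. It assumes the thread's interfaces and addresses, and the FreeBSD default net.inet.ip.fw.one_pass=1, under which a packet that matches the nat rule is accepted after translation, so no separate allow for the redirected port is needed; a stateless "allow ... 9797 in via age0" numbered below the nat rule accepts the SYN untranslated and the router's own stack answers it with the RST seen in the tcpdump.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: the ipfw nat redirect from
# the thread with the rule order fixed, written so it can be dry-run.
# Assumptions: the thread's interfaces/addresses, and the FreeBSD default
# net.inet.ip.fw.one_pass=1 (a packet matching the nat rule is accepted
# after translation, so no allow rule for the redirected port is needed).
wan="age0"; wan_ip="217.151.68.36"; lan="rl0"
cmd="${IPFW_CMD:-echo ipfw -q}"   # set IPFW_CMD="ipfw -q" to apply for real

# Emit the rules that matter for the redirect. ipfw tests an inbound packet
# against rules in number order. Services the router itself hosts (ssh on
# 4322) still belong before the nat rule; a redirected port must only be
# reached through the nat rule, otherwise the packet is accepted
# untranslated and the router's own stack answers it.
emit_rules() {
    $cmd nat 1 config log if $wan same_ports unreg_only reset \
        redirect_port tcp 172.22.26.1:9797 9797
    $cmd add 100 allow ip from any to any via lo0
    $cmd add 200 deny ip from any to 127.0.0.0/8
    $cmd add 300 deny ip from 127.0.0.0/8 to any
    $cmd add 400 allow tcp from any to $wan_ip 4322 in via $wan
    $cmd add 410 allow tcp from $wan_ip 4322 to any out via $wan established
    $cmd add 900 allow ip from any to any via $lan
    $cmd add 1000 nat 1 ip from any to any via $wan
    $cmd add 65534 deny log ip from any to any
}

# Check a dry-run ruleset (emit_rules output on stdin): exit 0 when every
# stateless WAN-side allow for the redirected port is numbered above the
# nat rule, 1 when one would shadow the redirect or no nat rule exists.
check_order() {
    awk -v port=9797 '
        $3 == "add" && $5 == "nat"   { nat = $4 + 0 }
        $3 == "add" && $5 == "allow" && $6 == "tcp" &&
            $0 ~ (" " port " in via ") { shadow[++k] = $4 + 0 }
        END {
            if (!nat) exit 1
            for (i = 1; i <= k; i++) if (shadow[i] < nat) exit 1
            exit 0
        }'
}
```

Source the file and run `emit_rules | check_order` to verify the ordering of the dry-run output; with IPFW_CMD="ipfw -q" emit_rules applies the rules on the router itself.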