Solpak (United Kingdom) asked:
Problem Using NAT and Port Forwarding on a Draytek Vigor 3900

We have a client who has just had a BTNet leased line installed.
They have 8 static (5 usable) IP addresses on the line (/29 subnet) assigned. Let's say this is 122.122.122.0/29.
We have configured the WAN1 of the Draytek with this range and configured the WAN IP address as 122.122.122.2, subnet 255.255.255.248 and its gateway to point to 122.122.122.1.

Connected a PC to the LAN1 and LAN2 ports on the Draytek, which allows us to access the Internet OK - all works OK from LAN to WAN.

We are now trying to port forward specific ports (let's say 22 and 23 - SSH and Telnet) on the next usable IP address (122.122.122.3) through to a device on LAN2 which has been configured on a different LAN/local subnet (192.168.2.0/24). The device is on an IP address of 192.168.2.2; the LAN2 IP on the Draytek is 192.168.2.1.

The Draytek can ping to the device with an IP of 192.168.2.2 but we cannot seem to get the NAT/Port forwarding to work correctly.

We have tried using One to One NAT for this solution along with a Firewall rule to allow WAN to LAN2 traffic for these ports. Logging (SYSLOG) is turned on for this rule but no traffic is ever reaching the firewall rule as no logs are produced.

To see if we had set something up wrong we have also tried port forwarding these ports on the first WAN1 IP address of, say, 122.122.122.2, but again nothing is logged with SYSLOG.

This is the first time we have tried configuring a Draytek; we usually use Zyxel firewalls without any issues, so I was wondering if someone could explain where we might be going wrong.
Like, should it be One to One NAT or should it be Range to One NAT rules, etc.?

Any help gratefully accepted.
hypercube (United States):

You don't really say what you're trying to accomplish.

You probably know that simple port forwarding starts with a port being addressed on the WAN side.
Then, port forwarding generally will translate that port number to perhaps a different port number attached to a LAN device address.
e.g.
122.122.122.2:99 forwarded to 192.168.2.2:109
and, that's all there is to it.
Of course, this limits the use of port 99 from the outside to accessing 192.168.2.2 on port 109.
If you want to do something different, then what is it?

I would not suggest using more sophisticated approaches unless NEEDED.
noci:

You are aware that ports 22 & 23 are assigned to some default services on the Draytek itself?
You may need to change the management access port on the Draytek itself before using port forwarding.

Then on port 23..., there is no more use for that port in practice, and DEFINITELY not on the internet.
All data is passed transparently, including passwords etc. There is no trouble listening in on the line and then using it for less noble access...
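The two points above (a forward is just a WAN ip:port to LAN ip:port mapping, and the router's own management listeners must be moved off those ports first) can be checked before touching the router. The following is an added example, not code from the thread or from Draytek: it validates candidate forwards against the /29 described in the question, the gateway/router addresses, an assumed set of ports the router still listens on itself, and flags cleartext telnet exposure.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the question: the /29 block, the ISP gateway, the Draytek's
# own WAN address, and the LAN2 subnet that the target device lives on.
WAN_BLOCK = ipaddress.ip_network("122.122.122.0/29")
GATEWAY = ipaddress.ip_address("122.122.122.1")
ROUTER_WAN = ipaddress.ip_address("122.122.122.2")
LAN_SUBNETS = [ipaddress.ip_network("192.168.2.0/24")]

# Assumption for the example: ports the router's own management / remote-access
# services are still bound to. Populate this from the real device's settings.
MANAGEMENT_PORTS = {22, 23, 443}
CLEARTEXT_PORTS = {23: "telnet"}


@dataclass(frozen=True)
class Forward:
    wan_ip: str
    wan_port: int
    lan_ip: str
    lan_port: int


def check_forward(rule: Forward) -> list:
    """Return a list of findings for one WAN ip:port -> LAN ip:port rule.

    An empty list means the rule is at least internally consistent; it does
    not prove the firewall policy on the router allows the traffic.
    """
    findings = []
    wan = ipaddress.ip_address(rule.wan_ip)
    lan = ipaddress.ip_address(rule.lan_ip)

    # The public side must be one of the usable addresses in the assigned block.
    if wan not in WAN_BLOCK:
        findings.append(f"{wan} is outside the assigned block {WAN_BLOCK}")
    elif wan in (WAN_BLOCK.network_address, WAN_BLOCK.broadcast_address, GATEWAY):
        findings.append(f"{wan} is network/broadcast/gateway, not a usable host address")

    # A forward on a port the router itself still listens on never reaches the LAN.
    if rule.wan_port in MANAGEMENT_PORTS:
        findings.append(f"WAN port {rule.wan_port} is still bound by a router management service; move it first")

    # The inside address has to sit on a LAN the router actually has configured.
    if not any(lan in net for net in LAN_SUBNETS):
        findings.append(f"{lan} is not in any configured LAN subnet")

    # Cleartext management protocols should not be reachable from the internet.
    if rule.lan_port in CLEARTEXT_PORTS:
        findings.append(f"{CLEARTEXT_PORTS[rule.lan_port]} sends credentials in cleartext; do not expose it")
    return findings
```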
Solpak (asker):
Thanks Fred and Noci for your comments/assistance

Update on where we are at.

Ports 22 and 23 had already been changed on the management configuration to other port numbers on the Draytek

These ports needed to pass through so a third party could configure their device.

We were really struggling to get ports 22/23 to pass through/respond to the CISCO device behind the firewall, therefore we put a managed switch in place of the CISCO device to see if we could get port 443 passing through.

This did work, which makes me think the CISCO box is not responding correctly to the ports 22/23 requests. We are still waiting for the third party to test again after putting the CISCO box back in place.