Posted: Fri May 19, 2017 18:14 Post subject: Port Forwarding only works on certain types of connections
Update 5/22
If I ssh into the router and try to access the forwarded ports using the full domain name, I get "Connection refused". But if I try to access those same ports from the system inside the network from which I ssh'd into the router, the connection goes through.
Anyone have any ideas?
I have a Netgear R6700 running DD-WRT v3.0-r31722 (03/21/17).
I have my own mail server running on a Synology NAS. I have opened up SMTP, IMAP, and POP3 through the router and as long as I am in my home, using a device (laptop, tablet, handheld, desktop) that is connected via my internal network, either direct or wifi, everything forwards fine. I'm able to resolve and connect to my external fully qualified domain name (via DynDNS) from these devices, being forwarded to my mail server.
However, if I disable wifi on my handheld/tablet and rely solely on cellular (using the exact same mail settings), the connection does not get forwarded and I can't retrieve my mail.
Hi EGC, thanks for the reply. I checked with my ISP and they don't block anything. Plus, if I use my fully qualified domain name from inside my network, I'm using DynDNS to resolve my external IPA and domain name, it works fine, even stating the external IPA that its attempting to access. Its just simple mail, POP3, SMTP, and IMAP that I'm attempting to contact, so the ports aren't anything special. I've turned on logging but port accesses and denials don't seem to be logged. I must have configured something wrong in the router, but I can't think of anything I haven't looked at.
Any suggestions on what to try?
Thanks!
I did a couple tests to try out your thought. I disabled all firewalls on the NAS, no change. I then disabled the forward for one of the ports and tried to access it from my internal network (using the fully qualified, external domain name). I received the same connection refused error that I get from a device not directly connected to the internal network. Once I re-enabled the forwarded port, I was able to access the device.
As far as the NAS is concerned, the request is coming from my router, 192.168.1.1, whether I'm connected internally or not, since in all cases I'm using the fully qualified domain name, which DynDNS resolves properly in either case. So the router thinks the request is coming from outside, no matter how the device is connected.
Its VERY weird and I'm out of ideas.
Is there a log on the router that I'm unaware of that would show this activity?
Last edited by mburgoon on Sat May 27, 2017 16:40; edited 1 time in total
Joined: 13 Aug 2013 Posts: 6867 Location: Romerike, Norway
Posted: Sat May 27, 2017 16:28 Post subject:
mburgoon wrote:
I did a couple tests to try out your thought. I disabled all firewalls on the NAS, no change. I then disabled the forward for one of the ports and tried to access it from my internal network (using the fully qualified, external domain name). I received the same connection refused error that I get from a device not directly connected to the internal network. Once I re-enabled the forwarded port, I was able to access the device.
Are you describing what is called "NAT Loopback"? Connections from the lan is sent to the wan interface and then NAT'ed and sent back to the lan. A better approach here is to use a local dns that resolves the FQN to the private ip on the lan, while the public dns resolves to the Public ip for external clients.
mburgoon wrote:
As far as the NAS is concerned, the request is coming from my router, 192.168.1.1, whether I'm connected internally or not
This is not true. Only the destination address is replaced to the private address of the NAS. The NAS will se the public address of the source device.
mburgoon wrote:
As far as the NAS is concerned, the request is coming from my router, 192.168.1.1, whether I'm connected internally or not
"This is not true. Only the destination address is replaced to the private address of the NAS. The NAS will se the public address of the source device."
I got to thinking about this and realized you are correct, how else would the NAS know were to send the reply?
I removed the source IP from the rules and that did the trick. The router allows the connection to be forwarded from anywhere now, not just internal addresses.
