#1
December 18th, 2008, 11:36 AM
anapsix (Junior Member, NETGEAR Newbie; Join Date: Dec 2008; Posts: 5)
Port Forwarding vs. ACL and opening ports in firewall

Hello everyone,

I've just got myself a WNR3500 router and am having some trouble understanding port forwarding from Netgear's perspective.
My brand new router has an interface similar to just about any other Netgear SOHO router, as far as I remember. So I believe this question is valid for many routers by Netgear.

What I can do:
Open a specific port (or ports) or port range(s) in the router's firewall, as well as configure port triggering (for which I haven't yet found a good use).
What I want to do:
I can't quite figure out how to forward external port XX to internal port YY.
Say I have a service running on port YY on a machine inside the network, but I want to connect to external port XX from outside and have my router forward the traffic to an arbitrary specified internal IP on port YY.
So why does Netgear call it port forwarding, if I cannot actually forward a port to another port, but can only open ports in the ACL?
#2
December 18th, 2008, 11:57 AM
nobel_nomar (Moderator, NETGEAR Addict; Join Date: Oct 2008; Location: CA, USA; Posts: 1,800)
Re: Port Forwarding vs. ACL and opening ports in firewall

I think you are confusing port forwarding with port translation.

I do not know of any SOHO routers that do port translation.

See here:
http://en.wikipedia.org/wiki/Port_address_translation
http://en.wikipedia.org/wiki/Port_forwarding
__________________
1-888-NETGEAR - (Phone Support)

"Apple's market share is bigger than BMW's or Mercedes's or Porsche's in the automotive market. What's wrong with being BMW or Mercedes?" -Steve Jobs

Network Cards/Adapters:
GA311, WNDA3100

Routers/APs/Switches:
DGDN3300, FVS114, GS108, WRT54GL (DD-WRT)

Comps:
MacBook C2D 2.0Ghz/3GB/250GB
Hackintosh C2D 2.4 GHz/4GB/700GB
iPhone 3G (16GB Black), Xbox 360, PS3
#3
December 18th, 2008, 12:24 PM
anapsix (Junior Member, NETGEAR Newbie; Join Date: Dec 2008; Posts: 5)
Re: Port Forwarding vs. ACL and opening ports in firewall

Hmm..
Quote from Wikipedia:
"[...]all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host[...]"
Although this definition does not directly refer to what I'm trying to accomplish, the PAT article you are referring to talks about different implementations and use cases of PAT. So my case falls under one specific use of PAT, I suppose.
Perhaps you're right, nobel_nomar. I'm taking it too literally. This is a consumer product after all.
I'm just really bummed out that I can't do what I want after spending a bunch of money on it. And from a code perspective I don't exactly see an issue that Netgear engineers couldn't resolve with relatively simple code changes.
Other major vendors' consumer-grade routers have the functionality I need, and they call it port forwarding...
#4
December 18th, 2008, 01:01 PM
nobel_nomar (Moderator, NETGEAR Addict; Join Date: Oct 2008; Location: CA, USA; Posts: 1,800)
Re: Port Forwarding vs. ACL and opening ports in firewall

Many of the limitations on home routers are artificial, yes. The goal of any company is to make money, NETGEAR included. Some prosafe routers might do this and I think a home class router with the DD-WRT firmware could do it as well.

EDIT: that was a long post to delete fordem
#5
December 18th, 2008, 06:51 PM
anapsix (Junior Member, NETGEAR Newbie; Join Date: Dec 2008; Posts: 5)
Re: Port Forwarding vs. ACL and opening ports in firewall

It's a pity, though..
Imho, companies make money by providing high-quality products with features that are valuable to users; by competing with other companies and being better; by being honest with their customers and listening to them..
I realize that this is a Netgear forum, but any Linksys or D-Link router can do this. D-Link calls it "Virtual Server" and it's available in their much less expensive devices. They [D-Link] even provide emulators for most of their router interfaces, so users can see exactly what features are available and how they are accessible via the provided interface.
Sorry, I feel that I'm kinda raising the tone of my voice.. I just feel I'm robbed of a feature which makes sense to include in a $150 flagship router..
While I understand what you are saying, I think it is not an excuse...
I'm going to try to return my WNR3500 (even if it will cost me some restocking fee) and buy myself a replacement.

Sorry Netgear.. I love you, but I'm gonna have to let you go.
#6
December 18th, 2008, 06:59 PM
jmizoguchi (Senior Member, NETGEAR Fanatic; Join Date: Feb 2007; Location: Kentucky, USA; Posts: 95,357)
Re: Port Forwarding vs. ACL and opening ports in firewall

Quote, originally posted by anapsix:
It's a pity, though..
Imho, companies make money by providing high-quality products with features that are valuable to users; by competing with other companies and being better; by being honest with their customers and listening to them..
I realize that this is a Netgear forum, but any Linksys or D-Link router can do this. D-Link calls it "Virtual Server" and it's available in their much less expensive devices. They [D-Link] even provide emulators for most of their router interfaces, so users can see exactly what features are available and how they are accessible via the provided interface.
Sorry, I feel that I'm kinda raising the tone of my voice.. I just feel I'm robbed of a feature which makes sense to include in a $150 flagship router..
While I understand what you are saying, I think it is not an excuse...
I'm going to try to return my WNR3500 (even if it will cost me some restocking fee) and buy myself a replacement.

Sorry Netgear.. I love you, but I'm gonna have to let you go.
(end quote)

There is one:

http://interface.netgear-forum.com/

Netgear made the decision that home-end routers and ProSafe routers have different ways of offering the options. Whether that is a good or bad thing is what the company sees as most beneficial to them.

There are so many companies doing different features, etc.

The given URL is not easily available here. Most manuals can tell you what you can and cannot do over the virtual interfaces D-Link does. I have used them before and some demos are nice.
__________________
VPN Case Study (www.vpncasestudy.com)
Our Second To None VPN Related Setup Case Study
"One Stop Solution To Your Netgear VPN Connectivity"
*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

Most Other Useful Docs -"General Technical Documentation", "Router Reset", "Router Setup", "Print Server Tips", "Remote Admin"
"Wireless Tips"


Forum Policy

June Mizoguchi-i....@vpncasestudy.com
#7
December 18th, 2008, 07:42 PM
anapsix (Junior Member, NETGEAR Newbie; Join Date: Dec 2008; Posts: 5)
Re: Port Forwarding vs. ACL and opening ports in firewall

Thanks June, I wouldn't have found those Netgear emulators myself easily..
Unfortunately, either way I won't be able to get what I want from any Netgear consumer-grade router, and I really don't feel like buying an expensive ProSafe router.
Again, the cheapest D-Link routers can do "that", like the DI-514 or DI-524, both of which are in the $20 range; and Linksys routers similar to the WNR3500 allow you to specify an external port and an internal port for port forwarding.
Whether it's good or bad that Netgear decided not to include this feature, everyone will decide on their own..
You know what I already think..
Cheers!
#8
December 18th, 2008, 07:57 PM
jmizoguchi (Senior Member, NETGEAR Fanatic; Join Date: Feb 2007; Location: Kentucky, USA; Posts: 95,357)
Re: Port Forwarding vs. ACL and opening ports in firewall

You gain some, you lose some.

Look at other big enterprise routers... you have to have a service contract to even get firmware. Every company has its own way to control its products.

Port translation is a very common issue; I've seen it posted once every two weeks or so. Not so many, but the feature probably could be an add-on.

DD-WRT is also a good place to look for alternative firmware, which may work out for you.
#9
December 18th, 2008, 11:03 PM
Mars Mug (Moderator, NETGEAR Fanatic; Join Date: Nov 2006; Location: Stevenage UK; Posts: 12,456)
Re: Port Forwarding vs. ACL and opening ports in firewall

The issue of port translation has come up a few times here, and there are some home routers that do support PAT, though I can't remember specific models right now; just Google '<manufacturer's name> PAT'.
__________________
I don't work for Netgear.

My name is Andy.
#10
December 8th, 2010, 12:31 PM
Secretariat (Junior Member, NETGEAR Newbie; Join Date: Dec 2010; Posts: 6)
Re: Port Forwarding vs. ACL and opening ports in firewall

We encountered this issue when upgrading from another manufacturer's 802.11 b router to the Netgear WGR614 v10.

Our network is a mixture of Windows and Linux based machines. This configuration relies heavily on "port address translation" to direct traffic to the proper machine and port from LAN as well as WAN based sources.

Fortunately, each of the services requiring remote access resides on a machine running under Linux.

Discovering this issue AFTER the successful installation of the Netgear WGR614, we were initially quite frustrated. The router being replaced offered Port Address Translation within the configuration menu.

There is, however, a 'silver lining' - which is quite easily implemented through the following steps:


[I began with creating a remote access path to an Apache based ancillary web service running under CentOS 5]

01) Via the router's Internet access utility, I called up the Port Forwarding /Port Triggering Menu, then selected "Port Forwarding" as the Service Type

02) I then created a "Custom Service" for the ancillary web server, being very careful to use a port number different from that assigned to the primary web server on the network.

03) After connecting with the host server, I then modified the configuration file for the ancillary web server (/etc/httpd/conf/httpd.conf), changing the (Listen) port value to equal that created in step 02) above.

04) After restarting the Apache service, I was able to successfully log into the ancillary web server from the web [i.e. http://www.hostmachine:PortID]


ISSUE ONE - RESOLVED


[I then addressed the issue of remote login to a server, also running under CentOS 5]

05) Via the router's Internet access utility, I once again called up the Port Forwarding /Port Triggering Menu, then selected "Port Forwarding" as the Service Type

06) I created a "Custom Service" for remote access into the host server. As Port 22 (SSH - The Secure Shell) has already been assigned to another machine within the Local Area Network, I created an alias of "Port 99"

07) I then connected with the target server, and edited /etc/sysconfig/iptables.rules - making sure that there were entries for both ports 22 and 99

08) After saving the iptables.rules file, I executed the following commands from the command line:

/sbin/iptables-restore < /etc/sysconfig/iptables.rules

This uploads the modified configuration into the active firewall


service iptables save

This saves the active firewall rules to /etc/sysconfig/iptables


09) I then added the following command, also from the command line

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 99 -j REDIRECT --to-port 22

This adds the redirection information, sending traffic arriving on port 99 to port 22. Note: modify the "eth0" value as necessary to address the correct interface (i.e. eth0, eth1, eth2, etc.).


/sbin/iptables-save > /etc/sysconfig/iptables.rules

This saves the now modified active configuration into /etc/sysconfig/iptables.rules


service iptables save

This saves the active firewall rules to /etc/sysconfig/iptables


10) I was then able to remotely log into the server via a remote connection (i.e. Port 99 redirected to Port 22)


ISSUE TWO - RESOLVED


Steps 05 to 10 were then replicated on our remaining servers, being careful to assign unique port numbers via the router's "Custom Service" utility.


CASE CLOSED!


We are VERY satisfied with this solution. By letting Linux do the Port Address Translation on each individual server, we are lowering the workload on the router (thus, potentially increasing the WGR614's throughput potential). Our technical consultants also like this approach from a security standpoint.

IMHO, there is absolutely NO need to spend additional resources on a more sophisticated router.



Resources:

Linux Home Networking: Chapter 14 - Linux Firewalls using iptables
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

Slicehost Forum: IPTables redirect Port 80 to 8080
http://forum.slicehost.com/comments....cussionID=2497

LinuxQuestions.org: iptables-restore v.1.2.11:Line 68 seems to have a -t table option [these notes worked me around a major 'operator' error]
http://www.linuxquestions.org/questions/linux-networking-3/iptables-restore-v1-2-11-line-68-seems-to-have-a-t-table-option-401268/

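The per-server redirect in steps 06 to 09 above is typed by hand in the post; the POSIX shell helper below is an added example (not from the post or from Netgear) that validates the interface name and both port numbers before it prints the two iptables commands, and can apply them or dry-run them. The interface name eth0, TCP only, and the "-m state --state NEW" match on the filter rule are assumptions. One point the helper's comments make explicit: the nat PREROUTING chain runs before the filter INPUT chain, so INPUT only ever sees the internal port (22 in the post's case); an INPUT entry for the external port 99 does not match the redirected traffic.

```shell
#!/bin/sh
# Added example (not from the post): build the iptables commands for a
# per-server port redirect after checking the inputs, so a typo such as
# "--dport99" or an out-of-range port never reaches the firewall.
# Assumed: interface "eth0" as in the post, TCP only, and the
# "-m state --state NEW" match for the filter rule.

# is_port NUM: succeed when NUM is an integer between 1 and 65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_iface NAME: succeed for a plausible Linux interface name (eth0, eth1, ...)
# Rejects spaces and shell metacharacters, so the name is safe to splice
# into a command line.
is_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# redirect_rules IFACE EXT_PORT INT_PORT
# Print two commands that map TCP EXT_PORT arriving on IFACE to local INT_PORT:
#   1. nat/PREROUTING REDIRECT, which rewrites the destination port
#   2. filter/INPUT ACCEPT for INT_PORT on IFACE
# The nat table is consulted before filter/INPUT, so INPUT only ever sees
# INT_PORT; an INPUT rule for EXT_PORT would match none of the redirected
# packets. Returns 2 and prints nothing when an argument is invalid.
redirect_rules() {
    iface=$1; ext=$2; int=$3
    is_iface "$iface" && is_port "$ext" && is_port "$int" || return 2
    [ "$ext" -ne "$int" ] || return 2
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $ext -j REDIRECT --to-port $int" \
      "iptables -A INPUT -i $iface -p tcp --dport $int -m state --state NEW -j ACCEPT"
}

# apply_redirect_rules IFACE EXT_PORT INT_PORT
# Run the generated commands (needs root); with DRY_RUN set, only print them.
apply_redirect_rules() {
    rules=$(redirect_rules "$@") || { echo "invalid interface or port" >&2; return 2; }
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
    done
}

# Usage: the post's case, external port 99 on eth0 redirected to sshd on 22.
# Dry run by default; unset DRY_RUN and run as root to apply, then persist
# with "service iptables save" as the post does.
DRY_RUN=1
apply_redirect_rules eth0 99 22
```

Nothing here replaces the router-side "Custom Service" entry from step 06; the router still has to forward the external port to the host before the host's own PREROUTING rule can redirect it.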