#1
Hello everyone,
I've just got myself a WNR3500 router and am having some trouble understanding port forwarding from Netgear's perspective. My brand new router has an interface similar to just about any other Netgear SOHO router, as far as I remember. So I believe this question is valid for many routers by Netgear.

What I can do: Open a specific port(s) or port range(s) in the router's firewall, as well as configure port triggering (for which I haven't yet found a good use).

What I want to do: I can't quite figure out how to forward external port XX to internal port YY.

So, why does Netgear call it port forwarding, if I cannot actually forward a port to another port, but can only open ports in the ACL?
#2
I think you are confusing port forwarding with port translation.
I do not know of any SOHO routers that do port translation. See here: http://en.wikipedia.org/wiki/Port_address_translation http://en.wikipedia.org/wiki/Port_forwarding
__________________
1-888-NETGEAR - (Phone Support) "Apple's market share is bigger than BMW's or Mercedes's or Porsche's in the automotive market. What's wrong with being BMW or Mercedes?" -Steve Jobs Network Cards/Adapters: GA311, WNDA3100 Routers/APs/Switches: DGDN3300, FVS114, GS108, WRT54GL (DD-WRT) Comps: MacBook C2D 2.0Ghz/3GB/250GB Hackintosh C2D 2.4 GHz/4GB/700GB iPhone 3G (16GB Black), Xbox 360, PS3 |
#3
Hmm..
Quote from Wikipedia: "[...]all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host[...]"

Although this definition does not directly refer to what I'm trying to accomplish, the PAT article you are referring to talks about different implementations and use cases of PAT. So my case falls under one specific use of PAT, I suppose. Perhaps you're right, nobel_nomar. I'm taking it too literally. This is a consumer product after all. I'm just really bummed out I can't do what I want after spending a bunch of money on it. And from a code perspective I don't exactly see an issue that Netgear engineers couldn't resolve with relatively simple code changes. Other major vendors' consumer-grade routers have the functionality I need and they call it port forwarding...
#4
Many of the limitations on home routers are artificial, yes. The goal of any company is to make money, NETGEAR included. Some prosafe routers might do this and I think a home class router with the DD-WRT firmware could do it as well.
EDIT: that was a long post to delete fordem
#5
It's a pity, though..
Imho, companies make money by providing high quality products with features that are valuable to users; by competing with other companies and being better; by being honest with their customers and listening to them.. I realize that this is a Netgear forum, but any Linksys or D-Link router can do this. D-Link calls it "Virtual Server" and it's available in their much less expensive devices. They [D-Link] even provide emulators for most of their router interfaces, so users can see exactly what features are available and how they are accessible via the provided interface. Sorry, I feel that I'm kinda raising the tone of my voice.. I just feel I'm robbed of a feature which makes sense to include in a $150 flagship router.. While I understand what you are saying, I think it is not an excuse... I'm going to try to return my WNR3500 (even if it will cost me some restocking fee) and buy myself a replacement. Sorry Netgear.. I love you, but I'm gonna have to let you go.
#6
Quote:
http://interface.netgear-forum.com/ netgear made decision of home end router and prosafe router has different way to offer the options. whether that is good or bad thing is what company sees as most benefit to them. There are so many company does different feature etc. given URL is not easy available to here is. Most manual can tell you what you can do and not over virtual interfaces dlink does. I have used before and some demo are nice
__________________
VPN Case Study (www.vpncasestudy.com) Our Second To None VPN Related Setup Case Study "One Stop Solution To Your Netgear VPN Connectivity" *Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support] Most Other Useful Docs -"General Technical Documentation", "Router Reset", "Router Setup", "Print Server Tips", "Remote Admin" "Wireless Tips" Forum Policy June Mizoguchi-i....@vpncasestudy.com |
#7
Thanks June, I wouldn't have found those Netgear emulators myself easily..
Unfortunately, either way I won't be able to get what I want from any Netgear consumer grade router and I really don't feel like buying an expensive ProSafe router. Again, the cheapest D-Link routers can do "that", like the DI-514 or DI-524, both of which are in the $20 range; or Linksys routers similar to the WNR3500 allow you to specify an external port and internal port for port forwarding. Whether it's good or bad that Netgear decided not to include this feature, everyone will decide on their own.. You know what I already think.. Cheers!
#8
You gain some, you lose some.
Look at other big enterprise routers... you have to have a service contract to even get firmware too. Every company has its own way to control the products. Port translation is a very common issue I've seen posted once every two weeks or so. Not so many, but the feature probably could be an add-on. DD-WRT is also a good place for alternative firmware which may work out for you.
#9
The issue of port translation has come up a few times here and there are some home routers that do support PAT though I can’t remember specific models right now, just Google a ‘manufacturers name PAT’
__________________
I don't work for Netgear. My name is Andy. |
#10
We encountered this issue when upgrading from another manufacturer's 802.11b router to the Netgear WGR614 v10.

Our network is a mixture of Windows and Linux based machines. This configuration relies heavily on "port address translation" to direct traffic to the proper machine and port from LAN as well as WAN based sources. Fortunately, each of the services requiring remote access resides on a machine running under Linux.

Discovering this issue AFTER the successful installation of the Netgear WGR614, we were initially quite frustrated. The router being replaced offered Port Address Translation within the configuration menu. There is, however, a 'silver lining' - which is quite easily implemented through the following steps:

[I began with creating a remote access path to an Apache based ancillary web service running under CentOS 5]

01) Via the router's Internet access utility, I called up the Port Forwarding / Port Triggering Menu, then selected "Port Forwarding" as the Service Type.

02) I then created a "Custom Service" for the ancillary web server, being very careful to use a port number different from that assigned to the primary web server on the network.

03) After connecting with the host server, I then modified the configuration file for the ancillary web server (/etc/httpd/conf/httpd.conf), changing the (Listen) port value to equal that created in step 02) above.

04) After restarting the Apache service, I was able to successfully log into the ancillary web server from the web [i.e. http://www.hostmachine:PortID]

ISSUE ONE - RESOLVED

[I then addressed the issue of remote login to a server, also running under CentOS 5]

05) Via the router's Internet access utility, I once again called up the Port Forwarding / Port Triggering Menu, then selected "Port Forwarding" as the Service Type.

06) I created a "Custom Service" for remote access into the host server. As Port 22 (SSH - The Secure Shell) has already been assigned to another machine within the Local Area Network, I created an alias of "Port 99".

07) I then connected with the target server, and edited /etc/sysconfig/iptables.rules - making sure that there were entries for both ports 22 and 99.

08) After saving the iptables.rules file, I executed the following commands from the command line:

    /sbin/iptables-restore < /etc/sysconfig/iptables.rules

This uploads the modified configuration into the active firewall service.

    service iptables save

This saves the active firewall rules to /etc/sysconfig/iptables.

09) I then added the following command, also from the command line:

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 99 -j REDIRECT --to-ports 22

This adds the redirection information - sending traffic from port 99 to port 22. Note: modify the "eth0" value as necessary, to address the correct interface (i.e. eth0, eth1, eth2, etc.).

    /sbin/iptables-save > /etc/sysconfig/iptables.rules

This saves the now modified active configuration into /etc/sysconfig/iptables.rules.

    service iptables save

This saves the active firewall rules to /etc/sysconfig/iptables.

10) I was then able to remotely log into the server via a remote connection (i.e. Port 99 redirected to Port 22).

ISSUE TWO - RESOLVED

Steps 05 to 10 were then replicated on our remaining servers, being careful to assign unique port numbers via the router's "Custom Service" utility.

CASE CLOSED!

We are VERY satisfied with this solution. By letting Linux do the Port Address Translation on each individual server, we are lowering the workload on the router (thus, potentially increasing the WGR614's throughput potential). Our technical consultants also like this approach from a security standpoint. IMHO, there is absolutely NO need to spend additional resources on a more sophisticated router.

Resources:

Linux Home Networking: Chapter 14 - Linux Firewalls using iptables
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

Slicehost Forum: IPTables redirect Port 80 to 8080
http://forum.slicehost.com/comments....cussionID=2497

LinuxQuestions.org: iptables-restore v.1.2.11: Line 68 seems to have a -t table option [these notes worked me around a major 'operator' error]
http://www.linuxquestions.org/questions/linux-networking-3/iptables-restore-v1-2-11-line-68-seems-to-have-a-t-table-option-401268/
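A check for the host-side redirect described in post #10, added here as an example and not part of the original post: it reads a ruleset in iptables-save format, lists every nat REDIRECT mapping, and reports whether the filter INPUT chain accepts the local port the traffic ends up on. The sample ruleset, the 8022/2222 mapping and the function name audit_redirects are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the thread's servers).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 99 -j REDIRECT --to-ports 22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8022 -j REDIRECT --to-ports 2222
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 99 -j ACCEPT
COMMIT'

# audit_redirects (hypothetical helper): reads iptables-save text on stdin and
# prints "<external port> -> <local port> OK|BLOCKED" for each REDIRECT rule.
# nat PREROUTING runs before filter INPUT, so INPUT sees the rewritten port:
# the ACCEPT that matters is the one for the local port, not the external one.
audit_redirects() {
    awk '
    # Return the argument that follows option "name" on the current line.
    function opt(name,   i) {
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($0, 2) }                    # "*nat", "*filter", ...
    table == "nat" && /-j REDIRECT/ {
        n++; ext[n] = opt("--dport"); loc[n] = opt("--to-ports")
    }
    table == "filter" && /^:INPUT ACCEPT/ { open = 1 }  # default-accept policy
    table == "filter" && /^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
        p = opt("--dport"); if (p != "") accepted[p] = 1
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s -> %s %s\n", ext[i], loc[i],
                   ((open || (loc[i] in accepted)) ? "OK" : "BLOCKED")
    }'
}

# Run against the constructed sample; on a live host, pipe in the saved rules file.
printf '%s\n' "$SAMPLE_RULES" | audit_redirects
```

In the sample, the 8022 mapping is reported as BLOCKED because nothing in INPUT accepts port 2222, while the ACCEPT for port 99 plays no part in the 99 -> 22 result.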