The address in your nat source ... translation field, is that the same address that's configured on your ethernet interface? (It's hard to tell because you've blanked out all octets of the address.)
If that's the case you should use ... translation address masquerade instead to make it function properly.
The syntax you are using is meant to be used when packets are routed into your device using other addresses than the interface address.
Also, on the incoming side (destination NAT), you only need this part if you have services on your inside LAN that you are going to expose to the internet. For normal outbound NAT this is not needed. When you use the interface address you don't need to specify a destination address, but you will need to specify the ports that need to be forwarded.
Hello, @facsi!
You don’t have the firewall rule to allow returning traffic from the internet to your intranet hosts. So requests from 192.168.5.67 are going to the Internet, but firewall blocks responses.
Hi @zsdc, actually I already configured the firewall, take a look at firewall name 'from-internet'. I believe rule 1 is allowing http or https to go through to the client. And it is implemented on eth0.
If the config is wrong, please let me know how it should be…
then accept packet.
And this rule is applied for incoming traffic on uplink interface.
So, for example, when 192.168.5.67 is trying to connect to any HTTPS server:
they are sending a request from one of the high-numbered TCP ports, let's assume that this is 45000, to remote port 443. This is allowed, because you have not configured filtering for outgoing traffic from the intranet.
When the remote host receives the request, it sends the answer by TCP from port 443 to port 45000.
When this packet is received by your router, the router uses the 1st firewall rule for checking. The IP part of the check will be passed. But, because you allow only traffic to ports 80, 443, 4443, and this answer has src port 443 and dst port 45000, it will be blocked by the firewall.
Your current ruleset looks more like one that can be used if you want to host websites on an address in the "live" group.
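To make the difference concrete, here is an added simulation (not from the thread or from VyOS) of the exchange zsdc describes: a port-only inbound rule drops the server's reply to the ephemeral port, while a filter that tracks the outbound flow treats the reply as established and lets it through. The server address and the conntrack logic are assumptions for illustration; the source NAT translation step is left out since it does not change the port comparison.

```python
from dataclasses import dataclass

# Constructed sample traffic for the exchange described in the thread:
# intranet host 192.168.5.67 talks to an HTTPS server on the Internet.
INTRANET_HOST = "192.168.5.67"
REMOTE_SERVER = "203.0.113.10"  # assumption: documentation address standing in for any HTTPS server

ALLOWED_DST_PORTS = {80, 443, 4443}  # the only ports rule 1 accepts on the uplink


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True = arrives on the uplink from the Internet


def stateless_inbound_allowed(pkt: Packet) -> bool:
    """Rule 1 as posted: accept inbound TCP only by destination port."""
    return pkt.dst_port in ALLOWED_DST_PORTS


class StatefulFilter:
    """Minimal connection tracking: replies to flows we saw leaving are accepted."""

    def __init__(self) -> None:
        self.conntrack = set()  # (src_ip, src_port, dst_ip, dst_port) of outbound flows

    def allowed(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # No outbound filtering in the original config; just record the flow.
            self.conntrack.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound packet whose reverse tuple is tracked is an "established" reply.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.conntrack:
            return True
        # New inbound connections are still subject to the port rule.
        return stateless_inbound_allowed(pkt)


def run_exchange() -> dict:
    request = Packet(INTRANET_HOST, 45000, REMOTE_SERVER, 443, inbound=False)
    reply = Packet(REMOTE_SERVER, 443, INTRANET_HOST, 45000, inbound=True)
    unsolicited = Packet(REMOTE_SERVER, 50000, INTRANET_HOST, 22, inbound=True)
    stateful = StatefulFilter()
    stateful.allowed(request)  # outbound SYN creates the conntrack entry
    return {
        "stateless_reply_allowed": stateless_inbound_allowed(reply),  # False
        "stateful_reply_allowed": stateful.allowed(reply),            # True
        "stateful_unsolicited_allowed": stateful.allowed(unsolicited),  # False
    }
```

In VyOS terms the fix is a rule on the uplink that matches established/related state ahead of the port-specific rules.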