Firewall rules w/ NAT


#1

Hello,

I’ll add as much info as I can here.

I am running Ubiquiti AirControl on a VM using a bridged adapter at 192.168.5.56
My VyOS box is a PPPoE client to the network where the Ubiquiti devices in question are located
The VyOS WAN address is 172.21.153.4

AirControl has found all the devices in the remote network, and I have been able to do mass firmware updates no problem.
However, to make mass configuration changes, I need to enable monitoring in AirControl. When I do this, it fails and gives me the error “Device cannot reach server via http://192.156.5.56:9081/AC2/report”.

The device in question is a Ubiquiti Rocket at 192.168.1.211. The Rocket can ping the VyOS WAN address; however, a wget http://192.156.5.56:9081/AC2/report will time out.

I have tried every permutation of rules and NAT with no luck.

Is there a better way to read firewall logs? When I do “show log firewall WAN_IN” it has the exact same content as “show log firewall LAN_OUT” and “show log firewall WAN_LOCAL”.

The relevant rules/NAT I have added are below:
set firewall name WAN_LOCAL default-action 'drop'
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL 'enable-default-log'
set firewall name WAN_LOCAL rule 5 action 'accept'
set firewall name WAN_LOCAL rule 5 description 'allow ping wan'
set firewall name WAN_LOCAL rule 5 icmp type '8'
set firewall name WAN_LOCAL rule 5 protocol 'icmp'
set firewall name WAN_LOCAL rule 6 action 'accept'
set firewall name WAN_LOCAL rule 6 source address '192.168.1.211'
set firewall name WAN_LOCAL rule 10 action 'accept'
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established 'enable'
set firewall name WAN_LOCAL rule 10 state related 'enable'
set firewall name WAN_LOCAL rule 20 action 'drop'
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid 'enable'

set nat destination rule 200 destination port '1-65535' <-- I tried using singular ports, both 9081 and the random port listed in the log entry
set nat destination rule 200 inbound-interface 'pppoe0'
set nat destination rule 200 protocol 'tcp'
set nat destination rule 200 translation address '192.168.5.56'
set nat destination rule 200 translation port '9081'

Log entries:
May 5 21:03:57 VyOS01-KITS kernel: [20037.803663] [WAN_IN-default-D]IN=pppoe0 OUT=eth1 MAC= SRC=192.168.1.211 DST=192.168.5.56 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=49312 DF PROTO=TCP SPT=38738 DPT=9081 WINDOW=5840 RES=0x00 SYN URGP=0
May 5 21:04:00 VyOS01-KITS kernel: [20040.792787] [WAN_IN-default-D]IN=pppoe0 OUT=eth1 MAC= SRC=192.168.1.211 DST=192.168.5.56 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=49313 DF PROTO=TCP SPT=38738 DPT=9081 WINDOW=5840 RES=0x00 SYN URGP=0

The log entries all appear the same so it isn’t clear which rule is stopping the connection.

nmap shows that the port I am trying to forward is not open when testing the WAN IP address; scanning the AirControl server address from my VM host shows the port as open.

Please let me know if you need any more info.

Thanks
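On the question of reading the firewall logs: an added example (not code from the thread or from VyOS) that parses kernel log lines of the shape quoted above, extracts the ruleset, rule and action from the `[WAN_IN-default-D]` tag, and reports whether the packet's DST was already the NAT target when it was filtered. The first sample line is the one from the post; the second is constructed, and its `[WAN_LOCAL-5-A]` tag assumes VyOS tags non-default rules as `[<ruleset>-<rule number>-<A|D|R>]`.

```python
import re
from typing import Optional

# Constructed sample in the shape of the VyOS kernel log lines quoted in the post.
# Line 1 is the drop from the post; line 2 (an accepted ping) is made up and assumes
# the tag form [<ruleset>-<rule number>-<A|D|R>] for non-default rules.
SAMPLE_LOG = """\
May 5 21:03:57 VyOS01-KITS kernel: [20037.803663] [WAN_IN-default-D]IN=pppoe0 OUT=eth1 MAC= SRC=192.168.1.211 DST=192.168.5.56 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=49312 DF PROTO=TCP SPT=38738 DPT=9081 WINDOW=5840 RES=0x00 SYN URGP=0
May 5 21:04:00 VyOS01-KITS kernel: [20040.792787] [WAN_LOCAL-5-A]IN=pppoe0 OUT= MAC= SRC=192.168.1.211 DST=172.21.153.4 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=1 DF PROTO=ICMP TYPE=8 CODE=0
"""

# [<ruleset>-<rule|default>-<action letter>] as VyOS prefixes its iptables log messages.
TAG_RE = re.compile(r"\[(?P<ruleset>[A-Za-z0-9_-]+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\]")
KV_RE = re.compile(r"(\w+)=(\S*)")   # IN=pppoe0 OUT=eth1 MAC= SRC=... (empty values allowed)
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}


def parse_line(line: str) -> Optional[dict]:
    """Return ruleset/rule/action plus the packet fields, or None for a non-firewall line."""
    m = TAG_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line[m.end():]))
    return {
        "ruleset": m["ruleset"], "rule": m["rule"], "action": ACTIONS[m["action"]],
        "in": kv.get("IN", ""), "out": kv.get("OUT", ""),
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "sport": kv.get("SPT"), "dport": kv.get("DPT"),
    }


def explain(entry: dict, dnat_addr: str, dnat_port: str) -> str:
    """Say which rule fired and whether the packet had already been DNATed to dnat_addr:dnat_port."""
    # Empty OUT: packet was for the router itself (local chain). Non-empty OUT: being forwarded.
    path = "forwarded via " + entry["out"] if entry["out"] else "addressed to the router"
    verdict = f"{entry['ruleset']} rule {entry['rule']}: {entry['action']} ({path})"
    if entry["action"] != "accept" and entry["dst"] == dnat_addr and entry["dport"] == dnat_port:
        # DST is already the post-NAT address, so destination NAT ran before filtering;
        # the filter ruleset, not the NAT rule, is what blocks the forwarded flow.
        verdict += (f"; DNAT already applied, so {entry['ruleset']} needs an accept for "
                    f"{entry['proto'].lower()} to {dnat_addr} port {dnat_port}")
    return verdict


def summarise(log_text: str, dnat_addr: str, dnat_port: str) -> list:
    """One verdict per firewall log line, skipping lines without a rule tag."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [explain(e, dnat_addr, dnat_port) for e in entries if e]


if __name__ == "__main__":
    for verdict in summarise(SAMPLE_LOG, "192.168.5.56", "9081"):
        print(verdict)
```

Run against a real `show log firewall` capture, the tag tells you which ruleset's default rule dropped a packet even when several rulesets log the same 5-tuple.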


#2

Hi
your device in this case should use http://172.21.153.4:9081/AC2/report
as now it

and it must be


#3

Hi Syncer,

Apologies for the incorrect information. I am doing exactly that, i.e. wget http://172.21.153.4:9081/AC2/report; however, it makes no difference.

With all the different things I have tried, all I have been able to do is change it from a timeout to a
“wget: server returned error: HTTP/1.1 500 Server Error”
XW.v6.1.6# wget http://172.21.153.4:9081/AC2/report

I also get this, which I think should mean that NAT is actually working correctly?
Pre-NAT src          Pre-NAT dst          Post-NAT src         Post-NAT dst
192.168.1.211:43921  172.21.153.4:9081    192.168.1.211:43921  192.168.5.56:9081
  tcp: 172.21.153.4 ==> 192.168.5.56  timeout: 65 use: 1

To me that looks like NAT is working as intended, so perhaps now there is some other problem giving the server error?


#4

That means that you can reach the server and are getting a 500 error.
Now you need to fix that in AirControl itself (the device must send data to that IP and not the internal one).


#5

I still get the same server error when using wget, but the application itself is working, and I can now configure devices via AirControl.

I assume I had port forwarding wrong initially; then I got it right but never actually checked whether the application was working, as I was just relying on the wget result.

Thanks for helping!

