Port forwarding with two routers

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,732
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
I want to forward a port on a work system. Tried lots of things, but can't figure it out.

The system sits behind two routers, a Smoothwall, and then a little Linksys thing. I've port forwarded through an identical Linksys router at home no worries, and I've tried plugging the target machine directly into the Smoothwall's 16-port hub, and that works fine too. But I can't figure out how to forward through both units at the same time.

Why two routers? The chain works like this:

Cable modem links to:
- Smoothwall

Smoothwall links to a 16-port hub which links to:
- various customer machines as required
- Netgear router

Netgear router links to:
- the target machine
- various other machines in the office network

This means the office network is NOT exposed to infection from the various, sometimes badly infected, machines that pass through the workshop, so the two router system is important. OK, I could build another machine especially for the port-forwarded app and connect it to the semi-public workshop network (I can forward through one router just fine), but that would be a waste of a computer, and make it difficult to copy files back and forwards between the target machine and my other own machines.

Any hints?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
20,480
Location
I am omnipresent
Website
s-laker.org
Honestly, it should be the very straightforward matter of forwarding the port twice. If that's not working, you need to make some alternative arrangements. A few thing that occur to me:
1. Put the PC on your second router's DMZ.
2. Plug the PC into the semi-public network.
3. Create a Virtual Machine for whatever appliance need you have and put THAT on your second router's DMZ.
4. Get a router that's less sucky.

Does the office network actually need to talk to the shop network?
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,732
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
0: Should be the very straightforward matter of forwarding the port twice

That's what I'd have thought. Done it a zillion different ways, can't get anywhere.

1. Put the PC on your second router's DMZ. Does the Netgear even have a DMZ? What are the security implications of doing this?
2. Plug the PC into the semi-public network. Can't. It needs to be secure against infection from the semi-public machines, and it needs to be on the office nework so i can do work on it with shared resources.
3. Create a Virtual Machine for whatever appliance need you have and put THAT on your second router's DMZ. Might work .... have to think about that.
4. Get a router that's less sucky. IS this a router suckiness thing? Or is it a more difficult thing that it seems on first sight? But router suckiness has to be a possibility - the other Netgear (identical) I had at home was causing all sorts of problems with, of all things, FTP. I couldn't FTP reliably: on again, off again, random lost connections, work for a few hours, not work at all .... just crap. Eventually I traced it to the Netgear router. Put in a cheap & nasty TP-Link router instead, problem solved. So I'll definately try that idea.
5: Replace the Smoothie with a standard Linux box, and use that as BOTH the master firewall (what the Smoothie does now) and for uTorrent. That should work, I imagine .... but I'd face a bit of a learning curve, which is something I generally try to avoid these days ...

Hmmm .....

The sensible solution would be to just build a spare box and stick it on the semi-public network, 'cause I only need this for a couple of weeks. Maybe I'll do that.

Damnit, it SHOULD be simple.
 
Last edited:

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
20,480
Location
I am omnipresent
Website
s-laker.org
Putting a machine in DMZ means that it's not being protected by a firewall.

If you're doing this for torrenting, be aware that you need to forward a range of ports, which might be why the Netgear is choking. I haven't had much luck configuring Netgear routers to do anything out of the ordinary either, and you might be better served with a Linksys router with OpenWRT on it or something.

The outward facing machine on my home network is an OpenBSD computer. I do my torrenting directly from that. Some new home routers are starting to come with direct support for bittorrent and external storage, which would amount to the same thing.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,732
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Sounds like we are on the right track. Thanks Merc, I'll play with some different routers first, then, and after that (if need be) just build an extra machine for a while, which will do what I need for the next couple of weeks while I am bandwidth limited at home. I'll look at a 'nix machine instead of the Smoothie when I get some free time to deal with a bendy educational thing. Possibly that will be March 2017.
 

mangyDOG

Learning Storage Performance
Joined
Feb 15, 2003
Messages
161
Location
Ballarat, Vic, Aust.
Hi Tea,

Another option might be to add a 2nd NIC to your smooth wall box (I use IPcop and this works well). Three NICs = red to modem, green to your PCs via a standard switch, blue (or orange) to client PCs via a standard switch.

This means that all PCs are shielded from the Internet via the smoothie, green network is shielded from everything and runs on a different subnet from blue **but** can still access computers on the blue network via the smoothie router. This is important as I run a NAS on the blue network with read only access on guest account (ie all client PCs) but with write access to my username/password so I can update files on the NAS from the green network.

The final result of this is, for the cost of a single NIC you can do away with your netgear router, setup port forwarding on your Smoothwall and everything should work. ;-)

Cheers,
mangyDOG
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,732
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Now there is a darn good idea, Mangy One! I have to rush off (helping Tannin plant another 5000 trees with the Regent Honeyeater Project up Benalla way this weekend - Tannin has been laid up with the 'flu, or possiby the black death, for the last week or so, so he's a bit weak and tottery and will need some help - but will ponder this next week.

One question: can I set the orange interface to still protect the semi-public network in the same way as the green interface? I still need to have the semi-public network machines behind a hardware firewall as they often have no other protection while I'm working on them.

PS: I'm really good with a shovel: unlike humans, I don't have to stoop, I just hold the top of the shovel with my left front paw and the bottom of the shovel with my left rear paw. Or swap over to the right-paw side if I get tired. I tried using two shovels at once last week for extra speed, but when I lifted them both up at the same time I fell down.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
20,480
Location
I am omnipresent
Website
s-laker.org
Here's a fun idea for the non-Smoothwall types (I've never used one):
OpenWRT - the alternative Linux-based firmware for the WRT54G(L) - has a Samba client.

That means it can address external storage, even without a local drive.
And it can run a bittorrent client. I'm not sure if there's a binary for a client that supports web based management, but it's still kind of a neat hack.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,315
Location
Monterey, CA
Merc, with you being a Linux guy, you should really try Smoothwall. Particularly with the newly-released 3.0 and the user-written plugins, it is the most capable firewall I've ever used.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
20,480
Location
I am omnipresent
Website
s-laker.org
If my client have enough money to care, usually they like having someone to indemnify in the event of a security lapse, which is why I usually buy Sonicwall products if they can afford them.

I can make a Linux-based router/firewall out of anything.
 

mangyDOG

Learning Storage Performance
Joined
Feb 15, 2003
Messages
161
Location
Ballarat, Vic, Aust.
One question: can I set the orange interface to still protect the semi-public network in the same way as the green interface? I still need to have the semi-public network machines behind a hardware firewall as they often have no other protection while I'm working on them.

Hi Tea,
I'm not sure with smoothwall, but with IPcop I use the blue interface which is fully protected from the Internet. The blue Interface is intended for a wireless AP connection with limited access to the green network (none by default) but still secure from the Red network.

A quick look at the Smoothwall website indicates that SW3 now has a purple interface which is the same as the IPcop blue network.

cheers,
mangyDOG.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,732
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Sorry ... must have seen something shiny. Happens to me all the time, Mangy One.

Yes, it did get resolved, sort of. Two different ways.

1: The football season ended, meaning that there was no longer any requirement for uTorrent .... at least not till next year, anyway.

2: The Soup Nazi says that the trick is to make sure that both your roiuters are on the same subnet: e.g., 192.168.1.1 and 192.168.1.200. Apparently it is then easy. But I didn't actually try it because ... er .. because see reason #1.

I'll remember to post again next year if/when I need it again.

Thanks M&M!
 
Top