04-13-2012 08:15 PM
i have tried the standard way of using a vip for port forwarding and i cant use vip with my isp because of a dynamic ip.
is there any work around where i can forward ports from a server in trust to untrust for outside communication?
have attached my cfg as text file
04-14-2012 01:30 AM
You can use VIP's with a dynamic IP. But I don't see any VIP's defined in your current config.
I noticed a couple of things:
You have the minecraft en secams services defined with only one source port. Connecting clients will pick a random port in the range 0-65535. So you should define the services as:
set service "seccams" protocol tcp src-port 0-65535 dst-port 8085-8085
You defined the addresses of your servers with a netmask of /24 (255.255.255.0). That way your policies allow incoming traffic not only to your server, but to the whole internal LAN. Addresses should be defined as:
set address "Trust" "192.168.11.245" 192.168.11.245 255.255.255.255
04-15-2012 01:12 PM
You add the VIP to your untrust interface (ethernet3). Because you only have the one public IP address, you add the VIP to that address:
- Network>Interfaces>List>Edit ethernet3>VIP
- Select "Same as the interface IP address" and click Add.
- Click New VIP service, select your public IP as Virtual IP
- Select the service in Map to service
- Enter the internal IP address of your server in "Map to IP"
Now create the policy to allow the traffic:
- Policy>Policies Untrust to Trust
- Source address: Any
- Destination address: VIP (ethernet3)
- Service: select service
- Action permit