URGENT: Port Forwarding RANGE issue!
Product Category: Business, Omada Cloud SDN (Routers)
Model Number: ER7206
Hardware Version: V1
Firmware Version: 1.3.0 Build 20230322 Rel.7095
Internet Service Provider (ISP): Transworld Home
Subject: Port Forwarding RANGE issue
Detailed Description of the Problem:
I recently bought this router.
I have three servers on the LAN where I want to forward ports as TCP/UDP in Transmission > NAT > Virtual Servers:
Server1:
External: 1-1000 Internal: 1-1000
Server2:
External: 1001-2000 Internal: 1-1000
Server3:
External: 2001-3000 Internal: 1-1000
These settings work for Server1 but not for the other servers.
I have ports listening on all servers and it works for both servers if I do one port at a time like:
Server2:
External: 1022 Internal: 22
Server3:
External: 2022 Internal: 22
But it doesn't work with a range.
So I think the problem is in the router's algorithm for handling port ranges:
as long as the internal and external ports in the range are the same, it works,
but it doesn't work for a one-to-one pattern even though the number of ports is the same.
I am an IT expert myself so I know what I am talking about.
I tried SSH into the router but it doesn't give me shell access and I'm only limited to CLI mode,
which doesn't offer much more than what the web portal offers.
Please help resolve the issue, Thanks!
Hi @AdeelKhan
AdeelKhan wrote
Q1/24 is far away, can you please ask dev team if they can send a patch for me?
I can't guarantee anything because many things are not determined by me. But the word I got from the dev leader is that they will push and see if we can provide a solution next week. If delayed, please understand. That's a little bit assuring, at least.
Hi @AdeelKhan
Regarding the issue you experienced, I got a reply from the dev team. After evaluation of your requests and your scheme, it is very hard to implement this.
Concerns are:
1. Due to the specialty of iptables, it is hard to achieve what you asked for. For the first server, it should be fine. But for Server 2 and Server 3 as you described in the OP, that'll be troublesome.
To make the different port ranges, i.e. Server 2, external 1001-2000 and internal 1-1000, will create 1000 entries which will extremely affect the memory and forward efficiency of the device. Eventually, the overall performance will be affected.
2. After some investigation on our competitors, UBNT, it can only achieve the same port range forward. They did a test on the UBNT products.
Recommend you use the same range port forward now.
I am afraid that the dev is reluctant to produce a beta at this moment after this evaluation. And it is possible to abort this from the roadmap. I am not sure yet. If you'd like to know, I can follow up on this with the dev team.
Now, it is hard to estimate how much performance will be affected if we indeed make firmware to support this. If you insist, I'll check again with the dev and see if there are any other concerns.
Hey @Clive_A 👋
Thank you so much for getting in touch and reaching out to me every time with an update, I appreciate that!
1. The iptables is indeed smart with that, but I think it shouldn't affect the memory or resources of your router, because for one host it still saves the port mapping bindings. I believe it shouldn't affect memory much whether mapping for just one server or multiple.
Also, the Stack Overflow post you've mentioned doesn't use the proper way to map 1:1 ports for multiple hosts; for that you need to use a slash (/) with the destination ports to define the starting port number of the source ports so it maps 1:1.
2. Sorry, maybe I didn't understand it properly: do UBNT routers support what I need or not?
P.S. Please have a word again with your dev team because I don't think it will affect memory. Right now I am using a Raspberry Pi as a router to test with hundreds of servers, and it uses very little memory (probably 1-2%).
Hi @AdeelKhan
Thanks for posting in our business forum.
I am simply iterating what the dev told me. UBNT only supports int 1-1000, and ext 1-1000 mapping. Not supporting int 1-1000, ext 1001-2000, this format.
I was informed that there is no way to use a single line of iptables to achieve that. But to port forward Server 2 and 3, that'll take individually 1000 entries.
Hey @Clive_A 👋
Alright. Got it!
Thank you so much for the update.
I guess I have to keep it going with my own solution.
Have a good day!
Apparently support for base-port based 1:1 port mapping in DNAT with a base port was only added to iptables in 2018: https://stackoverflow.com/questions/33052149/is-it-possible-to-map-11-port-range-iptable-dnat-rules. Since the ER605 firmware is based on an early version (14.07) of OpenWrt from 2014, it will likely not have this functionality.
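The base-port form discussed in the post above, next to the per-port expansion an older kernel would need, as an added example that is not part of the thread or of the router's firmware. It only prints rules; `WAN_IF`, `eth0` and the LAN address are constructed placeholders, and the 4.18 kernel threshold is taken from the iptables-extensions man page.

```shell
# Added example: prints DNAT rules, never runs iptables.
# WAN_IF and the LAN addresses are constructed placeholders.
WAN_IF=${WAN_IF:-eth0}

# valid_range START END: true when 1 <= START <= END <= 65535
valid_range() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$2" -le 65535 ] 2>/dev/null && [ "$1" -le "$2" ]
}

# kernel_has_baseport VERSION: true for kernel >= 4.18, the release the
# iptables-extensions man page names for the port-port/baseport syntax.
kernel_has_baseport() (
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }
)

# shifted_rule PROTO EXT_START EXT_END LAN_IP INT_START
# One rule: internal port = INT_START + (original dport - EXT_START).
shifted_rule() (
    valid_range "$2" "$3" || exit 1
    int_end=$(( $5 + $3 - $2 ))
    valid_range "$5" "$int_end" || exit 1
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s:%s -j DNAT --to-destination %s:%s-%s/%s\n' \
        "$WAN_IF" "$1" "$2" "$3" "$4" "$5" "$int_end" "$2"
)

# expanded_rules: same arguments, one rule per port, which is what a
# kernel without baseport support needs for a shifted range.
expanded_rules() (
    valid_range "$2" "$3" || exit 1
    valid_range "$5" "$(( $5 + $3 - $2 ))" || exit 1
    p=$2
    while [ "$p" -le "$3" ]; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$1" "$p" "$4" "$(( $5 + p - $2 ))"
        p=$(( p + 1 ))
    done
)

# Server2 from the thread: external 1001-2000 -> internal 1-1000 (LAN IP constructed).
if kernel_has_baseport "$(uname -r)"; then
    shifted_rule tcp 1001 2000 192.168.0.12 1
else
    expanded_rules tcp 1001 2000 192.168.0.12 1 | wc -l
fi
```

Each rule covers one protocol, so a TCP/UDP forward needs the same call repeated with `udp`.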
Hey @MisterW 👋
Thank you for your response.
Is there a way I can just SSH into the ER7206 and do it by myself?
TBH I'd missed that you have the ER7206 and not the ER605. However, having searched, it would appear that the ER7206 is based around the same OpenWrt version and thus the same Linux kernel.
So basically the version of the kernel's iptables functionality does not support what you want. So there's nothing you can do, even using SSH.
Hey @MisterW 👋
Thanks again for your response.
Alright, if that's the case then I'm gonna continue with my own solution with a custom router.
Have a good day! 🙌🏻