Why do you need open this port? Do you have public IP address on WAN port?

I'm exposing a service over the Internet - which I can access on my mobile. I'm using no-ip.org as a dynamic DNS service and their client which regularly updates my public IP address with their service. The DNS and port forwarding all work perfectly without the IPv4 firewall enabled. The router overview page displays my public IP fine. My WAN host in the firewall rules are set to Any Host, the LAN Host for these rules I've tried not specifying an IP but just specifying the port. I've tried specifying the port and my gateway, and I've tried specifying the internal server and the port. None of the above work. All from any host, all with the direction of IN all on TCP (it's a tcp service), all set to allow, and all enabled. I have no other blocking anything.

I need this port open as I'm trying to expose a service over the internet, this service runs on port 8096 (my port forwarding originally accepted 80 and forwarded over 8096 to the target LAN server/host, however, I'm simplifying things at the moment until I get it all working)

The service is over TCP and in fact is a HTTP service (a web application that I'm running)....

For access via a domain name, I've registered with no-ip.org, and I run their client to update my sub-domain with my public IP address.. All this works, and has worked in the past when using a different router..

The only issue is when I enable the IPv4 firewall (and yes, all my networking internally is run over an IPv4 network, IPv6 is disabled on the router and all hosts).

As I think I mentioned, the whole set-up works with the firewall disabled, absolutely perfectly.. www.portchecktool.com can connect to my port, and actually I'm able to browse to the service when I'm not connected to my network... This actually, all works including me exposing port 80 on the Firewall and forwarding it to 8096 on the target (internal) host. Just, as soon as I enabled the firewall, nothing can connect. www.portchecktool.com no longer works, and I cannot browse to the service when I'm off my network.

The firewall is set to deny anything not explicitly allowed and then - currently - in my list of rules I have these two:




DescriptionLAN HostTargetScheduleRuleStatusEdit...

[/TD] [TD]MediaServer1	MediaSe...	Any Host	Any Time	Allow	Enabled	Edit
[/TD]	MediaServer2	Ext.Med...	Any Host	Any Time	Allow	Enabled

The two LAN hosts are specified as:

1.

2.


I added the second rule (well, second host for the second rule) just in case the firewalling was happening prior to any port forwarding and NATing - which I doubt, but I am/was getting desperate


The rules themselves are:

1.

2.



The other rules are all outbound, there is no rule that denies anything, except one to block some specific outbound traffic... There is no other inbound rule...


The port forwarding is as follows:




Service PortIP AddressInternal PortProtocolStatusWANEdit












[TD]

8096

server's internal IPv4 address

8096

TCP

Enabled

pppoa_0_38_0_d

[COLOR=blue]Edit

I feel like I'm doing something really bl**dy stupid

Any help will be much appreciated!

Thanks!

OH, and yes... I do have a public IP address on my WAN interface:

pppoa_0_38_0_d	PPPoA	0/38	86.158.109.110 /32	217.47.112.186	213.120.234.14 213.120.234.30	Connected

Do you have access to this service in local network?

pppoa_0_38_0_d

PPPoA

0/38

86.158.109.110 /32

217.47.112.186

213.120.234.14 213.120.234.30

Connected

Is this IPv6 protocol on your WAN port?

jimasek wrote

Do you have access to this service in local network?Is this IPv6 protocol on your WAN port?

IPv6 is disabled on the router and on all hosts and devices - everything is set to IPv4. And yes, with or without the firewall enabled it always works internally on the LAN. It's just access from the WAN.

Give me screenshot from Virtual Server and port forwarding settings?

Here's the screen shot that it let me upload .. hmm...

[ATTACH=CONFIG]2064[/ATTACH]

The settings are (in the virtual server section of port forwarding):



I don't - believe - that I need to use Port Triggering, nor do I need to use the DMZ feature (because the server doesn't connect back out, it's a standard web application, that accepts inbound HTTP requests - 8096 is its default port)

Since port forwarding works when firewall is disabled, I don't think configuration on virtual server is wrong.
Why you have to enable firewall? What are you trying to control? After you configure it as you said, can you access internet properly? Just port forwarding stops working?

I'd quite like to have my firewall on, from a basic security perspective. Security is my profession (though software architecture security as opposed to networking / infrastructure security - though I have a basic understanding). Currently, I want to restrict outbound traffic to just HTTP(S), and block known C&C servers over any port/protocol, plus time restrict some other access. All this works, if we forget the media system that I'm trying to expose over the Internet... Every other rule on the firewall works. Although, there's a key difference between the rules that do and the rules that don't work. The rules that do work are all outbound/egress rules, whereas the rules that don't work are all inbound/ingress rules. So, I'm a little confused.