DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Granting port access based on IP

19 Sep 2011 12:00 #69420 by maksu
Granting port access based on IP was created by maksu
Hi All,

Trying to grant access from 1 external IP address on port 889 to route through to one internal address on port 80 using a draytek 2820.

I've read through the forums and seen people suggest using "Type Object" and "IP Group" and then adding these to your firewall filter, but I've had no luck in getting this working.

Anyone else had this problem, or know of another solution?

Thanks


26 Sep 2011 10:07 #69486 by frag
Replied by frag on topic Re: Granting port access based on IP
There are a couple of things that you need to do to get this to work.

Firstly, go to the NAT menu and then the Port Redirection page. Set up a new entry so that you specify the public port as 889 and then private port as 80, then link it to your private IP address. That should open up and redirect the port to the correct internal IP address.

The next step is to use the firewall rules as you mention. You need 2 rules configured like so:

RULE1
Direction: WAN to LAN
Source IP: (IP address you wish to allow)
Destination IP: Any
Service Type: (set the DESTINATION PORT as 889, do not change the source port)
Action: Pass Immediately

RULE2
Direction: WAN to LAN
Source IP: Any
Destination IP: Any
Service Type: (set the DESTINATION PORT as 889, do not change the source port)
Action: Block Immediately

The first rule should allow access from your one public IP address and the second rule will block all others. Combine this with the above NAT settings and you should then be able to achieve what you're looking for.

You now owe me ONE MILLION POUNDS for fixing your internets, lol.


26 Sep 2011 11:34 #69494 by maksu
Replied by maksu on topic Re: Granting port access based on IP
Hi Frag,

Thanks for the reply but what you suggested doesn't seem to work, yes I can connect to the internal device but so can everyone else. It appears NAT Menu rules override firewall rules.

Thanks


26 Sep 2011 12:27 #69503 by maksu
Replied by maksu on topic Re: Granting port access based on IP
Hi Frag,

Thanks again for your reply, but I've sorted this now. I used the same idea, however I didn't specify ports on the firewall, IP only.

For example :-

RULE1
Direction: WAN to LAN
Source IP: External IP
Destination IP: Internal IP
Service Type: Set To Any
Action: Pass Immediately

RULE2
Direction: WAN to LAN
Source IP: External IP
Destination IP: Internal IP
Service Type: Set To Any
Action: Block Immediately

Hope this helps anyone else out there.

Thanks


26 Sep 2011 14:15 #69505 by frag
Replied by frag on topic Re: Granting port access based on IP
Hi maksu,

Glad you got it working... However, with that firewall rule in place you will be blocking ALL INCOMING sessions that the internal IP address might be trying to host.

This might be a problem or it might not be; essentially any further NAT rules you put in place pointing to that internal IP address will still be blocked because of the firewall rule. The fact that the original rule didn't work is probably down to the way that the service type was configured... you need to leave the source port as 1~65535 to allow the remote router to assign a pseudo port to outgoing traffic (god damn NAT). The firewall definitely takes precedence over NAT rules, otherwise it would be rather useless.

If you find in future that the IP address is having trouble with accepting incoming requests (say P2P applications) then remember this firewall is in place because it will be the cause of the problem. Due primarily to the fact that it is capturing all traffic coming in to that private IP address.

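The pass-then-block pair and the source-port caveat from the reply above, as an added example that is not part of this thread and not DrayTek's own filtering logic: a small first-match packet filter in Python that models the WAN-to-LAN rules and the port redirection, then shows (a) the permitted address reaching the printer on the forwarded port while any other address is blocked, (b) why a rule that also pins the source port to 889 never matches real clients, whose source ports are ephemeral, so everything falls through to the default and "everyone else" can connect, and (c) that the port-scoped block leaves other inbound ports untouched. The addresses (203.0.113.10 as the permitted WAN address, 198.51.100.7 as any other client, 192.0.2.1 as the router's WAN side, 192.168.1.50 as the printer) and the default-pass fall-through for unmatched traffic are constructed assumptions for the model, not values from the thread.

```python
"""Added example, not from the forum thread: first-match WAN->LAN filter model."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for the model (RFC 5737 documentation ranges / private LAN).
ALLOWED_WAN_IP = "203.0.113.10"   # the one external IP that may reach the printer
OTHER_WAN_IP = "198.51.100.7"     # any other Internet host
ROUTER_WAN_IP = "192.0.2.1"       # the router's public side, where port 889 is exposed
PRINTER_LAN_IP = "192.168.1.50"   # internal host running the web UI on port 80
ANY_PORTS = (1, 65535)            # the "do not change the source port" range
EPHEMERAL = range(49152, 65536)   # source ports a client OS typically picks


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "pass" or "block" (both "Immediately": first match wins)
    src_ip: Optional[str] = None      # None means Any
    dst_ip: Optional[str] = None      # None means Any
    src_ports: Tuple[int, int] = ANY_PORTS
    dst_ports: Tuple[int, int] = ANY_PORTS

    def matches(self, p: Packet) -> bool:
        return ((self.src_ip is None or p.src_ip == self.src_ip)
                and (self.dst_ip is None or p.dst_ip == self.dst_ip)
                and self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1])


# The two rules as posted: pass the one source on destination port 889, block all others on 889.
FRAG_RULES = (
    Rule("RULE1", "pass", src_ip=ALLOWED_WAN_IP, dst_ports=(889, 889)),
    Rule("RULE2", "block", dst_ports=(889, 889)),
)

# The likely misconfiguration: same rules but with the *source* port also set to 889.
BROKEN_RULES = (
    Rule("RULE1", "pass", src_ip=ALLOWED_WAN_IP, src_ports=(889, 889), dst_ports=(889, 889)),
    Rule("RULE2", "block", src_ports=(889, 889), dst_ports=(889, 889)),
)

# NAT > Port Redirection: public 889 -> printer's port 80 (assumed single entry).
PORT_REDIRECTION = {889: (PRINTER_LAN_IP, 80)}


def inbound(src_ip: str, src_port: int, dst_port: int = 889) -> Packet:
    """A packet arriving on the WAN interface, addressed to the router's public IP."""
    return Packet(src_ip, src_port, ROUTER_WAN_IP, dst_port)


def evaluate(rules, packet: Packet, default: str = "pass"):
    """First matching rule decides; unmatched traffic falls through to the default (assumed pass)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "default"


def handle_inbound(rules, packet: Packet) -> dict:
    """Firewall first, then NAT redirection, per the thread's conclusion that the filter takes precedence."""
    action, rule = evaluate(rules, packet)
    if action == "block":
        return {"action": "block", "rule": rule, "forwarded_to": None}
    return {"action": "pass", "rule": rule, "forwarded_to": PORT_REDIRECTION.get(packet.dst_port)}


def count_passed(rules, src_ip: str, dst_port: int = 889) -> int:
    """How many ephemeral source ports from src_ip get through to dst_port under these rules."""
    return sum(1 for sp in EPHEMERAL if evaluate(rules, inbound(src_ip, sp, dst_port))[0] == "pass")


if __name__ == "__main__":
    for label, rules in (("source port Any", FRAG_RULES), ("source port 889", BROKEN_RULES)):
        print(f"--- {label} ---")
        for ip in (ALLOWED_WAN_IP, OTHER_WAN_IP):
            print(f"{ip:>14} -> {handle_inbound(rules, inbound(ip, 51234))}")
            print(f"{ip:>14} ephemeral ports passed: {count_passed(rules, ip)}/{len(EPHEMERAL)}")
```

With the source port left at 1~65535, only 203.0.113.10 reaches 192.168.1.50:80 and every other address hits RULE2; with the source port pinned to 889 neither rule ever matches a real client, so both addresses fall through to the default and the NAT entry forwards them, which is exactly the "everyone else can connect" symptom reported earlier in the thread.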

26 Sep 2011 14:37 #69506 by maksu
Replied by maksu on topic Re: Granting port access based on IP
Hi Frag,

Blocking all incoming sessions is fine, as they are only a bunch of network printers.

The company that supports them just needed access on port 80 to be able to view the status.

Thanks again though, you most certainly pointed me in the right direction.

