Port Forward Troubleshooting Guide
From Edge Threat Management Wiki - Arista
Port forwards can be tricky. Below is a series of suggestions about getting port forwards to work.
- Read the Port Forwarding FAQs
- Verify that the destination host on the inside is using the Untangle as its default gateway. If not, the reply packets won't find their way back to Untangle.
- Verify that the destination service is reachable from the inside on the IP and port specified in your port forward rule.
- Test your (TCP) port forward using 'telnet'. In Windows, go to Start > Run and type telnet 18.104.22.168 123, where 18.104.22.168 is your external IP and 123 is the port your port forward rule matches. If it connects and hangs, the port forward is working. If it fails to connect, your port forward is not working.
- Test your rule from the outside. Port forwarding back inside the network has extra complications. First verify that it works from the outside.
- Verify there is a session shown in Reports > Port Forwarded Sessions
- Verify that Untangle can connect to the final destination. Use the Connection Test in Troubleshooting, or open the console on Untangle and type 'telnet 192.168.1.10 123', where 192.168.1.10 is the internal server you are forwarding to and 123 is the port. If it connects, Untangle can reach the server. If it fails to connect, Untangle can't reach the server and the port forward will probably not function until this part is working.
- For testing, turn off the Firewall and Captive Portal applications if you have them installed. Port forwarded sessions will not connect if they are blocked by an application. If you have many policies, verify which policy is processing the session and make sure you disable the correct apps.
- Simplify your port forward rule. Remove extra qualifiers so it contains as few as possible. For example, specify just the port to forward, "Destined Local", and the server to forward it to. If that works, add the extra qualifiers back one at a time, testing each time.
- If you are port forwarding port 443 (HTTPS), try moving Untangle administration to another port so port 443 is available to be forwarded.
- Remove any Source Address and Source Interface qualifiers - 99% of the time these are misused.
- For advanced users, use tcpdump or the Packet Test in Troubleshooting to debug and watch the packets. To test with tcpdump, run these two commands: tcpdump -i eth0 -n "port 123" and tcpdump -i eth1 -n "port 123", assuming eth0 is your outside interface and eth1 is your inside interface.
- Still not working? Post a screenshot of your port forward rule to the forums along with the results from the above tests and ask for help.
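The telnet checks above can be scripted so that the result also says how the connection failed. This is an added example, not part of the original wiki page; the function names probe and next_step are made up for illustration, and the demo uses a constructed loopback listener instead of a real external IP.

```python
import socket

def probe(host, port, timeout=3.0):
    """TCP connect test equivalent to 'telnet host port'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:
        return "timeout"   # no answer: packets dropped or replies lost
    except ConnectionRefusedError:
        return "refused"   # connection actively rejected (TCP reset)
    except OSError:
        return "error"     # no route, name lookup failure, etc.

def next_step(external, internal):
    """Map two probe results onto the checks in the list above.

    external: probe of the external IP and forwarded port, run from outside.
    internal: probe of the internal server and port, run from the inside.
    """
    if internal != "connected":
        return "Service not reachable on the inside: fix the server or its IP/port first."
    if external == "connected":
        return "Port forward is working."
    return ("Service is up but the forward fails: check the server's default "
            "gateway, simplify the rule, and disable Firewall/Captive Portal for testing.")

if __name__ == "__main__":
    # Constructed demo on loopback so the script runs offline; substitute your
    # external IP, internal server and port when testing a real rule.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    up = probe("127.0.0.1", port)      # listener present
    listener.close()
    down = probe("127.0.0.1", port)    # listener gone
    print("with listener:", up, "| without listener:", down)
    print(next_step(external=down, internal=up))
```

Run the external probe from a host outside the network and the internal probe from the Untangle console or another inside host, then include both results when posting to the forums.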