Single source IP port forwarding

fraser73
Newbie
Posts: 1
Registered: 02-03-2014

I have the standard Technicolor gateway which comes with the VDSL service. I have various port forwarding set up from any source IP to single hosts internally. I have also set up custom firewall services using the telnet command line. However, I cannot work out how to forward a single port from a single IP address on the internet to an internal host. I have tried a combination of custom firewall rules and port forwarders, but it seems that port forwarding rules are applied before firewall rules.
I can't imagine that the router doesn't support forwarding of ports from a single IP, so can anyone tell me what I'm doing wrong?
2 REPLIES
Community Gaffer
Posts: 17,646
Thanks: 640
Fixes: 162
Registered: 05-04-2007

Re: Single source IP port forwarding

It might be possible, however it's rare that you'd want to allow access only from a single IP (in my experience). You'd need to set up the port forward rule, this will allow any IP to access the internal service, and then use the custom firewall rules to deny any other IP addresses from accessing that service. I'll be honest, I'm not sure how easy this is on the 582 as it's not something I've tried.
Chris Parr
Plusnet Staff
Community Veteran
Posts: 1,841
Thanks: 103
Fixes: 6
Registered: 21-01-2013

Re: Single source IP port forwarding

Quote from: Chris
You'd need to set up the port forward rule, this will allow any IP to access the internal service, and then use the custom firewall rules to deny any other IP addresses from accessing that service.

That won't work:
When a port forward rule is assigned, the router creates the required path through NAT and also creates a hidden firewall rule to allow the required ports from WAN to LAN. This hidden FW rule has a higher priority than any custom rule, so once a packet has passed this hidden rule it will not be inspected by any custom rules.
I haven't tested the following but it may be a starting point for you to achieve what you need.
The following telnet commands should create a PF rule for port 222 from WAN IP 1.2.3.4 to LAN IP 192.168.1.50.
Quote
nat tmpladd intf=Internet type=napt outside_addr=1.2.3.4 inside_addr=192.168.1.50 outside_port=222 inside_port=222
firewall rule add chain=forward_host_service index=1 name=AllPorts srcintf=wan dstip=192.168.1.50 state=enabled action=accept
saveall

Modify the port and IP as required.
Ref: http://npr.me.uk/forwardports.html
Correction:
I've tested the above and it doesn't work -- surprisingly.
The following did work, tested with PFPortChecker (from portforward.com).
Quote
nat tmpladd outside_addr=0.0.0.1 inside_addr=192.168.1.65 foreign_addr=65.112.29.37 outside_port=222 inside_port=222 mode=inbound
firewall rule add chain=forward_host_service index=1 name=test srcintf=wan srcip=65.112.29.37 dstip=192.168.1.65 state=enabled action=accept
saveall

Notes:
The firewall rule would benefit from being tightened by adding the port.
I tested the above "nat" command by changing the "foreign_addr" to an incorrect one and this stopped PF from working. So, as yet, I'm only assuming this limits the outside IP to the one specified (65.112.29.37) -- need more checking.
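The precedence described in this reply (a hidden accept rule added for every port forward that beats any custom rule, and foreign_addr restricting which source the NAT template matches) can be modelled to see why the first approach cannot work and the second can. This is an added example, not code from the thread or from Technicolor; the rule structures, the evaluation order and the reason strings are assumptions of the model, and the IPs are the ones quoted above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatTemplate:
    """One 'nat tmpladd' entry; foreign_addr=None means any WAN source (model, not firmware)."""
    outside_port: int
    inside_addr: str
    inside_port: int
    foreign_addr: Optional[str] = None


@dataclass
class FirewallRule:
    """One forward_host_service rule; a None field matches anything."""
    action: str                      # "accept" or "drop"
    srcip: Optional[str] = None
    dstip: Optional[str] = None
    dstport: Optional[int] = None


def hidden_rules(templates: List[NatTemplate]) -> List[FirewallRule]:
    """Accept rules the gateway is said to add for each forward, ahead of custom rules."""
    return [FirewallRule("accept", dstip=t.inside_addr, dstport=t.inside_port) for t in templates]


def first_match(rules: List[FirewallRule], src_ip: str, dst_ip: str, dst_port: int):
    """First-match-wins walk of a chain, as the reply describes for the hidden rule."""
    for r in rules:
        if r.srcip in (None, src_ip) and r.dstip in (None, dst_ip) and r.dstport in (None, dst_port):
            return r
    return None


def decide(src_ip: str, dst_port: int, templates: List[NatTemplate],
           custom_rules: List[FirewallRule]) -> Tuple[str, str]:
    """Verdict for a WAN packet from src_ip to outside port dst_port: (action, reason)."""
    # Step 1: NAT template lookup. A template with foreign_addr set only matches that source.
    tmpl = next((t for t in templates if t.outside_port == dst_port
                 and t.foreign_addr in (None, src_ip)), None)
    if tmpl is None:
        return ("drop", "no NAT template matches this source/port")
    # Step 2: forward chain with the hidden rules positioned before any custom rule.
    hidden = hidden_rules(templates)
    rule = first_match(hidden + custom_rules, src_ip, tmpl.inside_addr, tmpl.inside_port)
    if rule is None:
        return ("drop", "no forward rule matched")
    origin = "hidden rule" if any(rule is h for h in hidden) else "custom rule"
    return (rule.action, f"{origin} forwarded to {tmpl.inside_addr}:{tmpl.inside_port}"
            if rule.action == "accept" else f"{origin} dropped the packet")


if __name__ == "__main__":
    open_fwd = [NatTemplate(222, "192.168.1.50", 222)]            # first approach
    deny_rest = [FirewallRule("drop", dstip="192.168.1.50")]        # custom deny, never reached
    print(decide("8.8.8.8", 222, open_fwd, deny_rest))              # accept via hidden rule
    pinned = [NatTemplate(222, "192.168.1.65", 222, foreign_addr="65.112.29.37")]
    print(decide("8.8.8.8", 222, pinned, []))                       # drop at NAT lookup
```

Running it shows the custom deny in the first scenario is never consulted, while in the second scenario a packet from any other source never gets a NAT path at all.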