
Help! 1 to 1 NAT on Linksys RV082 opens up firewall!


Jim Dawson

Feb 13, 2004, 7:51:49 AM
I am trying to set up 1 to 1 NAT on a Linksys RV082 router. I have the
need to access a few computers over the internet using specific ports.
I configured 1 to 1 NAT on the RV082 and I was able to access the
device on the LAN side of the router but it apparently removed all
firewall protection in the process. I was able to ping the IP address,
connect to a Windows share, and even establish a pcAnywhere connection
without defining any firewall rules to let me do so. I double checked
and the firewall was enabled on the device. I am using the default
firewall rules: Allow all traffic from LAN -> WAN, deny all traffic
WAN -> LAN.

According to the manual: "One to one NAT does not change how the firewall
functions. Access to machines on the LAN from the Internet will
not be allowed unless Network Access Rules are set, or Authenticated
user sessions are established"

Has anyone heard of this? I called Linksys t/s but they weren't very
helpful. I'm waiting for them to email me back about this issue, as
well as a few other problems I've had.

Alternatively, can someone recommend another low-cost firewall with 1
to 1 NAT capabilities?

Thanks in advance.

Duane Arnold

Feb 13, 2004, 1:08:49 PM
jimd...@myrealbox.com (Jim Dawson) wrote in
news:e1f9bda.04021...@posting.google.com:

> I am trying to set up 1 to 1 NAT on a Linksys RV082 router. I have the
> need to access a few computers over the internet using specific ports.
> I configured 1 to 1 NAT on the RV082 and I was able to access the
> device on the LAN side of the router but it apparently removed all
> firewall protection in the process. I was able to ping the IP address,
> connect to a Windows share, and even establish a pcAnywhere connection
> without defining any firewall rules to let me do so. I double checked
> and the firewall was enabled on the device. I am using the default
> firewall rules: Allow all traffic from LAN -> WAN, deny all traffic
> WAN -> LAN.

>
> According to the manual: "One to one NAT does not change how the firewall
> functions. Access to machines on the LAN from the Internet will
> not be allowed unless Network Access Rules are set, or Authenticated
> user sessions are established"

I just read a little bit of the user manual on this device. This one to
one NAT feature looks to be opening access to private side IP(s) behind
the router to the public Internet. I think when you do this mapping, the
protection of the router using SPI and the router's protection for those
IPs being mapped to is out of the picture and the machine is wide open to
the Internet. The other machines on the LAN side that this 1 to 1 NAT is not
being done for are still protected by the SPI and the router.

It's the same thing with me doing Port Forwarding of ports to a LAN IP on
my Linksys BEFW11S4 router. When I do that mapping I have to have a host
based FW on the machine setting rules on the machine as to what public IP
(s) can access the machine on the inbound ports to the machine.

I could be wrong, but you may have to do the same with any LAN side
IP/machine that this one to one NAT is enabled on and protect it with
a host based FW. I am talking like with BlackIce, ZA, Sygate, etc, etc.
or if using IPsec that's on the Win2K and XP O/S(s) you can do it as well
to protect the machine.

Duane :)

Matt Jarvis

Feb 17, 2004, 9:35:08 PM
I just got off the phone with Linksys support as well and they are
trying to tell me that this is how it was designed to work. I will
call again tomorrow to talk to someone in the USA who hopefully will
accommodate me better. I must say that this is the 2nd RV082 (1st one
died after firmware update) and 3rd fault in firmware that I have had
to struggle with. Should have gone with the SonicWall, but way to
allow my customers to go for the cheaper route! Anyway, I pointed out the
same discrepancy in the manual and he claimed that it didn't
invalidate his case. He said that it is supposed to work just like DMZ,
which anyone who works on firewalls knows is BS. My emails have
also been fruitless. 2 case #s and not a single valid response. I have
gotten conflicting responses however... one said it was like that by
design and the other said that I was doing it wrong and needed to call
for support. Nothing but trouble when Support is outsourced. Dell gave
me the same problem until I got to someone in the US. Anyway, enough
rant... I will post results if/when I get them.

jimd...@myrealbox.com (Jim Dawson) wrote in message news:<e1f9bda.04021...@posting.google.com>...

Duane Arnold

Feb 17, 2004, 10:02:31 PM
matt_...@excite.com (Matt Jarvis) wrote in
news:30fce0ad.04021...@posting.google.com:

> I just got off the phone with Linksys support as well and they are
> trying to tell me that this is how it was designed to work. I will
> call again tomorrow to talk to someone in the USA who hopefully will
> accommodate me better. I must say that this is the 2nd RV082 (1st one
> died after firmware update) and 3rd fault in firmware that I have had
> to struggle with. Should have gone with the SonicWall, but way to
> allow my customers to go for the cheaper route! Anyway, I pointed out the
> same discrepancy in the manual and he claimed that it didn't
> invalidate his case. He said that it is supposed to work just like DMZ,
> which anyone who works on firewalls knows is BS. My emails have
> also been fruitless. 2 case #s and not a single valid response. I have
> gotten conflicting responses however... one said it was like that by
> design and the other said that I was doing it wrong and needed to call
> for support. Nothing but trouble when Support is outsourced. Dell gave
> me the same problem until I got to someone in the US. Anyway, enough
> rant... I will post results if/when I get them.
>

IMHO, I think that's how the device works. Port forwarding only allows one
IP/machine to use it. Port Triggering allows multiple IP(s)/machines to use
it but an event must trigger it. Only one IP/machine can be in the DMZ, at
least on the 11S4 router. This one to one NAT looks like multiple IP
(s)/machines can be exposed to the public Internet.

Duane :)

Matt Jarvis

Feb 18, 2004, 10:57:22 PM
I'll tell you why hopefully this isn't a case of opinion. There are 3
reasons why this has to be a bug in the firmware.

1) The manual, as quoted by the parent poster, in the context of the
one-to-one NAT feature reads that access to machines on the LAN is not
allowed unless changed in the access rules. This is currently not the
case. It opens up ALL ports to the LAN machine you are 1-to-1 NATing.
2) Both SonicWall and 3Com (unaware of others) implement it the way it
is described in the manual. It is an extremely useful feature when you
need multiple servers on the same port that can't overlap, i.e.
Terminal Services, pcAnywhere to multiple machines, or whatever.
3) If it were supposed to work the way that it currently (incorrectly)
does, the feature would be useless. Why bother doing the mapping to
that machine at all? Obviously security is an issue or you wouldn't
have bought the firewall, and using the one-to-one NAT as currently
implemented is the equivalent of plugging the computer into a hub in
FRONT of the firewall and assigning it a public IP. Why did I bother
buying a firewall if I just end up going around it? I can have any POS
home gateway do a NAT for my LAN. The problem is that when you do
that, you leave the security up to the computer itself. You have to
deny access to all ports except a few on the network interface that is
connected to the internet. And THAT means that you would need 2
network cards for every computer you wanted to be open to the internet
(assuming you wanted full access to them from your LAN). I don't want
potentially harmful data even getting to the network interface of my
server. That is for the firewall to decide... whether the data is let
in or not. Then I don't have to worry about yet another potential
exploit of a Microsoft Server platform on any other port aside from
the one or 2 that I opened from the firewall. The TCP/IP filtering of
MS Win2k/XP isn't exploitable yet, but you never know.

In any event, I talked to Linksys support today in California and was
able to talk to someone in Tier 2. They needed to get me in touch with
another person in the department, but because it was late, it will be
tomorrow. My support experience has been turned around so far by the
wonderful people in Irvine, CA. They said that since I had my case #
and because the people in (as I now know) the Philippines were so rude
to me on the phone (and dishonest considering the conflicting reports)
that there would definately be some firings. I also learned that the
emails are answered overseas as well, so they will be approximately
just as helpful as their toll-free line. The way I was able to get
anywhere was by calling their toll # in CA at 949-261-1288. A very
friendly operator named Kathy received and took note of my comments
and was able to get me a callback with a support person in CA. Being a
skeptic, to my suprise, they actually did call me back TWICE (first
time i didn't get to the phone on time and they left a message). So
far things look good but I will post again as soon as I talk to a
higher up tomorrow. Sorry again for the long post, but I hope it helps
someone.

Duane Arnold <no...@notme.com> wrote in message news:<Xns9492D60B072DAda...@204.127.199.17>...

Matt Jarvis

Feb 23, 2004, 1:49:57 PM
Just to let everyone know, I just got off the phone with Steve C. at
Linksys support, and he has confirmed with project management that
this is indeed a firmware problem. He said that a firmware update
should be out within the next 30 days or so. Let's keep our fingers
crossed!

Matt

Adam

Mar 2, 2004, 3:20:06 PM
matt_...@excite.com (Matt Jarvis) wrote in message news:<30fce0ad.04022...@posting.google.com>...

I would like to add that I am in the same position and Linksys is
providing me with a beta firmware by the end of the day. I will ask
them if they are willing to allow me to share this beta.

Additionally I would like to add that another problem this unit has is
if you enable the one-to-one NAT feature, you will lose all access to
its internal ip via an IPSEC connection.

I have an IPSEC connection into the RV082 which gives me full access
to my private network and machines. One of my machines is Windows 2003
Web edition. I have enabled Remote Admin (RDP) to the box. I am able
to successfully connect via RDP prior to enabling the one-to-one NAT
but as soon as I map the private to the public IP, I lose all
connectivity to this private IP. Worse, I port scan the public IP and
I can see the RDP service (3389) open but I am unable to get a
response to it when I attempt to connect using the static public
mapping.

Thomas Macauley

Mar 5, 2004, 8:41:11 PM
ape...@yahoo.com (Adam) wrote in message news:<765490ac.04030...@posting.google.com>...

THANKS FOR THE POSTS. I found I have the same issue after reading your posts.
I hope you will also post the solution Linksys offered. Cheers

Adam

Mar 20, 2004, 1:09:00 PM
thomas_...@yahoo.com (Thomas Macauley) wrote in message news:<6fdde0eb.0403...@posting.google.com>...

My apologies for not posting sooner. I did receive the beta firmware
(RV082_1.0.12_040218.rmt) and can confirm at least that the one-to-one
NAT feature honoring the firewall rules is still broken. I have not
yet tested losing connectivity to the private IP once IPSEC'ed in. I
will post a followup this week sometime.

klubar

Mar 29, 2004, 7:18:27 AM

klubar

Mar 29, 2004, 7:22:21 AM

Sorry about the blank reply above.... it's early in the morning.

I think the issue with the RV082 is that creating a port mapping or
1-to-1 NAT adds an invisible rule permitting all access. On my old
SonicWall, adding port mapping or 1-to-1 NAT added an access rule that
was visible.

The way around this problem on the RV082 is to add a rule denying all
on the port that was opened with port mapping. Then add a rule
permitting the particular IP address you want to access the port. Check
to make sure the rules are in the right order! I think the "invisible"
rule is just above the default firewall rules.

Not obvious, but the same thing was true on a SonicWall.

Hope this helps.
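The rule-ordering workaround in the post above is easy to get wrong on a first-match rule list, and (taking Matt's report that 1-to-1 NAT opens ALL ports at face value) a per-port deny only closes the one port. The model below is an added example written for this thread, not Linksys code and not anything posted here; it talks to no router. It assumes the RV082 evaluates Access Rules top-down with the first match winning, that enabling 1-to-1 NAT inserts an invisible allow-all for the mapped host just above the default WAN->LAN deny (klubar's guess), and it uses constructed documentation-range addresses and a constructed mapped host. It shows the hidden rule exposing every probed port, klubar's per-port fix in the right and wrong order, and a host-wide variant that closes the remaining ports.

```python
"""Toy model of a first-match WAN->LAN access-rule list, for reasoning about
the 1-to-1 NAT behaviour discussed in the thread. Added example; not from the
thread, not Linksys firmware. Hidden-rule position and semantics are assumed."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Union

ANY = "any"
ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    action: str                 # ALLOW or DENY
    src: str                    # source network (CIDR) or ANY
    dst: str                    # destination LAN host/network (CIDR) or ANY
    dport: Union[int, str]      # destination port or ANY
    note: str = ""

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.src != ANY and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst != ANY and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dport == ANY or self.dport == dport


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return DENY


# Constructed addresses from the documentation ranges; none come from the thread.
MAPPED_HOST = "192.168.1.10"          # LAN host given a 1-to-1 NAT mapping
ADMIN_NET = "203.0.113.0/24"          # the only source that should reach it
STRANGER = "198.51.100.7"             # any other Internet host
PROBE_PORTS = [445, 3389, 5631]       # SMB, RDP, pcAnywhere: the services named in the thread

# The OP's default policy: deny everything WAN -> LAN (LAN -> WAN is not modelled).
DEFAULT_RULES = [Rule(DENY, ANY, ANY, ANY, "default WAN->LAN deny")]

# Assumption taken from klubar's post: enabling 1-to-1 NAT inserts an invisible
# allow-all for the mapped host immediately above the default rules.
HIDDEN_NAT_RULE = Rule(ALLOW, ANY, f"{MAPPED_HOST}/32", ANY, "invisible 1-to-1 NAT allow")


def after_enabling_nat():
    return [HIDDEN_NAT_RULE] + DEFAULT_RULES


def exposed_ports(rules, dst_ip=MAPPED_HOST, src_ip=STRANGER, ports=PROBE_PORTS):
    """Ports an arbitrary Internet host can reach on dst_ip under this rule list."""
    return [p for p in ports if evaluate(rules, src_ip, dst_ip, p) == ALLOW]


def port_workaround(port=5631, correct_order=True):
    """klubar's per-port fix: deny the port to everyone, permit it to ADMIN_NET.
    On a first-match engine the permit must be listed before the deny, and both
    must sit above the hidden rule. Every other port stays open."""
    permit = Rule(ALLOW, ADMIN_NET, f"{MAPPED_HOST}/32", port, "admin -> pcAnywhere")
    block = Rule(DENY, ANY, f"{MAPPED_HOST}/32", port, "everyone else -> pcAnywhere")
    explicit = [permit, block] if correct_order else [block, permit]
    return explicit + after_enabling_nat()


def host_workaround(port=5631):
    """Host-wide variant: deny everything to the mapped host, permit the one port
    from ADMIN_NET above it. This also closes the ports the hidden rule opened."""
    permit = Rule(ALLOW, ADMIN_NET, f"{MAPPED_HOST}/32", port, "admin -> pcAnywhere")
    block = Rule(DENY, ANY, f"{MAPPED_HOST}/32", ANY, "everyone else -> mapped host")
    return [permit, block] + after_enabling_nat()


if __name__ == "__main__":
    cases = [("1-to-1 NAT only", after_enabling_nat()),
             ("per-port fix, right order", port_workaround()),
             ("per-port fix, wrong order", port_workaround(correct_order=False)),
             ("host-wide fix", host_workaround())]
    for name, rules in cases:
        admin = evaluate(rules, "203.0.113.5", MAPPED_HOST, 5631)
        print(f"{name:27s} stranger can reach {exposed_ports(rules)}; admin->5631: {admin}")
```

Running the model shows why "check the order" matters: with the deny listed first, the admin permit never matches and pcAnywhere is closed to everyone, while the per-port fix in either order still leaves 445 and 3389 reachable through the hidden rule. If the firmware really behaves as described, a deny on the whole mapped host (port any) under the specific permits is the rule set that gets back to "deny WAN->LAN unless a rule says otherwise", which is what the manual promises.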
