NEXCOM IFA 1610 User Manual


Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.

IFA 3610/IFA 2610/IFA 1610 User Manual

Chapter 5: The Firewall Menu


The list of the configured rules shows several pieces of information: the ID (#), showing the order in which the rules are matched against the traffic, the Incoming IP address, the service (i.e., port and protocol) to which the traffic is directed, the Policy applied to the traffic, the Translate to address (i.e., the host and port to which the traffic is redirected), a custom Remark, and the available Actions.

When editing a rule, the same form opens as when adding a new rule by clicking on Add a new Port forwarding / Destination NAT rule. A link on the top right of the form allows choosing between a Simple mode and an Advanced mode. The latter also allows fine-tuning the Access from, the policy, and the type of Translate to.

Besides the common options, these other settings can be configured:

Translate to
This part of the form changes depending on the currently active editing mode, simple or advanced. If the mode is set to advanced, besides adding Access from sub-rules, there is an additional Type drop-down menu that allows choosing among different types of translation.

1. IP: the first type, and the only one available in simple mode. Here the destination IP address should be entered, together with the port or port range to forward to and whether or not to apply NAT to the incoming packets.

2. OpenVPN User: choose one OpenVPN user as the destination target for the traffic.

3. Load Balancing: specify a range of IP addresses across which the traffic will be split, to avoid bottlenecks or the overloading of a single IP.

4. Map the network: insert a sub-network to which the incoming traffic is translated.

Note:

The Map network translation statically maps a whole network of addresses onto another network of addresses. This can be useful for companies whose subsidiaries all use the same internal network: in this case all these networks can be connected to each other through network mapping. An example would be:

original network 1: 192.168.0.0/24, mapped network 1: 192.168.1.0/24

original network 2: 192.168.0.0/24, mapped network 2: 192.168.2.0/24

5. L2TP User: choose one L2TP user as the destination target for the traffic.

Except when selecting the Map the network option, it is always possible to define the port or port range to which the traffic should be sent, and whether or not to apply NAT to the traffic. If Do not NAT is chosen, it is not allowed to define a Filter policy under Access From (advanced mode).
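As an added illustration of the Map the network translation described in the note above (example code, not from the NEXCOM manual), the following Python computes the translated address for a host. It assumes a 1:1 mapping that keeps the host bits and requires the two networks to have the same prefix length; the subsidiary table reuses the manual's example networks and is constructed here.

```python
from ipaddress import IPv4Address, IPv4Network


def map_network_address(addr, original, mapped):
    """Statically map one host of `original` onto `mapped`, keeping the host bits.

    Mirrors the 'Map the network' idea: the network part of the address is
    rewritten, the host part is preserved, so every host gets a unique mapped
    address even when two sites use the same internal network.
    """
    addr = IPv4Address(addr)
    original = IPv4Network(original)
    mapped = IPv4Network(mapped)
    # Assumption: a 1:1 network mapping needs equally sized networks.
    if original.prefixlen != mapped.prefixlen:
        raise ValueError("original and mapped networks must share a prefix length")
    if addr not in original:
        raise ValueError(f"{addr} is not inside {original}")
    host_bits = int(addr) & int(original.hostmask)
    return IPv4Address(int(mapped.network_address) | host_bits)


# Constructed table following the manual's note: two subsidiaries that both
# use 192.168.0.0/24 internally, each mapped onto its own distinct network.
SUBSIDIARIES = {
    "subsidiary 1": ("192.168.0.0/24", "192.168.1.0/24"),
    "subsidiary 2": ("192.168.0.0/24", "192.168.2.0/24"),
}


def reach_host(site, internal_host):
    """Address headquarters uses to reach an internal host of `site`."""
    original, mapped = SUBSIDIARIES[site]
    return str(map_network_address(internal_host, original, mapped))


def unmap_host(site, mapped_host):
    """Reverse direction: translate a mapped address back to the real host."""
    original, mapped = SUBSIDIARIES[site]
    return str(map_network_address(mapped_host, mapped, original))


if __name__ == "__main__":
    for site in SUBSIDIARIES:
        print(site, "192.168.0.10 ->", reach_host(site, "192.168.0.10"))
```

The same host address 192.168.0.10 resolves to 192.168.1.10 at subsidiary 1 and 192.168.2.10 at subsidiary 2, which is why both sites can stay on 192.168.0.0/24 yet remain reachable from each other.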

Warning:

When selecting IP, OpenVPN User, L2TP User or Load balancing, keep in mind that port ranges will not be mapped 1 to 1; rather, a round-robin balancing is performed. For example, mapping incoming ports 137:139 to destination ports 137:139 will result in these ports being used randomly: the incoming traffic to port 138 can unpredictably be redirected to 137, 138, or 139. Leave the translation Port/Range field empty to avoid this!

Troubleshooting port-forwarding.
There are mainly two reasons why port-forwarding may not work.

1. The appliance is behind a NAT device.

In this case there is a device, such as a router or another firewall, between the appliance and the Internet, which disallows direct incoming connections. The solution is to configure a port forwarding on that device as well, towards the RED IP of the appliance, if this is possible.

2. The destination server has a wrong default gateway.

The server set as the destination of a port-forwarding rule is configured with a wrong default gateway or none at all. Connections will be directed to the target IP address, but because of the wrong default gateway the return packets will not be routed through the appliance. The solution is to correct the server's gateway.
