Sunday, 27 August 2017

ubuntu - Two routers with NAT in series, how to forward a port?


First of all I am a newbie at networking.


I have 2 PCs in two different networks. I'm trying to establish a connection between them.



  • First I obtained public IP of PC1 network: wget http://ipinfo.io/ip -qO –. The result was a.b.c.d.

  • On PC1 I use netcat to listen on a port nc -l -v 5555.

  • On PC2 I try to connect with nc a.b.c.d 5555. The result is I cannot connect.


I have no firewall and port forwarding is enabled in my router configuration:


router configuration


I made another test with a dedicated website:


testing the port


What did I do wrong here?




Update 1.


It was pointed out in comments/discussion that there is probably another router that does NAT (network address translation). I was asked to check the WAN IP address of my router. Here's the status:


WAN status of the router


The IP is different than the public IP I have discovered earlier. What to do now?




Update 2.


I managed to get to the other (outer) router config. This one has proper public IP on its WAN interface (a.b.c.d). I added a port forwarding rule. It points to my (inner) router local IP (192.168.9.1).


port forwarding on outermost router


Still my connection with nc doesn't work. What is wrong?



Answer



When your router does NAT, it has different IPs on its WAN and LAN interfaces. The same applies to the outer router in your setup. It looks like this (all the numbers are actual IPs taken from your screenshots):


Internet
|
WAN IP: a.b.c.d
outer router
LAN IP: 192.168.1.254
|
WAN IP: 192.168.1.100
inner router
LAN IP: 192.168.9.1
|
PC1 with IP 192.168.9.100

Your inner router is seen as 192.168.9.1 by your PC1 but the outer router can reach the inner one only by 192.168.1.100 address.


Solution: reconfigure the outer router to forward the port to 192.168.1.100 (not 192.168.9.1). Port forwarding on the inner router seems to be OK.




There is also an improvement you can make. It is common that home router offers dynamic IP addresses via DHCP and the pool starts with 192.168.???.100 (it can be changed, this is just a common default value). IP addresses of your PC1 and inner router (its WAN interface) end with 100. I think they were obtained via DHCP from respective dynamic pools. Your screenshot (update 1) tells this without doubt: "Dynamic IP".


With dynamic IPs it is possible any of these addresses will change in the future without any warning. In that case your port forwarding rule (one or the other, or both) will need to be adjusted to point to the new address.


To avoid this you should assign static IP to your inner router WAN interface (you should be able to do it in the outer router config, then reboot the inner one) and to your PC1 (in the inner router config, then reboot PC1). The setup may look like this (example):


Internet
|
WAN IP: a.b.c.d
outer router
LAN IP: 192.168.1.254
|
WAN IP: 192.168.1.5 (static, cannot change by itself)
inner router
LAN IP: 192.168.9.1
|
PC1 with IP 192.168.9.2 (static, cannot change by itself)

If you decide to set static addresses then you should reconfigure port forwarding rules accordingly. You may stick to your current settings, just keep in mind that your forwarding rules will not work if any dynamic address changes.


No comments:

Post a Comment

Where does Skype save my contact's avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...