Andrew Judge
2003-Mar-24 09:58 UTC
[Shorewall-users] DNAT to another subnet - port forwarding
Hello - I have a question about port forwarding to another subnet.

Please see diagram: http://www.aerobuilders.com/~andyj/network.jpg

I want to port forward VNC to a machine on another subnet. I can get back and forth between the subnets and ping back and forth no problem (even from the firewall). I have done this before, but never had a problem. The only difference now is that the default gateways are different (internet access at both locations is via separate DSL lines).

My rules are as follows for VNC:

    DNAT    net    loc:192.168.101.13    tcp    5900    -    all
    DNAT    net    loc:192.168.101.13    udp    5900    -    all

Version 1.3.14

Best regards,

Andrew Judge
Andrew Judge
2003-Mar-24 11:01 UTC
[Shorewall-users] DNAT to another subnet - port forwarding
Aha, I figured it out. I needed to add both internet gateways to the remote subnet router. That would make sense since it sees my NAT routable address and then tries to respond out the local gateway instead of the source.

Best regards,

Andrew Judge
Grove Networks Inc.

=> -----Original Message-----
=> From: shorewall-users-bounces@lists.shorewall.net
=> [mailto:shorewall-users-bounces@lists.shorewall.net]On Behalf Of Andrew Judge
=> Sent: Monday, March 24, 2003 12:58 PM
=> To: shorewall-users@lists.shorewall.net
=> Subject: [Shorewall-users] DNAT to another subnet - port forwarding
=>
=> Hello - I have a question about port forwarding to another subnet.
=>
=> Please see diagram:
=>
=> http://www.aerobuilders.com/~andyj/network.jpg
=>
=> I want to port forward VNC to a machine on another subnet. I can get back
=> and forth between the subnets and ping back and forth no problem (even from
=> the firewall). I have done this before, but never had a problem. The only
=> difference now is that the default gateways are different (internet access
=> at both locations is via separate DSL lines).
=>
=> My rules are as follows for VNC:
=>
=> DNAT    net    loc:192.168.101.13    tcp    5900    -    all
=> DNAT    net    loc:192.168.101.13    udp    5900    -    all
=>
=> Version 1.3.14
=>
=> Best regards,
=>
=> Andrew Judge
Tom Eastep
2003-Mar-24 11:03 UTC
[Shorewall-users] DNAT to another subnet - port forwarding
On Mon, 24 Mar 2003, Andrew Judge wrote:

> Hello - I have a question about port forwarding to another subnet.
>
> Please see diagram:
>
> http://www.aerobuilders.com/~andyj/network.jpg
>
> I want to port forward VNC to a machine on another subnet. I can get back
> and forth between the subnets and ping back and forth no problem (even from
> the firewall). I have done this before, but never had a problem. The only
> difference now is that the default gateways are different (internet access
> at both locations is via separate DSL lines).
>
> My rules are as follows for VNC:
>
> DNAT    net    loc:192.168.101.13    tcp    5900    -    all
> DNAT    net    loc:192.168.101.13    udp    5900    -    all
>
> Version 1.3.14
>

You will have to SNAT the connections so that the traffic in the outbound direction is routed back through the Shorewall box:

    DNAT    net    loc:192.168.101.13    tcp    5900    -    all:192.168.100.254

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
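The routing problem Tom describes, and the reason Andrew's symptom went away once both gateways were known to the remote router, can be seen in a small model of the two subnets. This is an added example, not code from the thread or from Shorewall; the diagram is unavailable, so every address other than the VNC host (192.168.101.13) and the SNAT address (192.168.100.254) is an assumption, as is the VNC host's routing table.

```python
import ipaddress

# Constructed model of the thread's setup. The diagram is not available, so
# every address except the VNC host (192.168.101.13, from the DNAT rule) and
# the SNAT address (192.168.100.254, from Tom's rule) is an assumption.
FIREWALL_PUBLIC = "198.51.100.10"   # assumed: Shorewall box, Internet side
FIREWALL_LOC = "192.168.100.254"    # SNAT address from Tom's corrected rule
VNC_HOST = "192.168.101.13"         # DNAT target from the rules file
CLIENT = "203.0.113.7"              # assumed: Internet VNC client

# Assumed routing table of the VNC host: its own DSL router is the default
# gateway, and the firewall's subnet is reached via an inter-subnet router.
VNC_HOST_ROUTES = {
    "192.168.101.0/24": "on-link",
    "192.168.100.0/24": "192.168.101.254",  # assumed inter-subnet router
    "0.0.0.0/0": "192.168.101.1",           # assumed second DSL gateway
}


def next_hop(routes, dst):
    """Longest-prefix match, the way the host's kernel picks a route."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(n) for n in routes
               if addr in ipaddress.ip_network(n)]
    return routes[str(max(matches, key=lambda n: n.prefixlen))]


def firewall_nat(src, dst, snat):
    """DNAT the port-forwarded packet; with snat=True also rewrite its source."""
    if dst == FIREWALL_PUBLIC:
        dst = VNC_HOST
        if snat:
            src = FIREWALL_LOC
    return src, dst


def reply_next_hop(snat):
    """Gateway the VNC host uses for its SYN-ACK back to the client."""
    src, _dst = firewall_nat(CLIENT, FIREWALL_PUBLIC, snat)
    # The reply is addressed to whatever source the host saw on the SYN.
    return next_hop(VNC_HOST_ROUTES, src)


def returns_via_firewall(snat):
    """True when the reply re-enters the Shorewall box that holds the NAT state."""
    return reply_next_hop(snat) == VNC_HOST_ROUTES["192.168.100.0/24"]
```

Without SNAT the reply leaves through the second DSL line, which has no NAT state for the connection, so the handshake never completes; with SNAT the VNC host sees 192.168.100.254 as the client, which also means its own logs no longer record the real remote address.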