I have an Edgerouter X that, because the client has copper ADSL into the premises, needs to have a Huawei router in the mix. Unfortunately I can't just bridge the router as he has VOIP dependant on this router.
Premises are two houses next door to each pother owned by the same person and has CAT 6 cable between them, one is a holiday house he rents out so needs to be seperate subnet
The Huwaei Router is set to 192.168.10.1 with dmz forwarded to the ERX through ETH0 (have also tried to forward individual ports to ERX)
ERX is 192.168.1.1 which is the main subnet for clients house of 192.169.1.x (eth1)
Second subnet is 192.168.2.x (eth2)
There are 4 ports I need to forward to a device on the 192.168.2.x subnet (808,8000,554 and 443)
And one port (2601) to a device on the 192.168.1.x subnet
Have setup DDNS for client for his WAN address.
Have setup mutltiple times but cannot get to devices from the WAN (fine inside LAN)
Any help appreciated, config below
firewall {
all-ping enable
broadcast-ping disable
group {
address-group NVR {
address 192.168.2.115
description "Camera Group"
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name NVR {
default-action accept
description Camera
rule 1 {
action accept
description Camera808
destination {
group {
address-group NVR
}
}
log disable
protocol tcp
}
rule 2 {
action accept
description Camera8000
destination {
address 192.168.2.115
port 8000
}
log disable
protocol tcp
source {
group {
address-group ADDRv4_eth0
}
}
}
}
name WAN_IN {
default-action drop
description "packets from Internet to LAN & WLAN"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 3 {
action accept
description Alarm
destination {
address 192.168.1.3
port 2601
}
log disable
protocol tcp
source {
address 192.168.10.1
group {
}
port 2601
}
state {
established enable
invalid disable
new enable
related enable
}
}
}
name WAN_LOCAL {
default-action drop
description "packets from Internet to the router"
enable-default-log
rule 1 {
action accept
description "allow established session to the router"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log enable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 3 {
action accept
description Alarm
destination {
address 192.168.1.3
port 2601
}
log disable
protocol tcp
source {
address 192.168.10.1
port 2601
}
state {
established enable
invalid disable
new enable
related enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name NVR
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.1.1/24
description LAN
duplex auto
speed auto
}
ethernet eth2 {
address 192.168.2.1/24
description LAN2
duplex auto
speed auto
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth2
lan-interface eth1
rule 1 {
description NVR808
forward-to {
address 192.168.2.115
port 808
}
original-port 808
protocol tcp
}
rule 2 {
description NVR554
forward-to {
address 192.168.2.115
port 554
}
original-port 554
protocol tcp
}
rule 3 {
description NVR443
forward-to {
address 192.168.2.115
port https
}
original-port https
protocol tcp
}
rule 4 {
description NVR8000
forward-to {
address 192.168.2.115
port 8000
}
original-port 8000
protocol tcp
}
rule 5 {
description Alarm24
forward-to {
address 192.168.1.3
port 2601
}
original-port 2601
protocol tcp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative disable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.2 {
stop 192.168.1.254
}
static-mapping Adams-Air {
{ A FEW STATIC MAPS HERE)
}
}
}
shared-network-name LAN2 {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
start 192.168.2.100 {
stop 192.168.2.150
}
static-mapping Camera {
ip-address 192.168.2.115
mac-address bc:ad:28:a0:38:32
}
static-mapping Unifi1 {
ip-address 192.168.2.101
mac-address 80:2a:a8:40:48:a2
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on eth2
}
}
gui {
https-port 443
}
nat {
rule 1 {
description NVR
destination {
address 192.168.2.115
port 808
}
inbound-interface eth0
inside-address {
address 192.168.10.1
port 808
}
log enable
protocol tcp_udp
source {
group {
address-group ADDRv4_eth0
}
}
type destination
}
rule 5000 {
description "masquerade for WAN"
log disable
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
upnp {
listen-on eth1 {
outbound-interface eth0
}
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
gateway-address 192.168.10.1
host-name TheBeachHouse
login {
user (REMOVED) {
authentication {
encrypted-password (REMOVED)
plaintext-password ""
}
level admin
}
user ubnt {
authentication {
encrypted-password (REMOVED)
plaintext-password ""
}
full-name ""
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Australia/Sydney
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.1.4821926.151103.1114 */