Port Forwarding between routers?

lollysticky

My network setup:
[image: xPsvNaQ.png, network diagram]

I am owner of part of the network (it's a building with several tenants), but I have admin access to router1.

My problem:
I want to set up a webserver attached to my switch. This would require all incoming internet traffic to be redirected from router1 to router2 and then to the webserver.

This link between router1 and router2 is somehow hard to establish. The routers only allow you to enter IP ranges within their specific subnetwork (router1 -> 192.168.0.*; router2 -> 192.168.2.*).

So how do I redirect router1 traffic (192.168.0.1) to router2 (192.168.2.1)?
Does router2 have a dual IP address or something so I can target it?
 
Router 2 will have an IP address on the 192.168.0/24 network as well - it will be its "Internet" or "WAN" address.

I assume the owner of the internet service and all other users are OK with you taking over Port 80? And the ISP allows it? And it has a static IP?
 
you have to port forward from the 1st router to the 2nd router's WAN IP.
Then port forward from the 2nd router to the server's IP.

That's assuming it's hooked up in a double-NAT situation.
Even then, though, it may not work properly. Double-NAT can cause issues.
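The two-stage forward described in this reply, modelled as an added example that is not part of the original thread: it walks an inbound connection through each router's forward table and reports the hop where it stops. The public address, the server address 192.168.2.50 and the `trace` helper are assumptions made for illustration; only 192.168.0.135 and the two subnets come from the thread.

```python
import ipaddress

# Constructed model of the thread's layout. 192.168.0.135 is the router2 WAN
# address the poster found; the public address (203.0.113.10, documentation
# range) and the server address 192.168.2.50 are assumptions.
ROUTERS = {
    "router1": {"wan": "203.0.113.10", "lan": "192.168.0.0/24"},
    "router2": {"wan": "192.168.0.135", "lan": "192.168.2.0/24"},
}
SERVER = "192.168.2.50"
HOSTS = {SERVER: {80}}  # end hosts and the TCP ports they listen on

def trace(forwards, dst, hosts=HOSTS, max_hops=4):
    """Follow an inbound connection through each router's forward table.

    forwards: {router: {wan_port: (target_ip, target_port)}}
    Returns (outcome, hops), where hops lists every (ip, port) reached.
    """
    hops = [dst]
    for _ in range(max_hops):
        ip, port = dst
        router = next((n for n, r in ROUTERS.items() if r["wan"] == ip), None)
        if router is None:  # not a router WAN address, so it is an end host
            ok = port in hosts.get(ip, ())
            return ("delivered" if ok else f"no listener on {ip}:{port}"), hops
        rule = forwards.get(router, {}).get(port)
        if rule is None:
            return f"blocked at {router}: no forward for port {port}", hops
        lan = ipaddress.ip_network(ROUTERS[router]["lan"])
        if ipaddress.ip_address(rule[0]) not in lan:
            # The routers in the thread only accept targets in their own subnet.
            return f"blocked at {router}: {rule[0]} is outside {lan}", hops
        dst = rule
        hops.append(dst)
    return "forwarding loop", hops

PUBLIC = (ROUTERS["router1"]["wan"], 80)
CHAINED = {"router1": {80: ("192.168.0.135", 80)}, "router2": {80: (SERVER, 80)}}
DIRECT = {"router1": {80: (SERVER, 80)}}             # skips router2's WAN
HALF = {"router1": {80: ("192.168.0.135", 80)}}      # router2 rule missing

if __name__ == "__main__":
    for name, table in (("chained", CHAINED), ("direct", DIRECT), ("half", HALF)):
        print(name, *trace(table, PUBLIC))
```

Only the chained table delivers the connection; the other two stop at the router whose rule is wrong or missing, which is the hop to inspect first.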
 
Router 2 will have an IP address on the 192.168.0/24 network as well - it will be its "Internet" or "WAN" address.

I figured as much but I couldn't locate it :p
I found an IP address 192.168.0.135 on router2 ... I'll try this.

I assume the owner of the internet service and all other users are OK with you taking over Port 80? And the ISP allows it? And it has a static IP?

1) the other people are fine with it :)
2) why wouldn't the ISP allow it? :p
3) it has a dynamic ip, but that shouldn't be a problem as I'll be using dyndns (which can be enabled in the router)
 
2) why wouldn't the ISP allow it? :p

because a lot of ISPs' TOS explicitly state you are not allowed to run a server on their internet connection. Along with this, some of them block the common ports for people that do try to run these services from their connections.
most common with home/personal accounts, but there are probably some business accounts that have similar TOS
 
because a lot of ISPs' TOS explicitly state you are not allowed to run a server on their internet connection. Along with this, some of them block the common ports for people that do try to run these services from their connections.
most common with home/personal accounts, but there are probably some business accounts that have similar TOS

didn't know that, but that isn't the issue here. I have run other webservers myself (but in easier network setups :p) and the ISP TOS does not state you cannot run a webserver yourself.

-> I set up everything now properly with port forwarding, but the magic still isn't happening. Is there a tool to trace an HTTP request so I can see where it gets blocked (router1, router2)? I disabled all my firewalls to be safe but still to no avail :(
 
because a lot of ISPs' TOS explicitly state you are not allowed to run a server on their internet connection. Along with this, some of them block the common ports for people that do try to run these services from their connections.
most common with home/personal accounts, but there are probably some business accounts that have similar TOS

A lot of ISPs will block incoming port 80 on consumer-grade connections.

If you're just setting up for your own use (as I assume you are since you're content to use DynDNS) just use a non-standard port.
 
Is there a tool to trace an HTTP request so I can see where it gets blocked (router1, router2)? I disabled all my firewalls to be safe but still to no avail :(


Wireshark.

It'd be so much easier to disable all the Routing/NAT/DHCP/DNS services of the wireless router and just turn it into a dummy AP connected to Switch 1.
 
Wireshark.

It'd be so much easier to disable all the Routing/NAT/DHCP/DNS services of the wireless router and just turn it into a dummy AP connected to Switch 1.

believe me when I say I tried this :D
but for some reason router1 doesn't seem to be able to handle all the devices (it continuously shuts down :/)
I might give it another try if I can't figure this out.
 
you have to port forward from the 1st router to the 2nd router's WAN IP.
Then port forward from the 2nd router to the server's IP.

That's assuming it's hooked up in a double-NAT situation.
Even then, though, it may not work properly. Double-NAT can cause issues.



Wouldn't you forward Router 1 to Router 2's interface and not the Server?

This little guide might be of assistance to OP.


http://portforward.com/help/doublerouterportforwarding.htm

Can't say for sure though since it's been a long time since I've had to port forward behind two NAT'ed devices lol. Not fun.
 
OK, I redesigned the network and now router2 is just a wireless AP, all devices are now on the router1 network.

All ports forwarded and firewall set up. But I still end up with this (router1 logs)
Tuesday February 26, 2013 21:49:37 Unrecognized attempt blocked from *.*.*.*:80 to *.*.*.* TCP:59319
When using online port checker tools, my port 80 is labeled as 'closed' ...
I even tried opening up other ports (f.e. 8080) but this also stays closed.

I then went googling, and found another guy who apparently ran into the same stuff I've been experiencing. Conclusion: the entire setup of firewall + port forwarding sucks donkehballs on this piece of hardware :)

The feature set looked great, setup was simple, and the download speeds were the same as those of the Linksys. Then came the sadness. I then tried to access a web-server I was running from home behind the firewall on port 8080. The "virtual server" settings were easy enough to configure, and in a few minutes I was able to access my web-server from outside the firewall. HOWEVER, many of my pages were hanging, or only loading part of the content. I flashed the router with the latest firmware. No luck. I then turned on the debugging and dropped-packets options on the DI-604's logging screen (nice feature), and found that I was repeatedly getting an error saying that the "do_nat[1] buffer was too small". I also noticed that the router was dropping packets from the LAN to the WAN on port 8080, which was weird since some pages being served on 8080 weren't having any problems. I then set the port for the web-server in DMZ mode as a sanity check, and the pages then worked, but were VERY slow. I tried adding new IP filtering rules to open up the router, but nothing worked. So then I called D-Link's 24/7 tech hotline. The wait was short and I had high hopes, however, I was promptly told that the "virtual server" options on the router were an "unsupported feature" and that there was nothing he could do to help me.

link: amazon review
 
Not to be a dick, but I just want to draw attention to the fact that your network is being run off a router that is currently selling for $1.69 on Amazon.

......$1.69
That's like a third of a Starbucks Latte.


But in seriousness, I ran a DI-604 for a long time (then a DI-614 for a while) at home and never had trouble with the port forwarding.
 
Not to be a dick, but I just want to draw attention to the fact that your network is being run off a router that is currently selling for $1.69 on Amazon.

......$1.69
That's like a third of a Starbucks Latte. Maybe it's time to upgrade.

If you checked the network graph, you'd know that router1 is not my property :)
and it's indeed very old :/
 
can you post a screenshot of your port settings webpage?

The reviewer's problem seems to be different from yours. He could connect to his webserver, but it was flaky; your router seems to be flat out denying the request.

what port will your webserver be accepting http requests, port 80?
 
Double NAT sucks, and you have to hope the first router has either a static IP address, or some sort of Dynamic DNS.
 
can you post a screenshot of your port settings webpage?

The reviewer's problem seems to be different from yours. He could connect to his webserver, but it was flaky; your router seems to be flat out denying the request.

what port will your webserver be accepting http requests, port 80?

[image: AloGLnf.png, screenshot of the router's port settings page]

Upper part is the port forwarding setup
Bottom part is the firewall rules (which are automatically generated from the forwarding setup rules)
The example shown above now shows port 8080, but it's the same for port 80 as well :)
 
someone else mentioned it, but can you install wireshark or some packet sniffing software on the webserver?

I want to know if the webserver is receiving any packets at all, and maybe the router is blocking the outgoing packets, or if the webserver is getting nothing.

Also, excuse me if this is insulting in any way, and also excuse me if you've already mentioned it, I can't see it anywhere.

1) Can you connect to the web from the webserver? (can you visit websites for example on the webserver)
2) Can your internal computers on the same network see the webserver and open the website you are attempting to host?
 
You guys should chip in together, get one Cisco router for ~$1000 and vlan it out and you don't have to worry about all this mess. That would be the best option.

http://www.cablesandkits.com/cisco-891-gigabit-ethernet-security-router-cisco891k9-new-p-5772.html

Just an example.


EDIT: Actually, if you want Web Server access too, get an ASA and you can share the DMZ. And sub VLAN out the interfaces.
http://www.cablesandkits.com/cisco-asa5505-security-firewall-bundle-asa5505secbunk9-new-p-4825.html
 
You guys should chip in together, get one Cisco router for ~$1000 and vlan it out and you don't have to worry about all this mess. That would be the best option.

http://www.cablesandkits.com/cisco-891-gigabit-ethernet-security-router-cisco891k9-new-p-5772.html

Just an example.


EDIT: Actually, if you want Web Server access too, get an ASA and you can share the DMZ. And sub VLAN out the interfaces.
http://www.cablesandkits.com/cisco-asa5505-security-firewall-bundle-asa5505secbunk9-new-p-4825.html

The Cisco world always amuses me.

You could always just do everything either of those Cisco will do, for free on some ancient desktop (seriously, run pfSense on a Pentium II , it'll be fine) with 2 NICs using one of many "canned" linux/bsd based routers.
 
someone else mentioned it, but can you install wireshark or some packet sniffing software on the webserver?

I want to know if the webserver is receiving any packets at all, and maybe the router is blocking the outgoing packets, or if the webserver is getting nothing.

Also, excuse me if this is insulting in any way, and also excuse me if you've already mentioned it, I can't see it anywhere.

1) Can you connect to the web from the webserver? (can you visit websites for example on the webserver)
2) Can your internal computers on the same network see the webserver and open the website you are attempting to host?

no packets get to the webserver, they're all blocked by the router. None of the ports I open up and forward, actually seem to be open to the outside world.

to answer your other questions
1) yes
2) yes, I can access it through http://192.168.0.132 from all my computers

also, I'm going to try and temporarily replace the router by my wireless access point (after reverting it back to router status obviously) to see if that solves it :)
If that works, I'm gonna have the landlord buy a new one :/
 