Port Forwarding

The port forwarding page is used to forward incoming connection requests to internal network hosts. When using a dial-up external connection, this feature is probably not required, though it will still be available.

Understanding port forwards

Port forwards are used to allow Internet hosts connecting to a particular port to reach a network host in an internal network zone. The connection can be forwarded to any IP address and port. For example, a port forward rule can be used to forward port 80 (HTTP) requests to a web server located in a DMZ. If the web server is located on the internal address 192.168.2.60, a port forward rule could be created to forward all port 80 traffic to 192.168.2.60.

However, it is important to consider the security implications of each newly created port forward. Port forwards allow unknown hosts from the Internet to access a particular internal host. If a cracker manages to break into a host to which traffic is being forwarded, the cracker can potentially gain access to other hosts in your local network.

It is recommended that such rules only forward traffic to an isolated network zone, preferably containing no confidential or security-sensitive network hosts. Use the "Zone bridging" configuration page to create such an isolated network (i.e. a DMZ).

Creating a port forward rule

The following configuration controls are used to create port forward rules:

  • Protocol - Used to set the protocol that is used for this forward rule. Usually it is TCP or UDP, but other options are provided for forwarding more exotic services.
  • External IP - Sets the IP addresses of the external host which is allowed to use this forwarding rule. This can be left blank, which means that any host can utilise the rule. As well as being a single IP address, this can also be an IP address range or a subnet range.
  • Source IP - This is only required if the SmoothHost add-on module is installed. This will set the external IP alias that this rule will apply to. In most cases, this will be left as the IP of the default external IP connection.
  • Destination address - Used to set the IP address of the network host that will receive the forward.
  • Source port - Used to set a single port or port range, specified using an 'A:B' notation (e.g. 1000:1028 covers the range of ports from 1000 to 1028). A list of pre-defined values for commonly used services can be found in the drop-down menu. Note - if the protocol is neither TCP nor UDP, then the port settings are not used.
  • User defined [source port] - Used to define a custom port if "User defined" is selected in the Source port drop-down menu.
  • Destination port - If left blank and the Source port specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target. Note - if the protocol is neither TCP nor UDP, then the port settings are not used.
  • User defined [destination port] - Used to define a custom port if "User defined" is selected in the Destination port drop-down menu.
  • Comment - A text-field used to assign a helpful message describing the port forward rule.
  • Enabled - Determines whether the port forward rule is currently active.

To create a port forward rule, enter appropriate configuration values into each of these controls and click the Add button.
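As an added illustration (not SmoothWall's own code), the following Python models the Source port and Destination port semantics described above: an 'A:B' range, a blank destination port that keeps the incoming port, a single destination port that overrides it, and protocols other than TCP/UDP for which the port settings are ignored. The PortForward class and parse_port_spec helper are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Parse a single port ("80") or an 'A:B' range ("1000:1028") into an inclusive (low, high) pair."""
    spec = spec.strip()
    low, _, high = spec.partition(":")
    low_port = int(low)
    high_port = int(high) if high else low_port
    if not (1 <= low_port <= high_port <= 65535):
        raise ValueError(f"invalid port specification: {spec!r}")
    return low_port, high_port


@dataclass
class PortForward:
    """One row of the port forwarding page (hypothetical model, not SmoothWall's own code)."""
    protocol: str
    source_port: str            # single port or 'A:B' range on the external side
    destination_address: str    # internal host that receives the forward
    destination_port: str = ""  # blank: keep the port the connection arrived on
    comment: str = ""
    enabled: bool = True

    def target_for(self, incoming_port: int) -> Optional[Tuple[str, Optional[int]]]:
        """Return the (host, port) this rule forwards a connection on incoming_port to, or None if it does not match."""
        if not self.enabled:
            return None
        # Port settings are not used for protocols other than TCP and UDP: all
        # traffic of that protocol is forwarded and there is no port to rewrite.
        if self.protocol.upper() not in ("TCP", "UDP"):
            return (self.destination_address, None)
        low, high = parse_port_spec(self.source_port)
        if not low <= incoming_port <= high:
            return None
        if not self.destination_port.strip():
            # Blank destination port: a range forwards 1:1 onto the same ports.
            return (self.destination_address, incoming_port)
        dest_low, dest_high = parse_port_spec(self.destination_port)
        if dest_low != dest_high:
            raise ValueError("destination port must be a single port or left blank")
        return (self.destination_address, dest_low)
```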

Removing a port forward rule

To remove one or more port forward rules, locate each rule within the Current rules list and select their adjacent Mark tick-box controls. Click the Remove button.

Editing a port forward rule

To edit a particular port forward rule, locate it within the Current rules list and select its adjacent Mark tick-box. Click the Edit button to populate the configuration controls in the Add a new rule region with the port forward rule's current configuration values. Alter the configuration values as necessary, and click the Add button.

Note - Failure to click the Add button will result in the loss of the port forward rule.

IP address definitions

Single or multiple IP addresses can be specified in a number of different manners:

  • IP address - An identifier for a single network host, written as quartet of dotted decimal values, e.g. "192.168.10.1"
  • IP address range - Two IP addresses that define an inclusive range of consecutive IP addresses, e.g. "192.168.10.1-192.168.10.40".
  • IP subnet [dotted decimal] - An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. "192.168.10.0/255.255.255.0" defines a subnet range of IP addresses from "192.168.10.0" to "192.168.10.255".
  • IP subnet [network prefix] - An arbitrary IP address and network mask in network prefix notation, e.g. "192.168.10.0/24" defines a subnet range of IP addresses from "192.168.10.0" to "192.168.10.255".
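Added example, not from SmoothWall: a small Python parser for the four address notations above, returning the inclusive first and last address of each form; the same helper can check that a port forward's Destination address falls inside the isolated zone recommended earlier. parse_address_spec and spec_contains are hypothetical helper names.

```python
import ipaddress
from typing import Tuple


def parse_address_spec(spec: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return the inclusive (first, last) address covered by one of the four notations:
    "192.168.10.1", "192.168.10.1-192.168.10.40", "192.168.10.0/255.255.255.0", "192.168.10.0/24"."""
    spec = spec.strip()
    if "-" in spec:
        first_text, last_text = spec.split("-", 1)
        first = ipaddress.IPv4Address(first_text.strip())
        last = ipaddress.IPv4Address(last_text.strip())
        if last < first:
            raise ValueError(f"range end precedes range start: {spec!r}")
        return first, last
    if "/" in spec:
        # IPv4Network accepts both dotted-decimal and prefix-length masks;
        # strict=False allows an arbitrary address (host bits set) with the mask.
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    single = ipaddress.IPv4Address(spec)
    return single, single


def spec_contains(spec: str, address: str) -> bool:
    """True if address lies within the addresses described by spec.
    Used here to confirm a forward's destination sits inside the DMZ zone."""
    first, last = parse_address_spec(spec)
    return first <= ipaddress.IPv4Address(address) <= last


if __name__ == "__main__":
    # Constructed sample: DMZ zone and the web server from the port forwarding example.
    dmz = "192.168.2.0/24"
    print("192.168.2.60 in DMZ:", spec_contains(dmz, "192.168.2.60"))
```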

External Connectivity

The connectivity page is used to create connection profiles for external connections.

Creating a connection profile

To create a connection profile, first choose an empty profile using the Profiles drop-down menu and click the Select button. Enter a name for the profile into the Profile name text-field.

Next, enter the profile's global settings in the "Global settings" region:

  • Method - Used to select the external connection type or method. See the sections below for a description of how the additional settings for each method should be entered.
  • Auto connect on boot - Used to automatically initiate the external connection when the system boots.
  • Custom MTU - Used to enter a custom MTU (Maximum Transmission Unit) value. This should be set to the value recommended by the ISP.

Click the Update button and continue to configure the method-specific settings displayed in the region below the "Global settings" region.

Configuring a static ethernet connection

To configure a static ethernet connection, enter appropriate values for the following configuration controls:

  • Interface - Used to set the external interface for this connection.
  • Default gateway - Used to set the IP address of the default gateway specified by the ISP.
  • Address - Used to specify the static IP address assigned to the connection by the ISP.
  • Netmask - Used to specify the static subnet mask assigned to the connection by the ISP.
  • Primary DNS - Used to set the IP address of the primary DNS server specified by the ISP.
  • Secondary DNS - Used to set the IP address of the secondary DNS server specified by the ISP.

Configuring a DHCP ethernet connection

To configure a DHCP ethernet connection, enter appropriate values for the following configuration controls:

  • Interface - Used to set the external interface for this connection.
  • DHCP Hostname - Used to set the hostname of the ISP's DHCP server.
  • MAC spoof - Used to spoof the MAC address of the interface connecting to the dial device. This is sometimes required in order to get cable modems working.

Configuring a PPP over ethernet connection

To configure a PPP over ethernet connection, enter appropriate values for the following configuration controls:

  • Service name - Required by some ISPs (leave blank if not provided).
  • Concentrator - Required by some ISPs (leave blank if not provided).
  • Interface - Used to set the external interface for this connection.
  • PPP Profile - Used to select the PPP profile for this dial connection.

Configuring a PPTP over ethernet connection

To configure a PPTP over ethernet connection, enter appropriate values for the following configuration controls:

  • Interface - Used to set the external interface for this connection.
  • PPP Profile - Used to select the PPP profile for this dial connection.
  • Address - Used to specify the static IP address assigned to the connection by the ISP.
  • Netmask - Used to specify the static subnet mask assigned to the connection by the ISP.
  • Gateway - Used to specify the IP address of the default gateway specified by your ISP.
  • Telephone - Used to specify the telephone number that should be dialled by this connection.

Configuring an ADSL modem connection

To configure an ADSL modem connection, enter appropriate values for the following configuration controls:

  • Service name - Required by some ISPs (leave blank if not provided).
  • Concentrator - Required by some ISPs (leave blank if not provided).
  • PPP Profile - Used to select the PPP profile for this dial connection.

Configuring an ISDN TA connection

To configure an ISDN TA connection, enter appropriate values for the following configuration controls:

  • PPP Profile - Used to select the PPP profile for this dial connection.
  • Telephone - Used to specify the telephone number that should be dialled by this connection.
  • Channels - Used to specify whether the ISDN is a "Single channel" or "Dual channel" connection, dependent on whether you are using one or two ISDN lines for connectivity.
  • Keep second channel up - Used to force the second channel to remain up, instead of automatically closing once the data rate drops below the threshold.
  • Minimum time to keep second channel up - If you find the second channel is going up and down too quickly, you should lengthen this timeout, or perhaps stop the second channel from going down completely.

Configuring a dial-up modem connection

To configure a dial-up modem connection, enter appropriate values for the following configuration controls:

  • PPP Profile - Used to select the PPP profile for this dial connection.
  • Modem Profile - Used to select the Modem profile for this dial connection.
  • Telephone - Used to specify the telephone number that should be dialled by this connection.

Deleting a connection profile

To delete a connection profile, choose the profile to be deleted from the Profiles drop-down menu and click the Delete button.

PPP Setup

The PPP settings page is used to create PPP profiles that store PPP settings for external connections using dial-up modem devices. Up to 5 profiles can be created to store dial-up details.

Creating a PPP Profile

To create a PPP profile, first choose an empty profile using the Profiles drop-down menu and click the Select button. Enter a name for the profile into the Profile name text-field. Next, enter the global settings configuration values using the following controls:

  • Interface - The serial port the modem is attached to.
  • Computer to modem rating - The connection speed of the modem.
  • Modem speaker on - Determines whether to use the speaker or not.
  • Dialing mode - Determines whether to use tone or pulse dialing.

Next, specify the telephony settings using the following controls:

  • Dial on demand - After enabling Dial on Demand, you still have to click the Connect button on the homepage to initiate the dial connection.
  • Dial on demand for DNS - Used to make the system dial for DNS requests, which is usually what you want.
  • Idle timeout - Used in non-persistent connections, sets a time of inactivity, after which the line will automatically be dropped. Setting this to 0 disables this timeout.
  • Persistent connection - Used to instruct the system to try to redial the line if the link fails for some reason. Use this with caution. If you have metered charges you probably do not want to use this. However, if you have unlimited service time with your ISP, you will probably want to use this in order to keep the link connected as much as possible.
  • Maximum retries - Whether or not Persistent is enabled, if more than the Maximum Retries number of dial attempts fail in a row, the system will give up until you try to dial the link again by pressing the Dial button.

Next, specify the authentication settings using the following controls:

  • Username - The username required by the ISP.
  • Password - The password required by the ISP.
  • Method - There are several ways in which ISPs use this username and password to log in to their systems. The most common methods are PAP or CHAP. Select this if your ISP uses either of those two. If your ISP uses a text-based login script, choose standard login script. For people in the UK who use Demon Internet as their ISP, a special script has been created for them to use. The 'Other' login script option has been provided for people whose ISPs have special requirements. If you need to do this, you will need to log in to the SmoothWall box and create a file in /modules/firewall/etc/ppp. This filename (without the /modules/firewall/etc/ppp component) should be entered into the Script name box. The file contains 'expect send' pairs, separated by a tab.
  • Script name - Used when "Other login script" is selected in Method.

Next, specify the DNS settings using the following controls:

  • Manual - Select this if your ISP does not support automatic DNS server configuration.
  • Automatic - Select this if your ISP supports automatic DNS server configuration.
  • Primary DNS - Used to set the IP address of your ISP's primary DNS server.
  • Secondary DNS - Used to set the IP address of your ISP's secondary DNS server.

Click the Save button to save the settings. If there are any errors, an error message will be displayed at the top of the page. Clicking the Restore button will reload the old settings.

Deleting a PPP Profile

To delete a PPP Profile, choose the profile to be deleted from the Profiles drop-down menu and click the Delete button.

Restoring a PPP Profile

To restore a partially altered PPP Profile, click the Restore button. The profile's configuration values will be restored to those that are currently saved.

Viewing a PPP profile

To view a PPP Profile, choose the profile to be viewed from the Profiles drop-down menu and click the Select button.

Application Helpers

The application helpers page is used to enable or disable NATing helper modules for protocols like IRC, FTP, etc. A reboot is required after changing these settings.

Enabling application helpers

The following application helpers are available:

  • FTP - IP information is embedded within FTP traffic - this helper application ensures that FTP communication is not adversely affected by the firewall's NATing process.
  • IRC - IP information is embedded within IRC traffic - this helper application ensures that IRC communication is not adversely affected by the firewall's NATing process.
  • Enable advanced PPTP client support - When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Note - when this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
  • Enable H323 passthrough support - When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.