Simple Port Forwarding / ACL Question

Similar Messages

• Simple Port Forwarding - SRW2016, SRW2024, SRW2048

  Does anyone have a guide for simple port forwarding on the SRW2016-48 series?
  Thanks

  What "ports" do you want to forward? What do you mean with "port forwarding"? Please explain what you want to do!

• Home Hub 3 Port Forwarding Issue - Question to BT

  Question to BT
  Hello i have recently joined BT Infinity and have hit the issue of the Port Forwarding not working. My HH3 is on the following version of software. Will this version automatically upgrade to the latest version of firmware and will this fix my port forwarding issue?
  As i work in IT (Cisco Network Eng) i need to be able to access several devices/services at home and this is a real pain for me. If you think that this could drag on as some posts have indicated could you please let me know and i will either get a draytek or throw in a cisco 1841.
  Thank you
  Dean.
  Current firmware:
  V100R001C01B031SP09_L_B
  Last updated:
  Unknown

  requiem wrote:
  Question to BT
  Hello i have recently joined BT Infinity and have hit the issue of the Port Forwarding not working. My HH3 is on the following version of software. Will this version automatically upgrade to the latest version of firmware and will this fix my port forwarding issue?.........
  Thank you
  Dean.
  Current firmware:
  V100R001C01B031SP09_L_B
  Last updated:
  Unknown
  Hi Dean
  By the look of it you've got the type B version of the HH3 with current firmware.
  From http://bt.custhelp.com/app/answers/detail/a_id/13073
  The latest versions of the firmware are:
  BT Home Hub 3 – Software version 4.7.5.1.83.8.57.1.3 (Type A) or V100R001C01B031SP09_L_B
  Please Click On any Text in Blue as that automatically links to information.
  PC (NDEGR)

• Rv120w and simple port forwarding.

  Hi
  I just got a new rv120w and want to set it up, like my old router.
  I have a webserver that people around the world, should be able to visit, but I can't figure whats wrong.
  You can see my settings in port forwarding here.
  Can anyone help me out here ?
  Regards Steen

  Hi
  Thats a little strange :
  The access rule was created automatic.When I deleted it, the port forwarding also was deleted. I created the port forwarding again, the access rule came again (with the same settings as before) and now it is working from the internet.
  But not from the lan side.
  Hmmmm ?

• Newbie: simple port forwarding

  I want to add surveillance camera to my office. I have configured the ip webcam on the LAN and wanting to know how to configure the OS X server to point to the webcam. The server is the internet gateway.
  Thanks,
  Jon

  There's no GUI interface for setting up port forwarding when your Mac is the router/gateway.
  If possible I'd set this up at your router, where the router performs NAT for the network, rather than your Mac (almost by definition if your Mac is acting as the gateway then it has a public-facing interface, which I rarely recommend).
  In addition to that, the specifics on which port(s) to forward will depend on the camera. Some cameras implement a web-based interface, so you might need port 80. Others may use different ports (and even cameras that use a web interface may use a different port).
  One other consideration would be a tool such as Security Spy - it's software designed to interact and manage multiple cameras, including features like time lapse recording, motion detection, remote notifications, and more. If this were running on your gateway then you wouldn't need to deal with port forwarding to the camera directly.

• Help needed please (Port forwarding/Firewall Question)

  So im hooked up thru my router so if I want to play a game I have to port forward so im told.
  Ok, I im at my port forwarding menu and its asking for the following info...some of this info I know and some I have no idea what it means or where I can get it from. Heres the parts im asked to enter that I have no idea what to enter......
  Source IP Address:
  Destination IP Address
  Source Netmask:
  Destination Port Map
  Where do I find out these things!?...Im a COMPLETE novice when it comes to routers and im so confused.

  Hello,
  Unfortunately, that information is going to have to come from the people who are providing you the online game.
  The settings you need are going to depend on what their program requires, and how they communicate with your computer.
  All of this is different for each service you are trying to use.
  Here are some articles to get you familiarized with the concept though:
  http://en.wikipedia.org/wiki/Port_forwarding
  http://forums.furthurnet.org/viewtopic.php?p=3821
  http://www.boutell.com/newfaq/creating/forwardports.html
  http://panasonic.co.jp/pcc/products/en/netwkcam/technic/port_fwrd.html
  http://p2p.weblogsinc.com/2005/04/24/how-to-configure-your-router-to-allow-fast- bittorrent-downloads/
  While they all discuss doing it with different routers, the principals and ideas are the same.
  But, the actual configuration is going to depend on the specific needs of the service you are trying to use (the particular online game).
  I hope this helps.

• Simple Port Forwarding Question

  Sorry if this has been asked and answered many times before but I I've been at this for hours and I'm getting nowhere.
  We have a Cisco 861 router.  I've taken over the IT responsibilities from someone else and I'm just trying to forward TCP/UDP ports 5899 and 9010 to our server.  I can access the server using Remote Desktop so I can see the previous IT person has gotten that far.  Below is the output of our "Running Configuration".
  I can see the line "ip port-map user-protocol--4 port tcp 3389"  but I can't figure out how to add my own 5899 and 9010 lines.
  I'm using the Cisco Configuration Professional UI but I don't have a problem using the command line interface if I'm sure I have the right commands to input.  I started adding an extended rule using the ACL Editor in CCP but I'm afraid to deliver the changes to the router because it doesn't look anything like the "ip port-map user-protocol--4 port tcp 3389" line.
  Here is the information generated from the ACL editor (again, I haven't delivered it to the router):
  ip access-list extended user-protocol--05
  remark Radmin5899
  remark CCP_ACL Category=1
  remark Radmin5899
  permit tcp any host 10.10.10.10 eq 5899
  exit
  I don't think the ACL output is correct because I don't see the public IP.
  How do I create a cusom ip port-map like the ones listed in the "Running Configuration"?
  Any help would be greatly appreciated.
  Kevin G
  Running Configuration:
  Building configuration...
  Current configuration : 10177 bytes
  ! Last configuration change at 09:45:33 PCTime Fri Feb 21 2014 by admin
  version 15.0
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname Summit
  boot-start-marker
  boot-end-marker
  logging buffered 51200
  logging console critical
  enable secret 5 $1$q6Ct$Wo7VDTQAbAL7BjYEvSXvJ/
  no aaa new-model
  memory-size iomem 10
  clock timezone PCTime -5
  clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
  crypto pki trustpoint TP-self-signed-1582036946
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1582036946
  revocation-check none
  rsakeypair TP-self-signed-1582036946
  crypto pki certificate chain TP-self-signed-1582036946
  certificate self-signed 01
    30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31353832 30333639 3436301E 170D3933 30333031 30303030
    34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35383230
    33363934 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100A98F 75C0DEE6 FA35B0D2 3F42C711 3E622144 312E5DEC 8A721820 1E25EDCB
    A8F10958 4DE48A8D AF5C0297 92526567 DCCCECC8 165C7A66 9CFF76C1 E8083FE2
    807FD489 4A8EEF92 5528F079 F069690E 3F3A269B 4D948A32 E9F556B0 5AE8DC1A
    9F753D60 58E0A298 1D1045C2 641D5976 E857FAE8 C853CF31 24356154 828F98E2
    913D0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
    551D1104 15301382 1153756D 6D69742E 73706D63 2E6C6F63 616C301F 0603551D
    23041830 16801436 F9B786F7 EB0AE78E DE16D0D8 EED4E8D5 E4679830 1D060355
    1D0E0416 041436F9 B786F7EB 0AE78EDE 16D0D8EE D4E8D5E4 6798300D 06092A86
    4886F70D 01010405 00038181 007B2A5E E5180062 70FD14E5 A1B9C29D C20C99D4
    5897D077 B4F4250E 6788CF79 4640E214 C112724B 7EB04A9D 0754956E 2D5AF34A
    0C1D1A6E 86AC0E07 FFFBEC66 B8DA4E35 E05B2AA9 F8FD084C A23A2E21 A92C409E
    9AA9C45A F2B406BC E123869A 2989FBDD 65E96A95 8D6CB6C9 BAF33F75 19999CB3
    4F8613BB 40251384 2D30F8A1 82
     quit
  no ip source-route
  ip port-map user-protocol--2 port tcp 100
  ip port-map user-protocol--1 port tcp 101
  ip port-map user-protocol--4 port tcp 3389
  ip dhcp excluded-address 10.10.10.1 10.10.10.100
  ip dhcp pool spmcpool
     network 10.10.10.0 255.255.255.0
     domain-name spmc.local
     dns-server 10.10.10.10 8.8.8.8
     default-router 10.10.10.1
  ip cef
  no ip bootp server
  no ip domain lookup
  ip domain name spmc.local
  license udi pid CISCO861-K9 sn FTX1446810J
  username admin privilege 15 secret 5 $1$W2UZ$IvcuhFV2mkG0u/RI.XwUN0
  username spmc privilege 15 secret 5 $1$P88u$ZEG5RuEVxxAaTXW3BQ1q3/
  ip tcp synwait-time 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  class-map type inspect match-any SDM_BOOTPC
  match access-group name SDM_BOOTPC
  class-map type inspect match-all sdm-nat-user-protocol--4-1
  match access-group 102
  match protocol user-protocol--4
  class-map type inspect match-all sdm-nat-user-protocol--2-1
  match access-group 104
  match protocol user-protocol--2
  class-map type inspect match-all sdm-nat-http-1
  match access-group 102
  match protocol http
  class-map type inspect match-all sdm-nat-user-protocol--1-2
  match access-group 103
  match protocol user-protocol--1
  class-map type inspect match-all sdm-nat-user-protocol--1-1
  match access-group 102
  class-map type inspect match-any SDM_DHCP_CLIENT_PT
  match class-map SDM_BOOTPC
  class-map type inspect match-all sdm-nat-smtp-1
  match access-group 102
  match protocol smtp
  class-map type inspect match-any sdm-cls-bootps
  match protocol bootps
  class-map type inspect match-any ccp-cls-insp-traffic
  match protocol cuseeme
  match protocol dns
  match protocol ftp
  match protocol h323
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp
  class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic
  class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  class-map type inspect match-all ccp-icmp-access
  match class-map ccp-cls-icmp-access
  class-map type inspect match-all ccp-invalid-src
  match access-group 100
  class-map type inspect match-all sdm-nat-https-1
  match access-group 102
  match protocol https
  class-map type inspect match-all ccp-protocol-http
  match protocol http
  policy-map type inspect ccp-permit-icmpreply
  class type inspect sdm-cls-bootps
    pass
  class type inspect ccp-icmp-access
    inspect
  class class-default
    pass
  policy-map type inspect sdm-pol-NATOutsideToInside-1
  class type inspect sdm-nat-http-1
    inspect
  class type inspect sdm-nat-smtp-1
    inspect
  class type inspect sdm-nat-user-protocol--4-1
    inspect
  class type inspect sdm-nat-https-1
    inspect
  class type inspect sdm-nat-user-protocol--1-2
    inspect
  class type inspect sdm-nat-user-protocol--2-1
    inspect
  class class-default
    drop
  policy-map type inspect ccp-inspect
  class type inspect ccp-invalid-src
    drop log
  class type inspect ccp-protocol-http
    inspect
  class type inspect ccp-insp-traffic
    inspect
  class class-default
    drop
  policy-map type inspect ccp-permit
  class type inspect SDM_DHCP_CLIENT_PT
    pass
  class class-default
    drop
  zone security out-zone
  zone security in-zone
  zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply
  zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
  zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit
  zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
  service-policy type inspect sdm-pol-NATOutsideToInside-1
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  description Internet$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
  ip address 66.x.x.x 255.255.255.248
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip flow egress
  ip nat outside
  ip virtual-reassembly
  zone-member security out-zone
  duplex auto
  speed auto
  interface Vlan1
  description LAN$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 10.10.10.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly
  zone-member security in-zone
  ip tcp adjust-mss 1452
  ip default-gateway 66.x.x.x
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip flow-top-talkers
  top 20
  sort-by bytes
  ip nat inside source list 3 interface FastEthernet4 overload
  ip nat inside source static tcp 10.10.10.100 100 66.x.x.x 100 extendable
  ip nat inside source static tcp 10.10.10.101 101 66.x.x.x 101 extendable
  ip nat inside source static tcp 10.10.10.10 25 66.x.x.x 25 extendable
  ip nat inside source static tcp 10.10.10.10 80 66.x.x.x 80 extendable
  ip nat inside source static tcp 10.10.10.10 443 66.x.x.x 443 extendable
  ip nat inside source static tcp 10.10.10.10 3389 66.x.x.x 3389 extendable
  ip nat inside source static tcp 10.10.10.10 5899 66.x.x.x 5899 extendable
  ip nat inside source static tcp 10.10.10.10 9010 66.x.x.x 9010 extendable
  ip nat inside source static udp 10.10.10.10 9010 66.x.x.x 9010 extendable
  ip nat inside source static 10.10.10.10 66.x.x.x
  ip route 0.0.0.0 0.0.0.0 FastEthernet4 66.x.x.x
  ip access-list extended SDM_BOOTPC
  remark CCP_ACL Category=0
  permit udp any any eq bootpc
  logging trap debugging
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 10.10.10.0 0.0.0.255
  access-list 2 remark CCP_ACL Category=2
  access-list 2 permit 10.10.10.0 0.0.0.255
  access-list 3 remark CCP_ACL Category=2
  access-list 3 permit 10.10.10.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=128
  access-list 100 permit ip host 255.255.255.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 101 remark CCP_ACL Category=16
  access-list 101 permit ip 10.10.10.0 0.0.0.255 any
  access-list 102 remark CCP_ACL Category=0
  access-list 102 permit ip any host 10.10.10.10
  access-list 103 remark CCP_ACL Category=0
  access-list 103 permit ip any host 10.10.10.101
  access-list 104 remark CCP_ACL Category=0
  access-list 104 permit ip any host 10.10.10.100
  no cdp run
  snmp-server community agsl RO
  control-plane
  banner exec ^C
  % Password expiration warning.
  Cisco Configuration Professional (Cisco CP) is installed on this device
  and it provides the default username "cisco" for  one-time use. If you have
  already used the username "cisco" to login to the router and your IOS image
  supports the "one-time" user option, then this username has already expired.
  You will not be able to login to the router with this username after you exit
  this session.
  It is strongly suggested that you create a new username with a privilege level
  of 15 using the following command.
  username <myuser> privilege 15 secret 0 <mypassword>
  Replace <myuser> and <mypassword> with the username and password you
  want to use.
  ^C
  banner login ^CAuthorized access only!
  Disconnect IMMEDIATELY if you are not an authorized user!^C
  line con 0
  login local
  no modem enable
  transport output telnet
  line aux 0
  login local
  transport output telnet
  line vty 0 4
  privilege level 15
  login local
  transport input telnet ssh
  scheduler max-task-time 5000
  scheduler allocate 4000 1000
  scheduler interval 500
  end

  Turns out, through some quirk of either Java, IE or CCP, the "Port to Application Mappings" page was blank.  I added the necessary application protocol and it worked for opening a port I needed open on the server.  Even with the screen blank I could click on the blank area in different spots and the "Edit..." button would become available.  For whatever reason, whenever I go into CCP now, the page is no longer blank.
  I'm having a different problem now with opening ports for our camera DVR.  I'll start a new thread for that.
  Thanks for the help.

• D6200 Port Forwarding | VPN question!

  *I just tried to open the following ports on a Netgear D6200:*
  VPN-PPTP TCP 1723
  VPN-L2TP UDP 1701
  VPN-IPSEC UDP 500
  I selected the...

  Hi - I have TT super router and wish to ise the D6200 wireless capabilities. I have found instructions and connections on the TT forum and connected...

• Port forwarding in Solaris 8

  Hi,
  I am new to Solaris and am trying to set up a simple port forwarding from port 80 to 8080.
  I know how to do this in Linux:
  iptables -t nat -I PREROUTING -p tcp dport 80 -j REDIRECT to-port 8080
  but cannot find a way to do this in Solaris. I have installed SunScreen, but am not sure whether this is the right thing to use.
  This is a simple server in a hosting centre.
  Can anyone help?

  In solaris you can do port forwarding with ssh . You have to install SSH from soalris 2 of 2 CD .
  see man pages of ssh
  Regards

• Does Verizon Wireless support Port forwarding.

  The 4510L has port forwarding. But the IP address ports are all stealth. I know VW has to take security measures for spam and hackers but this is just a little over kill here. The IP addresses they use are from wdspco.org. At lest in my area. Come on VW where is a tech support that are not sale reps. This feature should be part of the ISP service. It should not be an issue to allow simple port forwarding for the NOC. I know the public IP address is not routable. Its not going to cost more to route.

      We would love to support you with your Env3, jeffrey8066!
  What can we do to help?
  TamaraH_VZW
  Follow us on Twitter @VZWSupport

• How to Port Forward on Cisco 1900 Router?

  We have a cisco 1900 router. I m new to cisco routers commands, recently started learning. I need to forward all requests coming from port 1723 from outside to inside server ip. I check "show running-config" and I see already forwarded ports and ip like below,
  ip nat pool onlyone xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.252
  ip nat inside source list 1 pool onlyone overload
  ip nat inside source static tcp 192.168.0.xx 22 xxx.xxx.xxx.xxx 22 extendable
  ip nat inside source static tcp 192.168.0.xx 80 xxx.xxx.xxx.xxx 80 extendable
  ip nat inside source static tcp 192.168.0.xx 80 xxx.xxx.xxx.xxx 96 extendable
  ip nat inside source static tcp 192.168.0.xx 443 xxx.xxx.xxx.xxx 443 extendable
  ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
  where xxx.xxx.xxx.xxx is public facing IP.
  so what is the command to add "ip nat inside source static tcp 192.168.1.xx 1723 <public-ip> 1723 extendable" to currnetly working settings?
  I am currently reading below but no luck so far...
  http://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/software_configuration.pdf
  I have found this
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic7
  interface ethernet 0
  ip address 172.16.10.1 255.255.255.0
  ip nat inside
  !--- Defines Ethernet 0 with an IP address and as a NAT inside interface.
  interface serial 0
  ip address 200.200.200.5 255.255.255.252
  ip nat outside
  !--- Defines serial 0 with an IP address and as a NAT outside interface.
  ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80
  !--- Static NAT command that states any packet received in the inside
  !--- interface with a source IP address of 172.16.10.8:8080 is
  !--- translated to 172.16.10.8:80.
  How do I know if "interface ethernet 0" and "interface serial 0" will work for me?

  the router is already setup and working for 2 years. all i need to do  add a simple port forward from public ip to internal server. Following  make sense to accomplish what i m trying to do. Lets assume 1.2.3.4 is  my office public static ip and 192.168.0.10 is my internal server. All  requests will come from some Ip lets say 25.24.23.22:1723 to  1.2.3.4:1723 and router will forward this request to 192.168.0.10:1723.  This is all i m trying to accomplish. I m not setting up a new router.  Some rules are already there. Therefore below seem to be what i need. All I need is how to identify "interface ethernet 0" & "interface serial 0". I understand the inside and outside details. All i have to find is how to replace ethernet 0 and serial 0 with what i have in my router setup.
  interface ethernet 0
  ip address 172.16.10.1 255.255.255.0
  ip nat inside
  !--- Defines Ethernet 0 with an IP address and as a NAT inside interface.
  interface serial 0
  ip address 200.200.200.5 255.255.255.252
  ip nat outside
  !--- Defines serial 0 with an IP address and as a NAT outside interface.
  ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80
  !--- Static NAT command that states any packet received in the inside
  !--- interface with a source IP address of 172.16.10.8:8080 is
  !--- translated to 172.16.10.8:80.

• Port Forward and IP address question

  I am configuring my father's computer so that I can "see" his screen. He's on a different network, using a mac with a wireless router. He enables remote desktop login, I use Chicken of the VNC software on my mac to see and control his computer.
  Here's my question, when I set up his router to forward the ports so this will work, do I use the ports for apple remote desktop or VNC? (The ports overlap (5900) but are different.)
  Also, which IP address do I enter into Chicken of the VNC? His router IP, his static IP that we assigned or his computer's IP.
  Thanks for the help,
  Rob

  ok, but in his prefs for apple remote desktop, it gives the static IP address that we set as the address other people can use, so... any thoughts?
  You use that private address if you are in the same subnet as his Mac. That is the address you enter into the port forwarding settings on the router because the router needs to send requests received on the public IP address to that unreachable private IP address.
  When you are on the internet, you can't reach that private IP address.

• Combo unix ssh port forwarding + iChatAV + Bonjour question

  I don't know which forum is best for this question, so thought I'd try here first.
  I've been tossing around the idea of picking up a couple of iSights and running iChatAV. Problem is, if I understand this correctly, iChatAV uses a couple of ports for connections to third-party servers: AOL buddy server or Jabber server, a port for something called snatmap, a port for SIP, and some other stuff. Plus, it requires that you open up nearly 20 ports on your network for the AV traffic! (I get nervous just having my non-standard ports for smtp and ssh open, and my imaps port open (which is another issue -- anybody know how to change imaps port 993 to a non-standard port if running uw-imap server?) It doesn't look like iChatAV can, normally, operate by "calling up" an IP address or hostname...it always has to set up calls using AOL or Jabber...unless, perhaps, the destination iSight/iChatAV is on your own Bonjour-capable subnet.
  So, I'm thinking, what if a calling party created a ssh tunnel and port-forwarded the dozens of UDP and couple of TCP ports over a ssh tunnel, as a lengthy list of port forward options like "-L 5297:localhost:5297 -L ...", (assuming that the forwarding host, to whom the caller ssh's, is the same computer that is running iChatAV, hence, the remote host specification in the "-L" option of "localhost"). Would the caller then be able to treat the connection like Bonjour networking and when he calls localhost on his end of the circuit, it "bonjours" to the called hostname's localhost and thus a peer-to-peer connection would be made?
  Or perhaps a reverse port forward tunnel ("-R" options) could be set up in advance by the "to-be-called" party, and then the calling party initiates a iChatAV call as a "same-subnet-as-calling-computer-via-Bonjour" type of call?
  I'm just kicking around some thoughts here; I don't know enough about the intricacies of iChatAV and Bonjour (and ssh) to really know all the "gotchas" and I'd like to get the planning done with a high degree of confidence of success before I plunk out $300 on two iSights.
  If the general concensus of the group moderator and others on this forum is that this question should be posted in another forum, I apologize, and I'll move, but I thought that the ssh tunneling nature of my inquiry (and my unrelated side question about how to change 993 to a non-standard port) made this forum the obvious, and best, choice.
  Thanks in advance for any thoughts on these issues!
  2001 Quicksilver G4   Mac OS X (10.4.5)  

  No, you can't do what you describe. You have to use port forwarding on the router for any incoming connections, and each port forward rule can only map to a single server/service.
  However, SSH has the ability to tunnel other connections, so it may be possible to remove one or more of the existing port forwarding rules and replace them with a SSH rule, then use SSH tunneling to get to those services. Of course, this will only work for services that only you (or other authorized users) need to access, and not public services such as web/http traffic (assuming you're running a public web site).
  The only other option would be to replace your router with one that doesn't have such a strict limit on the number of port forwarding rules.

• RV042 Port Forwarding bypassing ACL

  I have a RV042 with Port Forwarding configured for RDP. This Port Forwarding Rule is being applied before my ACL - so subnets that are not authorized through are being allowed in. Firmware version 4.0.0.07. Any help would be greatly appreciated.                  

  Hi Eric, the default state table may be the problem.
  Try to make an access rule something like-
  Action Deny
  Service All
  Source interface WAN
  Source IP any
  Destination IP any
  Save
  Action Permit
  Service RDP
  Source interface WAN
  Source IP -xx.xx.xx.xx
  Destination IP - xx.xx.xx.xx
  Save
  -Tom
  Please mark answered for helpful posts

• RVS4000; Port Forwards bypass IP ACL; How to filter

  I am using a RVS4000.  I am forwarding several ports to a specific host on the LAN.  Nonetheless, I wish the IP ACL in the firewall to block incoming traffic from the WAN unless the IP ACL allows.  However, it seems that any port which is forwarded happens prior to and bypasses the ACL rules.  How do I block traffic from "bad" addresses when the destination port is in the forwarding table?

  By George, I think I've got it!  (Well, I've narrowed it down anyway.)  So, I've got an RVS4000 with firmware version V2.0.0.3 and I've been trying to do a similar thing:  I have a NAS sitting on my local LAN with a horribly insecure FTP server on it.  I would like my mainframe to send files to that server.  But I don't want the rest of the friggin Internet beating on it.
  So, I set up a Single Port Forward and two ACL rules, as described by tekliu above.  Alas, just like michaelrach above, every address in the Internet was able to get through the firewall on port 21.
  I read all the posts, asked all the experts, swore a lot, wailed and gnashed my teeth.  Then I set up a test and banged away for a while.
  First, I took Tekliu exactly at his word and try adding (#2) a Deny for everybody and (#1) an Allow for the single IP address I want in.  That worked!  The right host can get in and the wrong host can't.  I'm ready to turn out the lights and go home. 
  But I wanted to figure out why my initial attempt (and those of the others who posted here) didn't work and this one did.  After much guessing, I discovered that if you specify an Allow range of x.y.4.2 thru x.y.4.254, it works correctly.
  If you specify an Allow range of x.y.1.1 thru x.(y+1).1.1 it lets everybody through.
  x.y.4.2 thru x.y.128.254 works correctly.
  x.y.4.2 thru x.y.200.254 lets evrybody through.
  It's the binary difference between the start and end address!  I didn't feel like narrowing it down farther.  But to someone who understand this stuff, this has to be a real good clue as to why it's failing.