Guys,
I have a PAT/firewall issue that's not going away. This issue differs from the previous in that it's a peering issue, not conductor. With a 24 hour turnaround (due to time zone difference) on answers it's taking a great deal of time to get things going, so:
I have two 128T routers and conductor. The routers cannot peer at all through a NAT/Firewall on one side. Here are the main points:
The conductor is on the internet and can talk to both devices and manage them.
One 128T router is on the internet the other behind a firewall using NAT.
I have Wireshark between the internet attached router and the firewall. I can see how it's passing BFD (not very well).
When both routers are attached to the internet directly they peer with no issues. It works.
Both routers can ping each other from inside the PCLI with the one behind the firewall.
When one router is placed behind a firewall, the BFD source port becomes an ephemeral port number and the destination port 1280.
This differs obviously from the usual 1280 -> 1280 source/destination port number you normally get with internet attached routers.
The on-net router must peer with an IP address that cannot be routed across the public internet as it is a private IP address: 172.x.x.x.
I have tried various combinations of outbound and bi-directional settings on the adjacency settings
I have tried various NAT combinations in the fields provided in adjacency settings.
This may be, and possibly is, a compound issue, with 128T mis-configuration and wrong firewall settings making the number of permutations excessive to solve easily by trial and error.
One issue seems to be how to deal with the on-net router whose peer IP address is in the 172.x.x.x non-routable range. With a source address that's non-routable it won't get far. It needs the internet IP address as the destination. You can see the non-routable address pop out of the interface onto the internet with Wireshark.
I did try using the firewall's internet IP address as a destination and attempted to port forward to the 128T. That did not yield any results. I was hoping that if the destination address was the firewall, port forwarding DNAT could swap out the IP address and it may work. It did not.
It should be a standard problem with one peer behind a NAT/FW. I have read various answers on Interchange but I have not had any traction so far. The firewall, BTW, is a FortiGate 61E in case you are familiar with it.
128T router----internet----FW/NAT----128T router
Please help.
Stephen
------------------------------
Stephen Lilley
------------------------------
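To make the port behaviour described in the post concrete, here is a small added illustration that is not part of the original post and has nothing to do with 128T or FortiGate configuration. It models a generic port-address-translation (PAT) table and walks the four situations the post mentions: the 1280 -> 1280 flow seen on the inside, the ephemeral -> 1280 flow seen on the internet side after translation, a reply aimed at the private 172.x.x.x address, and a reply aimed at the firewall's public address with and without a static port forward. All addresses are constructed from the RFC 5737 documentation ranges; the ephemeral port allocation, the translation table and the port-forward rule are simplified assumptions, not any vendor's actual NAT behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BFD_PORT = 1280  # the BFD port the post reports seeing in the capture

# RFC 1918 ranges; an address in one of these cannot be the destination of a
# packet crossing the public internet, which is the 172.x.x.x problem above.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def is_private(ip: str) -> bool:
    return any(ip_address(ip) in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def crosses_internet(pkt: Packet) -> bool:
    """A packet addressed to a private IP never reaches the far side."""
    return not is_private(pkt.dst_ip)


def classify_bfd(pkt: Packet) -> str:
    """Label a BFD packet the way the capture in the post distinguishes them."""
    if pkt.dst_port != BFD_PORT:
        return "not-bfd"
    if pkt.src_port == BFD_PORT:
        return "direct"          # 1280 -> 1280, both peers on the internet
    return "pat-translated"      # ephemeral -> 1280, a PAT device rewrote the source


class Pat:
    """Minimal PAT model (constructed for illustration; not vendor behaviour)."""

    def __init__(self, public_ip: str, first_ephemeral: int = 49152):
        self.public_ip = public_ip
        self._next_port = first_ephemeral
        self._out = {}        # (inside_ip, inside_port) -> translated public port
        self._in = {}         # translated public port -> (inside_ip, inside_port)
        self._forwards = {}   # static DNAT: public port -> (inside_ip, inside_port)

    def add_port_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        self._forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> internet: rewrite the source to the public IP and an ephemeral port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: deliver only if a translation or a forward matches."""
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to this firewall at all
        target = self._in.get(pkt.dst_port) or self._forwards.get(pkt.dst_port)
        if target is None:
            return None  # no translation state and no DNAT rule: dropped
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def walk_through() -> dict:
    """Run the cases the post describes and return what each one yields."""
    inside_router = "172.16.0.10"    # constructed; stands in for the 172.x.x.x peer
    firewall_public = "198.51.100.1"  # constructed public address of the firewall
    internet_router = "203.0.113.5"   # constructed internet-attached router
    fw = Pat(firewall_public)

    hello = Packet(inside_router, BFD_PORT, internet_router, BFD_PORT)
    on_wire = fw.outbound(hello)

    results = {
        "inside_view": classify_bfd(hello),
        "internet_view": classify_bfd(on_wire),
        "translated_src_port": on_wire.src_port,
        # Reply to what the internet router actually saw: state matches, delivered.
        "reply_to_translated": fw.inbound(
            Packet(internet_router, BFD_PORT, firewall_public, on_wire.src_port)),
        # Reply aimed at the private peer address: never crosses the internet.
        "reply_to_private_ip_crosses_internet": crosses_internet(
            Packet(internet_router, BFD_PORT, inside_router, BFD_PORT)),
        # Reply to the public IP on 1280 with no forward: no state, dropped.
        "reply_to_public_1280_no_forward": fw.inbound(
            Packet(internet_router, BFD_PORT, firewall_public, BFD_PORT)),
    }
    fw.add_port_forward(BFD_PORT, inside_router, BFD_PORT)
    results["reply_to_public_1280_with_forward"] = fw.inbound(
        Packet(internet_router, BFD_PORT, firewall_public, BFD_PORT))
    return results


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

The model shows why the two captures look different: the inside router still sends 1280 -> 1280, but the firewall rewrites the source to its own public address and an ephemeral port, so the internet-side router only ever sees ephemeral -> 1280 and must reply to that translated tuple (or to a statically forwarded port) rather than to the private 172.x.x.x address.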