I'm running R069 but this has been an issue from the first day.
I have several port forwards from the internet to internal hosts; I set these up in the GUI under the port forwarding section.
They work, the problem is that they masquerade the incoming traffic behind the LAN IP of the Almond+.
This causes issues for SMTP as the mail server can't see the original source IP of the connection, so can't apply blacklisting or other filtering rules properly.
The iptables rule that causes the problem is this one:
Chain zone_lan_nat (1 references)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
The fix I have found is to insert the following rule:
Chain zone_lan_nat (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Can anyone tell me why incoming traffic is being masqueraded and if there is any good reason for this practice? Also, is there some way other than hacking the firewall scripts to turn this behaviour off?
Masquerading outgoing traffic is necessary and good, but not incoming traffic.
Thanks,
JT
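
A check for the rule ordering described in the post, as an added example that is not part of the original post: it reads a chain listing in the format shown above and reports whether the first unconditional rule rewrites or preserves the source address. The function names and the assumption that the listings come from `iptables -t nat -L zone_lan_nat -n` are this example's own; the two sample listings are copied from the post.

```shell
#!/bin/sh
# Added example: classify a nat chain listing by its first unconditional rule.
# Input format: `iptables -t nat -L <chain> -n` (assumed source of the listings).

nat_verdict() {
    awk '
        # Skip the "Chain ..." line, the column header and blank lines.
        /^Chain / || /^target / || NF == 0 { next }
        # Unconditional rule: any protocol, any source, any destination,
        # and no extra match text after the destination column.
        $2 == "all" && $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" && NF == 5 {
            # ACCEPT stops nat processing for this hook, so later rules
            # in the chain are never reached and no translation happens.
            if ($1 == "ACCEPT")     { print "preserved"; found = 1; exit }
            # MASQUERADE replaces the source with the outgoing interface address.
            if ($1 == "MASQUERADE") { print "rewritten"; found = 1; exit }
        }
        # Only conditional rules (or none) were seen: no verdict from this chain alone.
        END { if (!found) print "undetermined" }
    '
}

# Listing from the post before the change (copied sample).
listing_before() {
    cat <<'EOF'
Chain zone_lan_nat (1 references)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
EOF
}

# Listing from the post after the ACCEPT rule was inserted (copied sample).
listing_after() {
    cat <<'EOF'
Chain zone_lan_nat (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
EOF
}

echo "before: $(listing_before | nat_verdict)"
echo "after:  $(listing_after | nat_verdict)"
```

A verdict of `preserved` from an unconditional ACCEPT applies to everything that traverses the chain, so the MASQUERADE rule below it no longer matches any traffic sent through this chain.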