Resolved
Hi everyone,
I have come here to get help with VLAN configuration.
For my part, I created a VLAN on my ClearOS server, which I deployed as a gateway, and I wanted to add two IPs on a single VLAN. Unfortunately, I don't know how to proceed.
Can you please help me to achieve this?
Tuesday, April 03 2018, 09:20 AM
Responses (10)
  • Accepted Answer

    Friday, April 06 2018, 12:17 PM
    Can you try manually adding some custom port forward rules:
    iptables -I PREROUTING -t nat -d your_WAN_IP -p tcp --dport whatever -j DNAT --to-destination your_LAN_IP
    iptables -I FORWARD -o your_LAN_interface -d your_LAN_IP -p tcp --dport whatever -j ACCEPT
    iptables -I POSTROUTING -t nat -s your_LAN_subnet -p tcp --dport whatever -j SNAT --to-source your_ClearOS_LAN_IP
    The third rule should be unnecessary if you only have one LAN interface. Change "-p tcp --dport whatever" to suit your port and protocol or drop entirely to forward everything (but make sure your LAN machine is properly firewalled).

    With this set up you may even get away without assigning an IP to your external virtual interface but leave it there for the moment.

    [edit]
    Do this from the command line in case any of the rules are in error. If it works, then copy each rule into the Custom Firewall module but replace "iptables" with "$IPTABLES". This will make them permanent; otherwise you lose them each time the firewall restarts.
    [/edit]
  • Accepted Answer

    Friday, April 06 2018, 08:23 AM
    Nick Howitt wrote:

    So what are you trying to do with this extra IP? Is there some service configured to use it somewhere, either in ClearOS or on the LAN behind it?


    Yes. There is some device which is configured to use it in the LAN, especially in the VLAN. All the traffic in my network passes through the VLAN configuration. Without VLAN identity, no traffic is permitted.
  • Accepted Answer

    Thursday, April 05 2018, 07:32 PM
    So what are you trying to do with this extra IP? Is there some service configured to use it somewhere, either in ClearOS or on the LAN behind it?
  • Accepted Answer

    Thursday, April 05 2018, 06:57 PM
    Hi Nick
    Unfortunately, I did not manage to achieve the goal. In fact, I searched for how to use firewall rules for this purpose but I didn't find anything. I'm really a beginner :-(
  • Accepted Answer

    Tuesday, April 03 2018, 05:12 PM
    OK, let's take a look at that!
    Thanks
  • Accepted Answer

    Tuesday, April 03 2018, 04:32 PM
    Either in the Custom Firewall module or directly in /etc/clearos/firewall.d/local. Try the rules at the command line first, but also check what is there with an "iptables -nvL" and "iptables -nvL -t nat" to see what changes you may need. Have a look for the ones relating to a VLAN with a single IP then compare to what you end up with after making the networking changes.
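
The before/after comparison suggested in this reply, as an added example that is not part of the original posts: it diffs two saved `iptables-save` snapshots with counters stripped, so that rules like the DNAT and FORWARD ones from the port-forward answer at the top of the thread show up as additions. The snapshots, the addresses 203.0.113.10 and 192.168.2.10, port 8080 and `eth0` are constructed placeholders.

```shell
# Normalise iptables-save text on stdin: drop comments and COMMIT, strip
# [packets:bytes] counters, and prefix each line with its table name.
normalise_rules() {
    awk '
        /^#/ || /^COMMIT/ || /^[ \t]*$/ { next }
        /^\*/ { table = substr($0, 2); next }
        { sub(/^\[[0-9]+:[0-9]+\] /, ""); sub(/ \[[0-9]+:[0-9]+\]$/, "")
          print table ": " $0 }
    ' | LC_ALL=C sort -u
}

# rule_diff <before-file> <after-file>
# Prints "+ rule" for rules only in <after>, "- rule" for rules only in <before>.
rule_diff() {
    b=$(mktemp); a=$(mktemp)
    normalise_rules < "$1" > "$b"
    normalise_rules < "$2" > "$a"
    LC_ALL=C comm -13 "$b" "$a" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$b" "$a" | sed 's/^/- /'
    rm -f "$b" "$a"
}

# Constructed snapshots (not taken from a real ClearOS box).
sample_before() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [12:720]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
sample_after() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [40:2400]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.2.10/32 -o p3p1.100 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

d=$(mktemp -d); sample_before > "$d/before"; sample_after > "$d/after"
rule_diff "$d/before" "$d/after"; rm -rf "$d"
```

On a live system the two files would come from running `iptables-save` before and after the networking change.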
  • Accepted Answer

    Tuesday, April 03 2018, 04:15 PM
    Nick Howitt wrote:

    Don't worry about what the webconfig says, the question is does it work. I very much doubt the webconfig will work in this case but the networking underneath may. It could, at worst, break the firewalling. At best, I'd guess you'll need to add your own firewall rules for the extra IPs.


    And do you have any idea how I can do this? What should I configure in these rules?
  • Accepted Answer

    Tuesday, April 03 2018, 03:00 PM
    Don't worry about what the webconfig says, the question is does it work. I very much doubt the webconfig will work in this case but the networking underneath may. It could, at worst, break the firewalling. At best, I'd guess you'll need to add your own firewall rules for the extra IPs.
  • Accepted Answer

    Tuesday, April 03 2018, 02:42 PM
    Thanks for your response
    This is my config, on the one hand:

    DEVICE=p3p1.100
    TYPE="VLAN"
    ONBOOT="yes"
    USERCTL="no"
    BOOTPROTO="static"
    IPADDR="192.168.2.254"
    NETMASK="255.255.255.0"
    IPADDR1="41.74.11.121"
    NETMASK1="255.255.255.252"
    VLAN="yes"

    But when I checked the ifconfig command's output or my web interface, I just have the first IP address (192.168.2.254).

    On the other hand, I made this configuration, but I have the same results:

    DEVICE=p3p1.100
    TYPE="VLAN"
    ONBOOT="yes"
    USERCTL="no"
    BOOTPROTO="static"
    IPADDR0="192.168.2.254"
    NETMASK0="255.255.255.0"
    IPADDR1="41.74.11.121"
    NETMASK1="255.255.255.252"
    VLAN="yes"

    Below is the output of the ifconfig command:

    p3p1.100: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.2.254 netmask 255.255.255.0 broadcast 192.168.2.255
    inet6 fe80::f6f2:6dff:fe03:bdc7 prefixlen 64 scopeid 0x20<link>
    ether f4:f2:6d:03:bd:c7 txqueuelen 1000 (Ethernet)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 20 bytes 1152 (1.1 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


    I didn't forget to set the immutable bit in order to avoid ClearOS overwriting the file.

    Thanks for your attention.
  • Accepted Answer

    Tuesday, April 03 2018, 01:29 PM
    I know NetworkManager supports this sort of configuration but ClearOS does not use NetworkManager. Its config file should be NetworkManager compatible, so let's try. I assume you've created your VLAN interface. It should have a file associated with it called /etc/sysconfig/network-scripts/ifcfg-?????. It should be obvious and the name ties up with the one in the webconfig.

    Have a look at this reference. It looks like you can have, instead of IPADDR, IPADDRn with n starting at 0.

    Although it says you can leave out n for one IP address, I'd first of all try leaving IPADDR= set as it is then add another line:
    IPADDR1="your_second_IP"


    Then restart the interface with:
    ifdown interface_name && ifup interface_name
    If that does not work, try changing "IPADDR=" to "IPADDR0=" and restart the interface.

    If this works, you may break the ClearOS webconfig. You also risk ClearOS overwriting the file. To avoid ClearOS overwriting the file you may have to set the immutable bit ("chattr +i /etc/sysconfig/network-scripts/ifcfg-?????").

    Let us know if it works!
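
One way to check the result of the IPADDRn procedure above, as an added example that is not part of the original posts: it compares the addresses declared in the ifcfg file with `ip -o -4 addr show` output, which lists every address on a device, whereas `ifconfig` reports a single IPv4 address per interface name. The sample ifcfg content reuses the values posted earlier in the thread; the `ip` output line is constructed.

```shell
# Print every IPADDR / IPADDRn value in an ifcfg file, quotes stripped.
ifcfg_addrs() {
    sed -n 's/^[[:space:]]*IPADDR[0-9]*=//p' "$1" | tr -d "\"'"
}

# Print bare addresses from `ip -o -4 addr show` text on stdin.
live_addrs() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }'
}

# missing_addrs <ifcfg-file>, with `ip -o -4 addr show dev IF` on stdin.
# Prints declared addresses that are not live; returns 1 if any are missing.
missing_addrs() {
    live=$(live_addrs); rc=0
    for addr in $(ifcfg_addrs "$1"); do
        if ! printf '%s\n' "$live" | grep -qxF -- "$addr"; then
            echo "$addr"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the IPADDR0/IPADDR1 variant from the thread, and ip
# output for an interface that carries only the first address.
sample_ifcfg() { cat <<'EOF'
DEVICE=p3p1.100
BOOTPROTO="static"
IPADDR0="192.168.2.254"
NETMASK0="255.255.255.0"
IPADDR1="41.74.11.121"
NETMASK1="255.255.255.252"
VLAN="yes"
EOF
}
sample_ip_output() { cat <<'EOF'
5: p3p1.100    inet 192.168.2.254/24 brd 192.168.2.255 scope global p3p1.100\       valid_lft forever preferred_lft forever
EOF
}

# Live use: ip -o -4 addr show dev p3p1.100 | missing_addrs <path to the ifcfg file>
cfg=$(mktemp); sample_ifcfg > "$cfg"
sample_ip_output | missing_addrs "$cfg" || echo "^ declared in ifcfg but not on the interface"
rm -f "$cfg"
```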