
DNAT or Route Issue?

I am not sure if this is a route problem or a DNAT issue.  I am trying to open up port 22 in the firewall by using a DNAT rule, but when I am testing to see if the port is open on the destination server, it's not working.  I am using the website http://canyouseeme.org/ to perform the open-port check.  The error the website is displaying is:

Error: I could not see your service on xx.xx.xx.xx on port (22)
Reason: No route to host.

When I test out other ports that should be closed, I get a different error from the website: "Reason: Connection timed out".  So it appears the DNAT is configured correctly, but I am still not sure why it's not working.

When I test for port 22, in the live log of the firewall I never see any lines with port 22 in the log.  When I test with a random port that has not been opened with DNAT, I can see the firewall DROPping the TCP packet.  I have every service turned off except the firewall.  Any help would be greatly appreciated.

Thanks

I have included pictures of everything.

Network diagram


Network Protection -> Firewall -> Masquerading
Network = Internal (Network) 10.0.0.0/24
Interface = External (WAN)

Definitions & Users -> Service Definitions
Name = SSH
Type of definition = TCP
Destination port = 22
Source port: 1:65535


Network Protection -> Firewall -> NAT
Rule type:DNAT (destination)
Matching condition
For traffic from = Any IPv4
Using service = SSH
Going to = External (WAN) (Address)
Action
Change the destination to = rin-server
Automatic firewall rule = checked
Advanced = Log initial packets = checked

Definitions & Users -> Network Definitions
Name = rin-server
Type = Host
IPv4 address: 10.0.0.64
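The probe below is an added example and not part of the original post or of the UTM product. It reproduces locally the kind of check canyouseeme.org performs: one TCP connect() to the published address and port, with the outcome sorted into the same four buckets the website reports. The distinction between the buckets is the useful part when chasing a DNAT: "refused" (RST) and "unreachable" (ICMP unreachable, shown by the website as "No route to host") both mean some device on the path actively answered, whereas "timeout" means the SYN was dropped silently, which is what a firewall DROP looks like from outside. The loopback listener and the `closed_local_port` helper exist only so the block runs offline; in real use you call `probe_tcp("<your public IP>", 22)` from a host outside the network, and compare the result with what the firewall's live log and a packet capture on the WAN interface show.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect to host:port and classify the result.

    Returns one of:
      "open"        - SYN/ACK came back: something is listening behind the forward.
      "refused"     - RST came back: the SYN reached a host, but nothing listens there.
      "unreachable" - ICMP unreachable (or a local routing failure): a device on the
                      path actively rejected the packet ("No route to host").
      "timeout"     - nothing came back at all: a firewall dropped the SYN silently.
      "error"       - any other socket failure.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        if e.errno == errno.ETIMEDOUT:
            return "timeout"
        return "error"
    finally:
        s.close()


def with_local_listener(fn):
    """Demo helper (assumption, not real infrastructure): open a throwaway
    listener on 127.0.0.1 and call fn(port) while it is listening.  The kernel
    completes the handshake on listen(), so no accept() is needed for the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return fn(port)
    finally:
        srv.close()


def closed_local_port():
    """Demo helper: obtain an ephemeral port from the kernel and release it,
    so that (barring a race with another process) nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration against loopback; the real check is run from outside.
    print("listening port ->", with_local_listener(lambda p: probe_tcp("127.0.0.1", p, 1.0)))
    print("closed port    ->", probe_tcp("127.0.0.1", closed_local_port(), 1.0))
```

Reading the result against the firewall's own evidence is the point: if the probe from outside reports "unreachable" or "refused" while the UTM's live log and a WAN-side capture never show the SYN for that port, the packet is being answered by something in front of the UTM, not by the DNAT rule.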



  • It appears that you are using the external IP of the firewall to NAT to the internal server on port 22.  Do you by chance have SSH shell access enabled on the UTM?  And if so, is it set to use port 22 (default port)?  That would be the first thing to check, as it would cause a conflict.  Look under Management > System Settings > Shell Access

    Troubleshooting these cases, I always look at three things.  Routes, Rules, and NATs.  Assuming you've set up the DMZ interface on the UTM as 10.0.0.1, and your RIN server is connected to this interface (through the router), then I don't think it's a routing issue with the firewall.  Your rule (permission) appears to be correct as per the NAT configuration.  And your NAT configuration also appears to be correct.  Unless I'm missing something obvious, I don't think it's the UTM.

    Wild stab in the dark here.  I'm assuming your RIN server is Windows.  Have you verified everything is configured properly on it?  Is Windows Firewall blocking the traffic?  Try disabling Windows Firewall to test.  Are there any routes in the routing table on the server that are conflicting?  Try doing a traceroute to the Internet to ensure it is routing through the UTM.

    Also, I see a router between the UTM and your server.  Check to make sure there are no conflicting routes configured on it.  Again, try doing a traceroute to the Internet from your RIN server.

    In addition, in this case I don't believe you need a masquerading rule, unless your RIN server is initiating traffic to the Internet.

    Keep in mind that I'm still a novice when it comes to configuring and troubleshooting UTMs.  So everything I've said could be completely wrong. :)

    Good luck and let us know if you make any progress.

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.

  • One place I failed to look was outside of the UTM configuration.  I found the source of the DNAT not working.  It was at the AT&T router.  I initially was using the AT&T router without the UTM, and I had previously set up port forwarding of port 22.  Once I started using the UTM, I put the UTM in DMZ+ mode in the AT&T router, but I never deleted the port forward of port 22, so the DNAT was never getting this packet.  I deleted the port forward on the AT&T router and everything started working.  I tried to disable the masquerade rule as you suggested, but that caused the Internet to not work any more, so I had to re-enable it.  Thank you for your help, it is much appreciated.

    Byron

  • Thanks for updating us on your solution.  Glad to hear you figured it out!
