port forwarding headache

Hello all,

I am trying to create a port forwarding rule to forward from the WAN(ANY) to an IP in the LAN ports 80, 443 and 8008 (both TCP and UDP).

 

Below is the rule I created on the XG (version SFOS 17.5.0 GA). I blocked every country except the USA.

I set the destination as the port/gateway, and the forward to the IP on the same port/gateway. 

I also tried to set the destination as the IP (10.0.0.102) but still doesn't work.

The only odd thing is that the 'Mapped Port' fields next to the protected server field are grayed out, I cannot enter anything.

I checked if the ports were opened canyouseeme.org and GRC shields up.

 

 

The forwarded services are the standard HTTP and HTTPS, for the customer service TCP/UDP 8008 I placed a snapshot below:

 

Last snapshot is the protected server, a single IP:

 

The rule is positioned after two prior rules to drop most foreign and some domestic traffic:

 

Any help would be greatly appreciated!

  • Hi,

    you will need to create your definitions for 80 and 443 because the standard XG services are the reverse to what you want.

    Ian

  • In reply to rfcat_vk:

    Ian,

    Thank you so much for your input.

    I created an http and https item but the XG is still not forwarding any traffic.

    Even if I ignore http and https for the moment port 8008 should be forwarding but it's not working either.

    Do I need a rule to specifically just open the ports? And then the forwarding will take place?

  • In reply to Marco Ferrante:

    You should not have MASQ in your rule since that is the default External IP. You can't use that. If you would like to hide the traffic you should create a new NAT policy that have and IP on the internal Interface. Best is just to remove it.

  • In reply to RickardNordahl:

    Thank you Rickard,

    I removed the Masq.

    Still no joy!

  • In reply to Marco Ferrante:

    Your 8008 definition is back to front. Use the existing default services as a guide.

    Ian

  • In reply to Marco Ferrante:

    The WAN interface only has VPN and SSL checked, should it also have Dynamic routing checked perhaps?

  • In reply to Marco Ferrante:

    Dynamic routing is not needed. But what i can see now, is that you are publishing the server on the same subnet as the server are located. Seems wrong to me.

     

    Is you external IP really 10.0.0.1 ? 

     

    //Rickard

  • In reply to RickardNordahl:

    Rickard,

    Glad you asked!

    That 10.0.0.1 comes from the value in the destination/host network field. If you notice the source says: "any zone, 10.0.0.1"

    The options are:

    Port 1: default network 172.16.16.16 on port 1

    Port 3: I created a 10.0.0.1/255.255.255.0  (my server is on 10.0.0.102)

    Third choice is ip 10.0.0.102 (same as protected server)

    I tried all three options and the forwarding rule still does not work.

    Keep your questions coming!

    Regards.

  • In reply to RickardNordahl:

    SOLVED!

    Rickard, you led me to the solution.

    In the destination/host I had to select the port where the internet is coming from (showing my internet ip address).

    The word destination really induces the user into making the mistake of thinking  it's the packets final destination, instead it's where the internet is coming from.

    If anyone is interested I will post a snapshot.

    Thank you all!