ELI5: How do I do a "Business Rule" in v18 (firewall rule + NAT rule)

Hi guys,

Been messing with the new version and I'm not sure how to publish services to the internet (outgoing NATs are working fine).

What's the way to do it? What takes effect first?

 

Scenario (demo):

WAN (Port2):
192.168.12.90

LAN (Port1)
172.16.16.0/24 (.16 gateway / XG)

Host:
172.16.16.17

I'm publishing any port (let's take, for the sake of this example, the safest port: 3389). How should I create the rules for this scenario?

Thanks in advance!!! Antonio.




[locked by: Stuart Hatto at 11:24 AM (GMT -7) on 15 Oct 2019]
[unlocked by: Stuart Hatto at 9:10 AM (GMT -7) on 16 Oct 2019]
  • You would basically use NAT.

    NAT will take the decision "Should XG change the traffic?".

    Then you need a firewall rule, which allows this traffic.

    There are two different approaches.

    Either use the Destination or Interface way.

    I would recommend Destination.

    So put in "Original Destination" your WAN Interface.

    In "Translated Destination" you would select the "Going to" Destination. So to speak, your Server.

    You could select Service now: Original Service would be RDP.

    In case you want to change the Source or Service, select it by the drop-down menu.

    You can now select Interface matching criteria, if you want. But this is not needed.

    Additionally, you need a Firewall, which allows this connection.

    WAN to LAN Port RDP should be enough. Be more specific if you want.

    As always, please put a Feedback loop, if you notice a lack of documentation!


  • Ok, so I played in my test environment and got the following results.

    NAT Policy:

    Original Destination: 192.168.12.90 (the "wan" interface on the lab)
    Translated Destination: 172.16.16.17 (the Windows 7 VM for testing purposes)

    Firewall Rule Results:

    First try:
    Source: Any Zone, Any Host. Destination: Any Zone, Any Host. Service: 3389 TCP. Results: Works.

    Second try:
    Source: Wan Zone, Any Host. Destination: Any Zone, Host. 172.16.16.17 Service: 3389 TCP. Results: Fails.

    Third try:
    Source: Wan Zone, Any Host. Destination: Lan Zone, Any Host. Service: 3389 TCP. Results: Works.

    Last try:
    Source: Wan Zone, Any Host. Destination: Lan Zone, Host 172.16.16.17. Service: 3389 TCP. Results: Fails.

    Any time I put an IP address in the Destination Host, it fails. The thing is that in packet capture, it shows the IP address of the host and it's the same

    When destination host in firewall rule is the IP Host (same NAT policy):

    When destination host in firewall rule is any (same NAT policy):

    So unsure why it doesn't take effect for the IP host.

    -----------------------------------------------------------

    Edit:

    Did one more try, with the following config:

    Source: Wan Zone, Any Host. Destination: Lan Zone, Host 192.168.12.90. Service: 3389 TCP. Results: Works.

    This kinda confuses me: the 192.168.12.90 is the WAN and not LAN (I know the NAT translates it, but visually it is confusing).

    Does it match prior to NATing? In that case, it makes sense that it works with 192.168.12.90, but why LAN zone?
    Or does it semi-match prior to NATing but then the destination zone (and not host) matches after NATing?

    I mean, it will be confusing for clients trying to understand the flow of the NATs.

    Thanks!
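A small model of the flow the experiments in this thread describe, added here as an example and not code from the thread or from Sophos: the NAT policy is consulted first, then the firewall rule is matched. The matching semantics (destination zone checked against the translated address, destination host compared with the pre-NAT address) are an assumption inferred from the five reported results, not from Sophos documentation; the zone map and the 203.0.113.5 client address are constructed for the lab in the post.

```python
from dataclasses import dataclass

WAN_IP, SERVER_IP = "192.168.12.90", "172.16.16.17"   # lab values from the post
NAT = {WAN_IP: SERVER_IP}   # NAT policy: Original Destination -> Translated Destination
RDP = ("tcp", 3389)

def zone_of(ip):
    """Constructed zone map for the lab: 172.16.16.0/24 is LAN (Port1), all else WAN."""
    return "LAN" if ip.startswith("172.16.16.") else "WAN"

@dataclass
class FwRule:
    src_zone: str   # "Any" or a zone name
    dst_zone: str   # "Any" or a zone name
    dst_host: str   # "Any" or a single IP
    service: tuple  # (protocol, port)

def apply_dnat(nat, dst_ip):
    """Step 1: the NAT policy decides whether XG rewrites the destination."""
    return nat.get(dst_ip, dst_ip)

def packet_allowed(rule, nat, src_ip, dst_ip, service):
    """Step 2: firewall rule matching, using the field semantics inferred from the
    post's results (assumption): zone after translation, host before translation."""
    translated = apply_dnat(nat, dst_ip)
    if rule.src_zone not in ("Any", zone_of(src_ip)):
        return False
    if rule.dst_zone not in ("Any", zone_of(translated)):  # post-NAT zone
        return False
    if rule.dst_host not in ("Any", dst_ip):               # pre-NAT address
        return False
    return rule.service == service

def run_tries(client_ip="203.0.113.5"):
    """Replay the five rule variants from the post against one inbound RDP packet
    (client_ip is a constructed internet address). Returns {name: allowed}."""
    tries = {
        "first":  FwRule("Any", "Any", "Any", RDP),
        "second": FwRule("WAN", "Any", SERVER_IP, RDP),
        "third":  FwRule("WAN", "LAN", "Any", RDP),
        "last":   FwRule("WAN", "LAN", SERVER_IP, RDP),
        # the "Edit" variant: the narrowest of the five that still passes
        "edit":   FwRule("WAN", "LAN", WAN_IP, RDP),
    }
    return {name: packet_allowed(r, NAT, client_ip, WAN_IP, RDP)
            for name, r in tries.items()}

if __name__ == "__main__":
    for name, ok in run_tries().items():
        print(f"{name:6s} -> {'Works' if ok else 'Fails'}")
```

Under this model the "Edit" rule (WAN zone to LAN zone, destination host = the WAN address, service RDP) is the tightest of the reported variants that still admits the published service.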