I'm trying to forward a specific port on my WatchGuard firewall to an internal host in a specific VLAN. My setup is roughly as follows:

 INTERNET
    vv
WatchGuard
    vv--------vv--------vv
  [VLAN1]   [VLAN2]   [VLAN3]
              vv
            Server

I've set up a SNAT rule from Any-External to the IP address of the internal server without port translation. Then, I added a firewall policy with

  • Action: Allow
  • a custom filter on port tcp:10000
  • from any source
  • to my SNAT rule

This is all as recommended by the documentation, but when trying to access it from an outside IP, the port remains filtered and is logged as unhandled (xxx being the external client and yyy the IP of the firewall):

Process=firewall  Disposition=Deny  Policy=Unhandled External Packet-00  Source IP=xx.xx.xx.xx  Destination IP=yy.yy.yy.yy  Source Interface=0-External  Destination Interface=0-External  Source Port=19852  Destination Port=10000  Protocol=webmin/tcp

I've been playing around with port translation, more specific interface settings for the SNAT and proxy instead of filter actions, but I simply cannot get it to work. What am I missing?


Edit (2015-06-16): Here are my config screens:

[Screenshots: Interfaces, SNAT Rule, Firewall Policy I, Firewall Policy II]

Port Check from internal network:

$ nmap -sT -p 10000 192.168.79.100
[...]
PORT      STATE SERVICE
10000/tcp open  snet-sensor-mgmt
[...]

Port check from external network (on the IP yyy of the internet connection, xxx being a known open management port):

user@extServer:~# nmap -sT -p xxx,10000 yyy.yyy.yyy.yyy
[...]
PORT      STATE    SERVICE
8089/tcp  open     unknown
10000/tcp filtered snet-sensor-mgmt
[...]
Lars

2 Answers

If you used 'Any-External' in the SNAT rule, then you made the error here.

Select the external IP address(es) that you will actually be using for this SNAT rule instead of the alias 'Any-External' and things will start working.

Still you may use 'Any-External' in the filter rule.

The problem is in the understanding of the alias 'Any-External'. All IP addresses that are configured on your ports on the firewall are covered by the alias 'Firebox', while 'Any-External' begins beyond that with the gateway IP address of your provider. You could create an alias 'external-ports' - that would then work fine in SNAT rules, but not 'Any-External'.

B.Z.
  • Thanks for your answer - Problem is, I can choose an SNAT `external IP-Address` of either "External" or "Any-External". Firebox is not an option there. Any more hints? – Lars Jun 15 '15 at 11:26
  • Why can't you choose an external IP address? Do you have dynamic IP addresses? If you have static IP addresses on your external interface, you should have them offered in the SNAT configuration. – B.Z. Jun 15 '15 at 21:04
  • If you have a dynamic IP on your external interface, check the external interface config for the name you gave to that interface. Select this name in the "External/Optional IP Address" field pulldown in your SNAT action. – B.Z. Jun 15 '15 at 21:21
  • ok, I did rename it to "upstream" and selected it - I've also taken screenshots of the relevant options just in case. As you can see, the external port is still closed / filtered and inaccessible. Do you see any problem in the screenshots I missed? – Lars Jun 16 '15 at 13:51

Turns out that my ISP has provided two IP addresses to the connection (without notifying me) and that I was talking to the wrong one all along. The management port was bound to all interfaces (therefore it was open), but the bound external port was not.

Note to self: double check IPs.

with shoutouts to @B.Z. for rubberducking

Lars
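As an added example (not part of the thread), a small Python check for the situation in this answer: probe the forwarded port on every address the ISP assigned to the external interface and classify each the way nmap -sT does, so a forward that answers on only one of two external IPs is spotted instead of being mistaken for a broken SNAT rule. The candidate addresses and the port are constructed placeholders.

```python
import socket
from typing import Dict, List

# Constructed placeholders: the page does not give the two addresses the ISP
# assigned, so TEST-NET-3 addresses stand in for them.
CANDIDATE_EXTERNAL_IPS = ["203.0.113.10", "203.0.113.11"]
FORWARDED_PORT = 10000


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port the way nmap -sT reports it.

    'open'     - handshake completed: something answered on this address
    'closed'   - RST received: the address is live but nothing listens there
    'filtered' - no reply before the timeout: the packet was dropped, which is
                 what the WatchGuard 'Unhandled External Packet' log line means
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # e.g. no route to host: the port is unreachable from here either way
        return "filtered"


def check_forward_on_all_ips(hosts: List[str], port: int,
                             timeout: float = 3.0) -> Dict[str, str]:
    """Probe the forwarded port on every candidate external address."""
    return {h: probe_tcp(h, port, timeout) for h in hosts}


def reachable_ips(results: Dict[str, str]) -> List[str]:
    """Addresses on which the forwarded port actually answered."""
    return [h for h, state in results.items() if state == "open"]


if __name__ == "__main__":
    results = check_forward_on_all_ips(CANDIDATE_EXTERNAL_IPS, FORWARDED_PORT)
    for host, state in results.items():
        print(f"{host}:{FORWARDED_PORT} {state}")
    print("forward answers on:", reachable_ips(results) or "none of the candidates")
```

Run it from outside the firewall with the real external addresses substituted; an address that reports "filtered" while another reports "open" points at the wrong-IP mistake rather than at the policy.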