Netgate Discussion Forum

    Firewall rules stop working.

    5 Posts 2 Posters 681 Views
    • TomT

      Hi

      We've an issue with a firewall rule stopping working. Last time this happened we deleted and re-added it and it worked fine.

      It's happened again, but this time removing and re-adding it hasn't worked.

      The rule is a simple port redirect for 8081 to 80 and is set up in NAT Port Forward as:

      Interface: WAN
      Protocol: TCP/UDP
      Source: Any
      Source port range: any
      Destination: Selected VIP
      Destination port range: Other 8081 Other 8081
      Redirect target IP: the required servers IP Address
      Redirect target port: HTTP
      NAT Reflection: Use system default
      Filter rule association: Pass

      Currently this isn't working, but it has been.
      A pcap captured on the firewall shows the destination IP sending [RST,ACK] back to us.

      We can access the destination directly on its IP, port 80, but that is only open for specific IP addresses.

      Any ideas why this has stopped and how we allow anyone to access port 80 on the destination via port 8081?

      Thanks

      • Gertjan @TomT

        @tomt said in Firewall rules stop working.:

        The rule is a simple port redirect for 8081 to 80 and is set up in NAT Port Forward as:
        Interface: WAN
        Protocol: TCP/UDP

        OK up until here. These two are new to me:

        Source: Any
        Source port range: any

        You clicked "Display advanced" to access them?

        Destination: Selected VIP

        Destination is "WAN address" for me.

        The rest is default:

        Destination port range: Other 8081 Other 8081
        Redirect target IP: the required servers IP Address
        Redirect target port: HTTP
        NAT Reflection: Use system default
        Filter rule association: Pass

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • TomT

          Thanks for your reply.

          I didn't click on 'Display Advanced' and that resulted in the Source being set to ANY and the Source port range being ANY.

          We have multiple Virtual IP addresses configured within Firewall / Virtual IPs. The destination is one of these virtual WAN addresses.

          Thanks

          • TomT

            Anyone any ideas on this?
            It's currently blocking access and causing me issues.

            Thanks

            • Gertjan

              Let me make sure I understand the question.

              I have a Synology NAS "diskstation".
              It lives on LAB, IP 192.168.1.15
              On this disk I have a web server - running on port 80.
              I wanted to make this web server accessible from the Internet.

              I have a known URL that points to my home IP: brit.test-domaine.fr
              I want to make this web server visible on port 8081.
              So, when you go here: http://brit.test-domaine.fr:8081 you should see this screen:

              [image]

              I added this NAT rule:

              [images]

              and it worked.

              Note the fact that a related firewall rule is created. It was added at the bottom, right after my last own explicit "drop all" rule, so I had to lift this auto-created rule just above it.

              Is this scenario identical with yours?

              (OK, I didn't mention that I also needed to NAT the router in front of my pfSense: all incoming traffic on TCP, port 8081 from WAN to IP-pfSense - but that's actually a nearly identical operation.)
