Firewall rules stop working.



  • Hi

    We've an issue with a firewall rule stopping working, last time this happened we deleted and re added it and it worked fine.

    It's happened again, but this time removing and re adding it hasn't worked.

    The rule is a simple port redirect for 8081 to 80 and is setup in NAT Port Forward as :

    Interface: WAN
    Protocol: TCP/UDP
    Source: Any
    Source port range: any
    Destination: Selected VIP
    Destination port range: Other 8081 Other 8081
    Redirect target IP: the required servers IP Address
    Redirect target port: HTTP
    NAT Reflection: Use system default
    Filter rule association: Pass

    Currently this isn't working, but it has been.
    A pcap captured on the firewall shows the destination IP sending [RST,ACK] back to us.

    We can access the destination direct on it's IP Port 80, but that is only open for specific IP Addresses

    Any ideas why this has stopped and how we allow anyone to access port 80 on the destination via port 8081 ?

    Thanks



  • @tomt said in Firewall rules stop working.:

    The rule is a simple port redirect for 8081 to 80 and is setup in NAT Port Forward as :
    Interface: WAN
    Protocol: TCP/UDP

    Ok up untill here. These two are new to me :

    Source: Any
    Source port range: any

    You clikced "Display advanced" to access them ?

    Destination: Selected VIP

    Destination is "WAN address" for me

    The rest is default :

    Destination port range: Other 8081 Other 8081
    Redirect target IP: the required servers IP Address
    Redirect target port: HTTP
    NAT Reflection: Use system default
    Filter rule association: Pass



  • Thanks for your reply.

    I didn't click on 'Display Advanced' and that resulted in the Source being set to ANY and the Source port range being ANY.

    We have multiple Virtual IP Addresses configured with in Firewall / Virtual IPs. The destination is one of these Virtual WAN Addresses.

    Thanks



  • Anyone any ideas on this ?
    It's currently blocking access and causing me issues.

    Thanks



  • Let me make sure I understand the question.

    I have a Synology NAS "diskstation".
    It lives on LAB, IP 192.168.1.15
    On this disk I have a web server - running on port 80.
    I wanted to make this web server accessible from the Internet.

    I have a known URL that point to my home IP : brit.test-domaine.fr
    I want to make this web server visible on port 8081.
    So, when you go here : http://brit.test-domaine.fr:8081 you should see this screen :

    0_1530195443242_0f8e06f1-b8ee-49e9-888e-0e1f52eb64a1-image.png

    I added this NAT rule :

    0_1530195493271_c3e494bd-63fc-4d75-b52f-69c955b212c4-image.png
    0_1530195533784_c8ec0d4c-a67e-46c5-b5cf-584ffddbb5e3-image.png

    and I worked.

    Note the fact that a related firewall is created. Is was added at the bottom, right after my last own explicit "drop all rule", so I had to lift this auto created rule just above it.

    Is this scenario identical with yours ?

    (Ok, I didn't mention that I needed to NAT also the router in front of my pfSense : all incoming traffic on TCP, port 8081 from WAn to IP-pfSense - but that actually a nearly identical operation)


Log in to reply