USG40 - Port forwarding problems

Options
kaika313
kaika313 Posts: 31  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security

Hi,


I’m facing some issues setting port forwarding to internal NAS with USG40.

My configuration is:


INTERNET --> ISP ROUTER 192.168.0.1 -- USG40 192.168.0.253, DHCP/GATEWAY 192.168.1.1 to internal LAN1 range 192.168.1.xx-192168.1.yy


This is what I’ve done:

1 -set up an object for the internal HOST assigning its internal address: 192.168.1.200

2-NAT with: 

Port Mapping Rule: Virtual Server

Incoming Interface: Wan 1

Original IP: User Defined —> Public IP Address

Mapped IP: internal NAS IP

Port Mapping Type: Port —>TCP —> Original 8080, Mapped 8080

NAT Loopback enabled

3-Policy Control rule:

From: WAN

To: LAN1

Source: Any

Destination: internal NAS IP

Service: TCP protocol, Starting/Ending port 8080.


But, when I try to access port 8080 from an external location I cannot access and if I test it with a port checker it says that it’s closed or filtered. Also, I I read USG’s log I can see that at any attempt to connect a “Match default rule, DROP error occurs with ACCESS BLOCK message.


What I’m doing wrong? I cannot understand. The only thing is that I suppose could interfere is a NAT rule I set up for L2TP VPN with 1:1 NAT mapping type using wan1 as Interface, original IP our public IP address and as Mapped IP USG’s 192.168.0.253 IP with any Protocol selected.


Could you help me, please?


Thank you


Regards


Comments

  • PeterUK
    PeterUK Posts: 2,763  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2018
    Options

    Are you able to put your ISP router in modem mode or bridge mode? or double NAT by DMZ to 192.168.0.253 by your ISP router you then need Original IP: User Defined 192.168.0.253. 


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @kaika313,
    “Match default rule, DROP”, can you try to disable security policy rule temporarily for testing.(Configuration > Security Policy > Policy Control > “Enable policy control”)
    If it is okay to connect the NAS by disable USG security policy, then we can focus on security policy configuration.


  • kaika313
    kaika313 Posts: 31  Freshman Member
    First Anniversary Friend Collector First Comment
    Options
    Hi @Zyxel_Cooldia, I've disabled it but the only difference is that instead of waiting some seconds to give me error this time negative response (the same) is immediate.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @kaika313,
    Can you send me your configuration file via private message for further checking?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @kaika313,

    From the configuration file, the NAT rule “Original IP” should be USG wan interface IP, instead of upper layer router public IP.






Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)