Match default rule - connection drop - Qnap HBS3 - NAT & Firewall USG60

Options
Hi everyone, 

I'm having an issue with a service running on a USG60.

The USG is performing perfectly, I've setup several NAT & Firewall rules which are working.

Now i'm trying to connect a remote QNAP with HBS3 over port 8899 to my own QNAP. 

The external computer does not go past the firewall, i'm getting in the log "match defaul rule, Drop"

What I've done:
  
Object -> Address -> Add external IP adres as Host
Object -> Address -> Add internal IP Qnap as Host
Object -> Service -> Add TCP=8899 as a service

Security Policy - add rule from WAN -> LAN1 Source External IP (also tried any) - destination Interal IP - Service port 8899 (also tried any)

NAT - add rule Virtual Server -> Wan1 -> Source IP Any -> External IP Any -> Internal IP Qnap Host - Protocol TCP -> External port 8899 (also tried any) -> Internal port TCP 8899

As a extra security I've added a country filter to my Security Policy WAN-TO-DEVICE with only allowing IP ranges inside the netherlands.

If i check the log, I see that the external IP address sometime uses different port (Qnap detect service button in HBS3), but even with the firewall off, and the NAT on any it DROPS the connetion.

What am I missing?

Thanks for the advice.

Have a great day!
Sander




Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2022 Answer ✓
    Options

    According to our remote session result, we noticed USG60 can NAT forward to the Qnap host IP(192.168.50.18:8899) successfully.

    So, we suggest you can check the Qnap device if can receive the port 8899 related traffics from USG60. If so, it may not be USG60’s problem.


All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
     
    It seems you disable your NAT rule you may enable it and see if NAT works?
     
    BTW, you can use the below to troubleshoot if the NAT works on your lan1 interface (assuming D-QNAP’s IP address belongs to lan1 )
    Router#packet-trace interface lan1 extension-filter port 8899

  • Sander1977
    Sander1977 Posts: 2
    Options
    hi Jeff, thanks for your reply, i've disable rule 13 since it's the same as rule 2, rule 13 was for another qnap which has been disabled. I tried testing with both rules. 

    The external Q-nap is D-ANDRE. And in the log it shows "match default rule" drop.

    Thanks,
    Sander
  • PeterUK
    PeterUK Posts: 2,723  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2022
    Options
    uncheck "Use Static-Dynamic Route to Control 1-1 NAT Route"

    Is port 8899 used in any other NAT rules?

    Make address object for type interface IP wan1 and set for External IP NAT rule.

    what is the subnet for LAN1 and the IP of Qnap Host? and is the device connected to LAN1 port?
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @Sander1977

    Can you provide the device config file to us via private message? Maybe we can try to troubleshoot it at our lab.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2022 Answer ✓
    Options

    According to our remote session result, we noticed USG60 can NAT forward to the Qnap host IP(192.168.50.18:8899) successfully.

    So, we suggest you can check the Qnap device if can receive the port 8899 related traffics from USG60. If so, it may not be USG60’s problem.


Security Highlight