Match default rule - connection drop - Qnap HBS3 - NAT & Firewall USG60
I'm having an issue with a service running on a USG60.
The USG is performing perfectly, I've setup several NAT & Firewall rules which are working.
Now I'm trying to connect a remote QNAP with HBS3 over port 8899 to my own QNAP.
The external computer does not go past the firewall; I'm getting "match default rule, Drop" in the log.
What I've done:
Object -> Address -> Add external IP address as Host
Object -> Address -> Add internal IP of the QNAP as Host
Object -> Service -> Add TCP=8899 as a service
Security Policy - add rule from WAN -> LAN1, Source: External IP (also tried any), Destination: Internal IP, Service: port 8899 (also tried any)
NAT - add rule Virtual Server -> Wan1 -> Source IP Any -> External IP Any -> Internal IP QNAP Host -> Protocol TCP -> External port 8899 (also tried any) -> Internal port TCP 8899
As an extra security measure I've added a country filter to my Security Policy WAN-TO-DEVICE, allowing only IP ranges inside the Netherlands.
If I check the log, I see that the external IP address sometimes uses a different port (QNAP "detect service" button in HBS3), but even with the firewall off and the NAT set to any, it DROPS the connection.
What am I missing?
Thanks for the advice.
Have a great day!
Sander
Accepted Solution
According to our remote session result, we noticed USG60 can NAT forward to the Qnap host IP(192.168.50.18:8899) successfully.
So, we suggest you check whether the QNAP device can receive the port 8899 related traffic from the USG60. If so, it may not be the USG60's problem.
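The accepted solution leaves the poster with a check to do on the QNAP side: whether anything on that host is actually accepting the forwarded TCP 8899 traffic. The script below is an added example, not from the thread or from Zyxel or QNAP, that turns that check into something repeatable: it reads `ss -tln` output (assumed to be available on the QNAP; the sample output embedded here is constructed) and reports whether the port is unbound, bound only to loopback, or bound to all addresses. A service bound only to 127.0.0.1 will never answer a connection the USG60 forwards to 192.168.50.18:8899, which looks to the remote side exactly like a firewall drop.

```shell
#!/bin/sh
# Added example: classify the listening state of a TCP port from `ss -tln` output.
# Run on the host behind the NAT (here the QNAP) as: sh listen_check.sh 8899
# Constructed sample output in the `ss -tln` format, used when no live output is given.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8899       0.0.0.0:*
LISTEN  0       4096    *:443                *:*'

# listen_state PORT [SS_OUTPUT]
# Prints one word: none | loopback | all | <address the port is bound to>.
# With only PORT given it runs `ss -tln` itself; with SS_OUTPUT it parses that text.
listen_state() {
  port="$1"
  out="${2:-$(ss -tln 2>/dev/null)}"
  # Take the local address of the first LISTEN socket whose port matches.
  # split() on ':' keeps IPv6 forms like [::]:8899 working (port is always last).
  addr=$(printf '%s\n' "$out" | awk -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit }
    }')
  case "$addr" in
    "")                  echo none ;;      # nothing listens: service down or wrong port
    127.0.0.1|"[::1]")   echo loopback ;;  # listens, but only on localhost: unreachable via NAT
    0.0.0.0|"*"|"[::]")  echo all ;;       # reachable on every interface
    *)                   echo "$addr" ;;   # bound to one specific address; must be the LAN IP
  esac
}

# Stand-alone use: check the port given on the command line (defaults to 8899).
if [ -n "$1" ] || [ -z "$2" ]; then
  :  # sourced by the test harness; no action
fi
```

On a host where the service is healthy the expected answer for 8899 is `all` (or the LAN address the USG60 forwards to); `none` or `loopback` means the drop is explained on the QNAP side before the firewall log is consulted again.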
All Replies
Hi @Sander1977
It seems you disabled your NAT rule; you may enable it and see if NAT works.
BTW, you can use the command below to troubleshoot whether the NAT works on your lan1 interface (assuming D-QNAP's IP address belongs to lan1):
Router# packet-trace interface lan1 extension-filter port 8899
Hi Jeff, thanks for your reply. I've disabled rule 13 since it's the same as rule 2; rule 13 was for another QNAP which has been disabled. I tried testing with both rules.
The external Q-nap is D-ANDRE. And in the log it shows "match default rule" drop.
Thanks,
Sander
uncheck "Use Static-Dynamic Route to Control 1-1 NAT Route"
Is port 8899 used in any other NAT rules?
Make address object for type interface IP wan1 and set for External IP NAT rule.
What is the subnet for LAN1 and the IP of the QNAP host? And is the device connected to the LAN1 port?
Hi @Sander1977
Can you provide the device config file to us via private message? Maybe we can try to troubleshoot it at our lab.