Match default rule - connection drop - Qnap HBS3 - NAT & Firewall USG60

Hi everyone, 

I'm having an issue with a service running on a USG60.

The USG is performing perfectly, I've setup several NAT & Firewall rules which are working.

Now I'm trying to connect a remote QNAP with HBS3 over port 8899 to my own QNAP.

The external computer does not get past the firewall; I'm getting in the log "match default rule, Drop".

What I've done:

Object -> Address -> Add external IP address as Host
Object -> Address -> Add internal IP Qnap as Host
Object -> Service -> Add TCP=8899 as a service

Security Policy - add rule from WAN -> LAN1 Source External IP (also tried any) - destination Internal IP - Service port 8899 (also tried any)

NAT - add rule Virtual Server -> Wan1 -> Source IP Any -> External IP Any -> Internal IP Qnap Host - Protocol TCP -> External port 8899 (also tried any) -> Internal port TCP 8899

As extra security I've added a country filter to my Security Policy WAN-TO-DEVICE, only allowing IP ranges inside the Netherlands.

If I check the log, I see that the external IP address sometimes uses a different port (Qnap "detect service" button in HBS3), but even with the firewall off and the NAT on any it DROPS the connection.

What am I missing?

Thanks for the advice.

Have a great day!
Sander
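As an added illustration of the evaluation order the steps above rely on (this is example code written for this page, not Zyxel code and not from the thread): on the USG the virtual-server NAT rewrites the destination first, and the security policy is then matched against the translated packet, so a WAN-to-LAN1 rule has to name the internal Qnap IP as its destination; whatever matches no rule falls through to the default rule, which is what the log shows as "Match default rule, Drop". The model assumes that order and the device zone name "ZyWALL"; the addresses are constructed (203.0.113.5 as the remote host, 198.51.100.10 as the wan1 IP) apart from the internal host 192.168.50.18, which the thread mentions.

```python
"""Simplified model of inbound handling on a Zyxel-style firewall:
destination NAT (virtual server) first, then the ordered security policy
on the translated packet, then the default rule (drop) for anything unmatched.
Added example, not Zyxel code. Zone name "ZyWALL" and the NAT-before-policy
order are assumptions; 203.0.113.0/24 and 198.51.100.10 are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    src_zone: str = "WAN"


@dataclass(frozen=True)
class VirtualServer:
    """Port forward: (external IP, external port) -> (internal IP, internal port)."""
    external_ip: str
    external_port: Optional[int]   # None = any external port
    internal_ip: str
    internal_port: Optional[int]   # None = keep the original port
    proto: str = "tcp"

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != self.proto or pkt.dst_ip != self.external_ip:
            return None
        if self.external_port is not None and pkt.dst_port != self.external_port:
            return None
        port = pkt.dst_port if self.internal_port is None else self.internal_port
        return replace(pkt, dst_ip=self.internal_ip, dst_port=port)


@dataclass(frozen=True)
class PolicyRule:
    name: str
    from_zone: str
    to_zone: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any" (post-NAT address!)
    dst_port: Optional[int]  # None = any service
    action: str              # "allow" or "deny"

    def matches(self, pkt: Packet, dst_zone: str) -> bool:
        return (self.from_zone in ("any", pkt.src_zone)
                and self.to_zone in ("any", dst_zone)
                and _in(self.src, pkt.src_ip)
                and _in(self.dst, pkt.dst_ip)
                and self.dst_port in (None, pkt.dst_port))


def _in(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec)


def zone_of(ip: str, zone_table: dict) -> str:
    """Map a (post-NAT) destination address to the zone it lives in."""
    for cidr, zone in zone_table.items():
        if ip_address(ip) in ip_network(cidr):
            return zone
    return "UNKNOWN"


def evaluate(pkt, virtual_servers, policy, zone_table):
    """Return (action, rule_name, packet_after_nat)."""
    # Step 1: destination NAT; the first matching virtual server wins.
    for vs in virtual_servers:
        translated = vs.translate(pkt)
        if translated is not None:
            pkt = translated
            break
    # Step 2: ordered security policy, evaluated on the translated packet.
    dst_zone = zone_of(pkt.dst_ip, zone_table)
    for rule in policy:
        if rule.matches(pkt, dst_zone):
            return rule.action, rule.name, pkt
    # Step 3: nothing matched, so the default rule applies ("Match default rule, Drop").
    return "drop", "default rule", pkt


# Constructed topology: LAN1 subnet, the device's own wan1 address in zone ZyWALL.
ZONES = {"192.168.50.0/24": "LAN1", "198.51.100.10/32": "ZyWALL"}
VIRTUAL_SERVERS = [VirtualServer("198.51.100.10", 8899, "192.168.50.18", 8899)]
POLICY = [
    # WAN -> LAN1, destination is the internal Qnap host, service TCP 8899
    PolicyRule("Allow_HBS3", "WAN", "LAN1", "203.0.113.0/24", "192.168.50.18/32", 8899, "allow"),
    # WAN -> device itself, restricted source range, one management service only
    PolicyRule("WAN_to_Device", "WAN", "ZyWALL", "203.0.113.0/24", "any", 443, "allow"),
]


def check(src_ip: str, dst_port: int):
    """Run one inbound TCP connection to the wan1 address through the model."""
    return evaluate(Packet(src_ip, "198.51.100.10", dst_port), VIRTUAL_SERVERS, POLICY, ZONES)


if __name__ == "__main__":
    for src, port in [("203.0.113.5", 8899), ("203.0.113.5", 8898), ("192.0.2.7", 8899)]:
        action, rule, after = check(src, port)
        print(f"{src} -> :{port}  nat={after.dst_ip}:{after.dst_port}  {action} ({rule})")
```

The second scenario reproduces the symptom in the post: a probe on a port other than 8899 never matches the virtual server, so it arrives addressed to the device itself, and with no WAN-to-ZyWALL rule for that port it falls to the default drop. The third shows that NAT succeeding is not enough: a source outside the rule's address object is still dropped by the default rule after translation.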




Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,139  Zyxel Employee
    edited May 2022 Answer ✓

    According to our remote session result, we noticed the USG60 can NAT forward to the Qnap host IP (192.168.50.18:8899) successfully.

    So, we suggest you check whether the Qnap device can receive the port 8899 related traffic from the USG60. If so, it may not be the USG60's problem.


All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,139  Zyxel Employee

    It seems you disabled your NAT rule; you may enable it and see if NAT works?

    BTW, you can use the command below to troubleshoot whether NAT works on your lan1 interface (assuming D-QNAP's IP address belongs to lan1):
    Router#packet-trace interface lan1 extension-filter port 8899

  • Sander1977
    Sander1977 Posts: 2
    Hi Jeff, thanks for your reply. I've disabled rule 13 since it's the same as rule 2; rule 13 was for another Qnap which has been disabled. I tried testing with both rules.

    The external Q-nap is D-ANDRE. And in the log it shows "match default rule" drop.

    Thanks,
    Sander
  • PeterUK
    PeterUK Posts: 3,020
    edited May 2022
    Uncheck "Use Static-Dynamic Route to Control 1-1 NAT Route".

    Is port 8899 used in any other NAT rules?

    Make address object for type interface IP wan1 and set for External IP NAT rule.

    What is the subnet for LAN1 and the IP of the Qnap host? And is the device connected to the LAN1 port?
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,139  Zyxel Employee
    Hi @Sander1977

    Can you provide the device config file to us via private message? Maybe we can try to troubleshoot it at our lab.