HTTPS virtual server - requests coming in on different ports?

ChipConnJohn
ChipConnJohn Posts: 44  Freshman Member
Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula First Comment Fourth Anniversary
Hello all,

I'm trying to configure an ATP500 to pass https traffic to a FileMaker Pro server.  I have everything set properly as far as I can tell, but when I look in the logs I see:

Match default rule, DNAT Packet, DROP  Source=IP of Source Server:5103  Destination= IP of internal FMP server:443  ACCESS BLOCK

I can't figure out why the requests are coming in on ports other than 443?  

I've tested from a web browser too and get the same result.  Source ports ranging from around 4350 to 6000.

My NAT Rule:
Virtual Server  Incoming Interface: ge2(my WAN)  Source IP=(IP of requesting server) ExternalIP= WAN1  InternalIP = FMP Server IP  Port Mapping Type= Service  Ext Port=HTTPS  Int Port=HTTPS

TIA,
John

Accepted Solution

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula First Comment Fourth Anniversary
    Answer ✓
    SOLVED!

    Ok, the port number thing was throwing me off.  I looked at a different port forwarding that is working and the random ports are in the logs there too.  So, that was a red herring.

    The problem was I had To:LAN1 on an ATP500.  I don't use many of these.  I use a lot of the ATP100/200s.  These have LAN1 predefined.  On the ATP500 there are no default members in LAN1.  However, LAN has the member physical ports of my LAN.  Once I changed the Policy Control rule To:LAN it all worked.

    Thanks,
    -John

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Hi @ChipConnJohn

    Match default rule, DNAT Packet, DROP  Source=IP of Source Server:5103  Destination= IP of internal FMP server:443  ACCESS BLOCK

    "Match default rule" and dropped means the traffic doesn't hit the proper security policy, please check your security policy if allow the traffic which is from WAN to LAN direction.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula First Comment Fourth Anniversary
    Thanks Jeff, 

    In my Policy Control, the first rule is this:
    From:WAN  To:LAN1  IPv4Source:IPHostObject of internet source  IPv4Destination:FMPServerLanIP  Service:HTTPS  Device:any  User:any  Schedule:None  Action:allow  Log:no  Profile:nothing here.

    I think I have this correct?

    I'm still confused why the error message says the incoming port number is 5103 (or anything other than 443).  
  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula First Comment Fourth Anniversary
    I just setup a test from my IP going to port 444 in NAT and 443 to the FMP Server.

    I put https://WANipOFDest:444 in my webbrowser.

    When I look at the logs I see:
    Match default rule, DNAT packet, DROP  Source:MyWanIP:64823  Dest:InternalIPofFMP:443  Access Block.

    Why are these requests coming in on random dynamic ports when I'm specifying, in this case port 444?
    Or am I looking at this incorrectly?
  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula First Comment Fourth Anniversary
    Answer ✓
    SOLVED!

    Ok, the port number thing was throwing me off.  I looked at a different port forwarding that is working and the random ports are in the logs there too.  So, that was a red herring.

    The problem was I had To:LAN1 on an ATP500.  I don't use many of these.  I use a lot of the ATP100/200s.  These have LAN1 predefined.  On the ATP500 there are no default members in LAN1.  However, LAN has the member physical ports of my LAN.  Once I changed the Policy Control rule To:LAN it all worked.

    Thanks,
    -John

Security Highlight