HTTPS virtual server - requests coming in on different ports?
ChipConnJohn
Posts: 44 Freshman Member
in Security
Hello all,
I'm trying to configure an ATP500 to pass https traffic to a FileMaker Pro server. I have everything set properly as far as I can tell, but when I look in the logs I see:
Match default rule, DNAT Packet, DROP Source=IP of Source Server:5103 Destination= IP of internal FMP server:443 ACCESS BLOCK
I can't figure out why the requests are coming in on ports other than 443?
I've tested from a web browser too and get the same result. Source ports ranging from around 4350 to 6000.
My NAT Rule:
Virtual Server Incoming Interface: ge2(my WAN) Source IP=(IP of requesting server) ExternalIP= WAN1 InternalIP = FMP Server IP Port Mapping Type= Service Ext Port=HTTPS Int Port=HTTPS
TIA,
John
Accepted Solution
SOLVED!
Ok, the port number thing was throwing me off. I looked at a different port forwarding that is working and the random ports are in the logs there too. So, that was a red herring.
The problem was I had To:LAN1 on an ATP500. I don't use many of these. I use a lot of the ATP100/200s. These have LAN1 predefined. On the ATP500 there are no default members in LAN1. However, LAN has the member physical ports of my LAN. Once I changed the Policy Control rule To:LAN it all worked.
Thanks,
-John
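As an added illustration (not part of this thread or any Zyxel code), the Python below models the two points the thread works through: the "random" number in the DROP log is the client's ephemeral source port while the destination port is still 443, and an allow rule whose To: zone has no member interfaces never matches, so the packet falls through to the default rule and is dropped. The log lines, IP addresses, zone names and interface members are constructed placeholders, and the zone-based policy evaluation is a simplified assumption written for this example, not the ATP500's actual implementation.

```python
import re

# Constructed sample log lines, modelled on the two quoted in the thread.
# Addresses are placeholders; the original post redacts them.
SAMPLE_LOGS = [
    "Match default rule, DNAT Packet, DROP Source=203.0.113.10:5103 "
    "Destination= 192.168.1.50:443 ACCESS BLOCK",
    "Match default rule, DNAT packet, DROP Source:203.0.113.10:64823 "
    "Dest:192.168.1.50:443 Access Block",
]

# Tolerates both spellings seen in the thread ("Source=" / "Source:",
# "Destination=" / "Dest:") and the space after "=".
LOG_RE = re.compile(
    r"Match (?P<rule>.+?), DNAT packet, (?P<action>\w+) "
    r"Source[=:]\s*(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"Dest(?:ination)?[=:]\s*(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)",
    re.IGNORECASE,
)


def parse_drop_line(line):
    """Pull rule name, action, endpoints and ports out of a DNAT log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def classify_ports(entry, service_port=443):
    """The 'random' number is the client's source port; the destination
    port is the one the NAT rule and the security policy match on."""
    return {
        "dst_is_service_port": entry["dst_port"] == service_port,
        # Anything above the well-known range is a client-chosen source port.
        "src_is_ephemeral": entry["src_port"] >= 1024,
    }


# Simplified zone model (assumption for this example): on the poster's
# ATP500 the LAN1 zone had no member interfaces, while LAN held the
# physical LAN ports. Interface names are constructed.
ZONES_ATP500 = {"WAN": {"ge2"}, "LAN": {"ge3", "ge4"}, "LAN1": set()}


def policy_action(rules, zones, pkt):
    """Return (action, rule name) of the first matching rule, else the
    default DROP, mirroring the 'Match default rule ... DROP' log line."""
    for r in rules:
        if (pkt["in_if"] in zones.get(r["from"], set())
                and pkt["out_if"] in zones.get(r["to"], set())
                and pkt["dst_ip"] == r["dst_ip"]
                and pkt["dst_port"] == r["dst_port"]):
            return r["action"], r["name"]
    return "DROP", "default rule"


def check_forwarding(to_zone):
    """Evaluate the thread's WAN-to-server HTTPS allow rule with the given
    To: zone against the first sample log line."""
    rule = {"name": "allow-fmp-https", "from": "WAN", "to": to_zone,
            "dst_ip": "192.168.1.50", "dst_port": 443, "action": "ALLOW"}
    entry = parse_drop_line(SAMPLE_LOGS[0])
    # After DNAT the packet leaves via a LAN port toward the internal server.
    pkt = {"in_if": "ge2", "out_if": "ge3",
           "dst_ip": entry["dst_ip"], "dst_port": entry["dst_port"]}
    return policy_action([rule], ZONES_ATP500, pkt)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = parse_drop_line(line)
        print(e["src_ip"], e["src_port"], "->", e["dst_port"], classify_ports(e))
    print("To:LAN1 ->", check_forwarding("LAN1"))
    print("To:LAN  ->", check_forwarding("LAN"))
```

Running it shows both log lines carry destination port 443 with an ephemeral source port, and that the same allow rule yields the default-rule DROP with To:LAN1 (empty zone) but ALLOW with To:LAN, which is the change that resolved the thread.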
All Replies
Hi @ChipConnJohn
Match default rule, DNAT Packet, DROP Source=IP of Source Server:5103 Destination= IP of internal FMP server:443 ACCESS BLOCK
"Match default rule" and dropped means the traffic doesn't hit the proper security policy. Please check whether your security policy allows traffic in the WAN-to-LAN direction.
Thanks Jeff,
In my Policy Control, the first rule is this:
From:WAN To:LAN1 IPv4Source:IPHostObject of internet source IPv4Destination:FMPServerLanIP Service:HTTPS Device:any User:any Schedule:None Action:allow Log:no Profile:nothing here.
I think I have this correct?
I'm still confused why the error message says the incoming port number is 5103 (or anything other than 443).
I just setup a test from my IP going to port 444 in NAT and 443 to the FMP Server.
I put https://WANipOFDest:444 in my webbrowser.
When I look at the logs I see:
Match default rule, DNAT packet, DROP Source:MyWanIP:64823 Dest:InternalIPofFMP:443 Access Block.
Why are these requests coming in on random dynamic ports when I'm specifying, in this case port 444?
Or am I looking at this incorrectly?