V4.32 NAT port 80 and 443 not allowed
So you're stopping the use of 80 and 443 from WAN or OPT to a NAT IP? This seems like a silly idea?
This idea needs to be done correctly, as I have a rule in place that works, and it says it's conflicting when it's not, for a virtual interface on LAN1. I can understand it's to stop people from doing a NAT rule on LAN1 directly that stops them logging in, but it's too strict.
Accepted Solution
-
@PeterUK
Regarding this case,
the solution will be included in the next patch firmware, released by the end of Feb.
@OneZyUser
Regarding your first description,
for example, if you change the device port from 80, 443 to 8080, you can only access the device with port 8080 (from the WAN or LAN side).
Charlie
5
All Replies
-
Hi @PeterUK
This is because port 80 is used by the ZyWALL HTTP server.
You can change the default HTTP server port to another one, and then this problem does not occur.
Configuration > System > WWW > HTTP server port.
0 -
But you don't have to; the rule works fine without changing the ZyWALL HTTP server. You can run a web server on port 80 with the ZyWALL HTTP server on port 80.
0 -
Just an update: this is still a problem in V4.33.
0 -
@Zyxel_Stanley, the problem is if I disable admin access to port 443 (https, or 80 http) from WAN (so that only admins can access it from within the LAN), I should be able to free up that port for a virtual server behind NAT (when coming from WAN, and nat_loopback disabled).
Another corner case is, as it happened to me, if I have a group of static IPs (all terminating at the same physical port), this rule will prevent me from running another server on the same port (even if I use a different static WAN IP).
0 -
For example, it is possible to do so
0 -
Hi. You can use the "Redirect Service" to publish a web service.
You need to create a security policy to allow this traffic (Wan to Serverxxx Allow).
0 -
I just got a new firewall for a customer and I have the same issue. I don't mind the warning if my NAT rule was set to answer on my firewall IP, but I have a block of 5 IPs and I get this error even if I set the NAT rule to answer on a different IP address. I think this is pretty dumb, as the only way to resolve it seems to be to change the device ports to something else... not a deal breaker, but a pain. If this is the way it will be, you should default the firewall access ports to something besides 80 and 443 out of the box, like 8080 and 4433 (as most other firewalls already do this), but I still don't understand why this would happen when setting the NAT rule to answer on an IP other than my firewall interface IP.
0 -
It's said that this will be fixed at some point, but what you can do is edit the config file to force the ports you want.
0 -
@michael3767
This case is already solved in the patch firmware, so which model are you using?
I will private message the firmware to you.
Charlie
0