Getting DNAT Packet DROP trying to NAT in a Zyxel - Here's the trick
This had me stumped for a bit. I have an HTTPS service that needs to be accessible from the outside. But the server is set up with the standard port 443. Since that's used elsewhere, we set up a 1:1 NAT rule for port 7443 → port 443 and set up a firewall policy that was basically this:
From: WAN
To: DMZ
IPv4 Source: United_States_IPs
IPv4 Dest: Internal DMZ Server
Service: Port 7443
But it would NOT work. We kept getting:
Match default rule, DNAT Packet, DROP [count=3]
So I found this discussion (and a few others)
For some reason in these threads Zyxel kept saying to add TELNET to the ZyWall firewall rule, but that makes no sense…
On a hunch, I changed the firewall rule so the Service matched the NAT destination service (port 443). And it worked when accessing the DNAT port (7443). When I tried to access port 443 directly, the packets dropped.
Seems counterintuitive - I expect the port I need to 'open' is the actual one before NAT... But it seems like DNAT happens 'before' the firewall rule, and the port in the NAT rule tied to the WAN1 interface takes care of opening the outside port (7443) while the firewall rule takes care of allowing it 'inside' (443).
Just thought I'd mention it in case others run into this.
Accepted Solution
Hi @itxnc ,
Greetings Forum, you're correct. DNAT happens "before" the firewall rule.
There will be a hidden rule after the Virtual Server is created:
src: USA IP
dport: 7443
dst: Internal DMZ Server:443
At the next packet examination (Firewall rule), the packet looks like:
src: USA IP
dport: 443
dst: Internal DMZ Server:443
So you will need an allow rule with the translated port.
Thank you
0
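To make the ordering described in this thread concrete, here is a small model of the two stages (1:1 NAT first, then the WAN-to-DMZ security policy evaluated against the translated packet). It is an added illustration, not Zyxel code or the poster's configuration; the IP addresses and the policy/NAT structures are constructed placeholders.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed sample addresses (hypothetical, not from the thread).
WAN_IP = "203.0.113.10"        # ZyWall WAN1 address
DMZ_SERVER = "192.168.100.20"  # "Internal DMZ Server"
US_CLIENT = "198.51.100.7"     # a client inside the United_States_IPs object
UNITED_STATES_IPS = {US_CLIENT}

# 1:1 NAT (Virtual Server) on WAN1: outside 7443 -> DMZ server 443.
NAT_RULE = dict(orig_ip=WAN_IP, orig_port=7443, mapped_ip=DMZ_SERVER, mapped_port=443)

def apply_dnat(pkt: Packet, rule: dict) -> tuple[Packet, bool]:
    """Stage 1: DNAT rewrites dst/dport before any security policy is consulted."""
    if pkt.dst == rule["orig_ip"] and pkt.dport == rule["orig_port"]:
        return replace(pkt, dst=rule["mapped_ip"], dport=rule["mapped_port"]), True
    return pkt, False

def apply_policy(pkt: Packet, policy: dict) -> str:
    """Stage 2: WAN->DMZ policy matched against the *translated* packet; default is DROP."""
    if pkt.src in policy["src"] and pkt.dst == policy["dst"] and pkt.dport == policy["service"]:
        return "ALLOW"
    return "DROP"

def process(pkt: Packet, policy: dict) -> str:
    """Run both stages and return the verdict (or the log line the thread reports)."""
    translated, natted = apply_dnat(pkt, NAT_RULE)
    verdict = apply_policy(translated, policy)
    if verdict == "DROP" and natted:
        return "Match default rule, DNAT Packet, DROP"   # the log line seen in the thread
    return verdict

def wan_to_dmz_policy(service: int) -> dict:
    """The poster's firewall policy, parameterised by the Service port."""
    return dict(src=UNITED_STATES_IPS, dst=DMZ_SERVER, service=service)

if __name__ == "__main__":
    via_nat = Packet(US_CLIENT, WAN_IP, 7443)
    direct = Packet(US_CLIENT, WAN_IP, 443)
    print(process(via_nat, wan_to_dmz_policy(7443)))  # original rule (7443): dropped
    print(process(via_nat, wan_to_dmz_policy(443)))   # rule on translated port: ALLOW
    print(process(direct, wan_to_dmz_policy(443)))    # untranslated 443 to the WAN IP: DROP
```

The third case explains why hitting 443 directly still drops: no NAT rule matches, so the packet reaches the policy with the WAN address as its destination rather than the DMZ server.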