Getting DNAP Packet DROP trying to NAT in a Zyxel - Here's the trick
This had me stumped for a bit. I have an HTTPS service that needs to be accessible from the outside. But the server is setup with the standard port 443. Since that's used elsewhere, we setup a 1:1 NAT Rule for port 7443 → port 443 and setup a firewall policy that was basically this:
From: WAN
To: DMZ
IPv4 Source: United_States_IPs
IPv4 Dest: Internal DMZ Server
Service: Port 7443
But it would NOT work. We kept getting:
Match default rule, DNAT Packet, DROP [count=3]
So I found this discussion (and a few others)
For some reason in these threads Zyxel kept saying to add TELNET to the ZyWall firewall rule, but that makes no sense…
On a hunch, I changed the firewall rule so the Service matched the NAT destination service (port 443). And it worked when accessing the DNAT port (7443). When I tried to access port 443 directly, the packets dropped.
Seems counterintuitive - I expect the port I need to 'open' is the actual one before NAT. . . But it seems like DNAT happens 'before' the firewall rule and the port in NAT tied to the WAN1 interface takes care of opening the outside port (7443) and the firewall rule takes care of allowing it 'inside' (443).
Just thought I'd mention it in case others run into this.
Accepted Solution
-
Hi @itxnc ,
Greeting Forum, You're corret. DNAT happens "before" firewall rule.
We will have hidden rule after created Virtual server :
src: USA IP
dport:7443
dst: Internal DMZ Server:443.
The next packets exaimation (Firewall rule), packet be like
src:USA IP
dport:443
dst: Internal DMZ Server:443
So you will need the kind of allowed rule with translated port.
Thank you
0
All Replies
-
Hi @itxnc ,
Greeting Forum, You're corret. DNAT happens "before" firewall rule.
We will have hidden rule after created Virtual server :
src: USA IP
dport:7443
dst: Internal DMZ Server:443.
The next packets exaimation (Firewall rule), packet be like
src:USA IP
dport:443
dst: Internal DMZ Server:443
So you will need the kind of allowed rule with translated port.
Thank you
0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight