Getting DNAT Packet DROP trying to NAT in a Zyxel - Here's the trick
This had me stumped for a bit. I have an HTTPS service that needs to be accessible from the outside. But the server is set up with the standard port 443. Since that's used elsewhere, we set up a 1:1 NAT rule for port 7443 → port 443 and set up a firewall policy that was basically this:
- From: WAN
- To: DMZ
- IPv4 Source: United_States_IPs
- IPv4 Dest: Internal DMZ Server
- Service: Port 7443
But it would NOT work. We kept getting:
Match default rule, DNAT Packet, DROP [count=3]
So I found this discussion (and a few others)
For some reason in these threads Zyxel kept saying to add TELNET to the ZyWall firewall rule, but that makes no sense…
On a hunch, I changed the firewall rule so the Service matched the NAT destination service (port 443). And it worked when accessing the DNAT port (7443). When I tried to access port 443 directly, the packets dropped.
Seems counterintuitive - I expect the port I need to 'open' is the actual one before NAT... But it seems like DNAT happens 'before' the firewall rule and the port in NAT tied to the WAN1 interface takes care of opening the outside port (7443) and the firewall rule takes care of allowing it 'inside' (443).
Just thought I'd mention it in case others run into this.
Accepted Solution
Hi @itxnc, Greetings Forum. You're correct. DNAT happens "before" the firewall rule. We will have a hidden rule after the Virtual Server is created: src: USA IP dport: 7443 dst: Internal DMZ Server:443. At the next packet examination (Firewall rule), the packet will look like src: USA IP dport: 443 dst: Internal DMZ Server:443. So you will need an allow rule with the translated port. Thank you
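To make the ordering described above concrete, here is a small added simulation (not Zyxel code or anything from this thread) of the two stages: the Virtual Server DNAT runs first, then the WAN→DMZ security policy is matched against the already-translated packet. The addresses, the single-prefix stand-in for United_States_IPs and the function names are all constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample addresses; the thread names none of these.
WAN_IP = "203.0.113.10"        # address on the WAN1 interface
DMZ_SERVER = "192.168.3.20"    # the "Internal DMZ Server" object
USA_IPS = [ip_network("198.51.100.0/24")]  # stands in for United_States_IPs

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Virtual Server / 1:1 NAT on WAN1: public port 7443 -> DMZ server port 443.
DNAT_TABLE = {(WAN_IP, 7443): (DMZ_SERVER, 443)}

def apply_dnat(pkt: Packet) -> Packet:
    """Stage 1: destination NAT. Runs before the security policy, so the
    policy never sees the public port 7443, only the translated tuple."""
    target = DNAT_TABLE.get((pkt.dst, pkt.dport))
    return pkt if target is None else replace(pkt, dst=target[0], dport=target[1])

def zone_of(ip: str) -> str:
    """Zone lookup for the toy model: only the DMZ host is in DMZ."""
    return "DMZ" if ip == DMZ_SERVER else "WAN"

def security_policy(pkt: Packet, service_port: int) -> str:
    """Stage 2: the one WAN->DMZ policy from the post, with its Service
    field set to service_port. No match falls through to the default
    rule, which is what logs 'Match default rule, DNAT Packet, DROP'."""
    matches = (
        zone_of(pkt.src) == "WAN"
        and zone_of(pkt.dst) == "DMZ"
        and any(ip_address(pkt.src) in net for net in USA_IPS)
        and pkt.dst == DMZ_SERVER
        and pkt.dport == service_port
    )
    return "ALLOW" if matches else "DROP (default rule)"

def verdict(public_port: int, service_port: int, src: str = "198.51.100.7") -> str:
    """Trace one inbound connection to the WAN1 address through both stages."""
    pkt = Packet(src=src, dst=WAN_IP, dport=public_port)
    return security_policy(apply_dnat(pkt), service_port)

if __name__ == "__main__":
    print("policy 7443, client -> :7443 :", verdict(7443, 7443))  # DROP: policy saw 443
    print("policy 443,  client -> :7443 :", verdict(7443, 443))   # ALLOW
    print("policy 443,  client -> :443  :", verdict(443, 443))    # DROP: no DNAT, dst stays WAN IP
```

The third case reproduces the "port 443 directly" observation: without a Virtual Server entry for 443 the packet is never translated, so its destination remains the WAN interface and the WAN→DMZ policy cannot match it.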