Getting DNAP Packet DROP trying to NAT in a Zyxel - Here's the trick

itxnc

This had me stumped for a bit. I have an HTTPS service that needs to be accessible from the outside. But the server is set up with the standard port 443. Since that's used elsewhere, we set up a 1:1 NAT Rule for port 7443 → port 443 and set up a firewall policy that was basically this:

From: WAN
To: DMZ
IPv4 Source: United_States_IPs
IPv4 Dest: Internal DMZ Server
Service: Port 7443

But it would NOT work. We kept getting:

Match default rule, DNAT Packet, DROP [count=3]

So I found this discussion (and a few others)

For some reason in these threads Zyxel kept saying to add TELNET to the ZyWall firewall rule, but that makes no sense…

On a hunch, I changed the firewall rule so the Service matched the NAT destination service (port 443). And it worked when accessing the DNAT port (7443). When I tried to access port 443 directly, the packets dropped.

Seems counterintuitive - I expect the port I need to 'open' is the actual one before NAT... But it seems like DNAT happens 'before' the firewall rule and the port in NAT tied to the WAN1 interface takes care of opening the outside port (7443) and the firewall rule takes care of allowing it 'inside' (443).

Just thought I'd mention it in case others run into this.

Accepted Solution

  • Zyxel_Kevin

    Hi @itxnc ,

    Greetings Forum, you're correct. DNAT happens "before" the firewall rule.

    We will have a hidden rule after the Virtual Server is created:

    src: USA IP

    dport:7443

    dst:  Internal DMZ Server:443.

    At the next packet examination (firewall rule), the packet will look like:

    src:USA IP

    dport:443

    dst: Internal DMZ Server:443

    So you will need an allow rule with the translated port.

    Thank you
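The ordering described in the post and in Zyxel_Kevin's answer, as an added simulation that is not Zyxel's code or part of the thread: a Virtual Server (1:1 NAT) rule rewrites the destination first, and only then are security policies matched against the translated packet, so a policy written for the outside port (7443) never matches and the default rule drops the packet. All addresses, the `United_States_IPs` stand-in network, and the class and function names are constructed for the example.

```python
"""Added example: model of Zyxel's DNAT-before-policy evaluation order.

Not Zyxel's code. Addresses, zones and rule names are constructed stand-ins
for the thread's setup (WAN -> DMZ, United_States_IPs, 7443 -> 443).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str  # zone of the ingress interface


@dataclass(frozen=True)
class NatRule:
    """Virtual Server: traffic to original_ip:original_port is rewritten
    to mapped_ip:mapped_port before any security policy is consulted."""
    original_ip: str
    original_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src_nets: tuple      # networks allowed as source
    dst_ip: str
    dport: int           # the "Service" field of the policy
    action: str          # "allow" or "deny"


# Constructed sample data (documentation ranges, not real hosts).
WAN_IP = "203.0.113.10"          # ZyWALL WAN1 address
DMZ_SERVER = "192.0.2.50"        # "Internal DMZ Server"
DMZ_NET = ip_network("192.0.2.0/24")
US_IPS = (ip_network("198.51.100.0/24"),)   # stand-in for United_States_IPs

NAT = NatRule(WAN_IP, 7443, DMZ_SERVER, 443)

# The policy the poster wrote first (matches the outside port) ...
POLICY_OUTSIDE_PORT = Policy("WAN", "DMZ", US_IPS, DMZ_SERVER, 7443, "allow")
# ... and the one that works (matches the translated, inside port).
POLICY_TRANSLATED_PORT = Policy("WAN", "DMZ", US_IPS, DMZ_SERVER, 443, "allow")


def apply_dnat(pkt, rule):
    """Rewrite destination if the packet hits the Virtual Server rule."""
    if pkt.dst == rule.original_ip and pkt.dport == rule.original_port:
        return replace(pkt, dst=rule.mapped_ip, dport=rule.mapped_port)
    return pkt


def zone_of(ip):
    """Destination zone after translation; the firewall's own address
    belongs to the ZyWALL zone, DMZ hosts to DMZ, everything else WAN."""
    if ip == WAN_IP:
        return "ZyWALL"
    return "DMZ" if ip_address(ip) in DMZ_NET else "WAN"


def evaluate(pkt, nat, policies):
    """Return (verdict, log_line). DNAT runs first, then policies are
    matched against the translated packet; no match hits the default drop."""
    translated = apply_dnat(pkt, nat)
    to_zone = zone_of(translated.dst)
    for p in policies:
        if (p.from_zone == translated.in_zone and p.to_zone == to_zone
                and any(ip_address(translated.src) in n for n in p.src_nets)
                and p.dst_ip == translated.dst
                and p.dport == translated.dport):
            return p.action, f"Match policy dport={p.dport}, {p.action.upper()}"
    if translated != pkt:
        return "drop", "Match default rule, DNAT Packet, DROP"
    return "drop", "Match default rule, DROP"


if __name__ == "__main__":
    us_client = "198.51.100.7"
    to_7443 = Packet(us_client, WAN_IP, 7443, "WAN")
    to_443 = Packet(us_client, WAN_IP, 443, "WAN")
    print("policy on 7443, hit 7443:", evaluate(to_7443, NAT, [POLICY_OUTSIDE_PORT]))
    print("policy on 443,  hit 7443:", evaluate(to_7443, NAT, [POLICY_TRANSLATED_PORT]))
    print("policy on 443,  hit 443 :", evaluate(to_443, NAT, [POLICY_TRANSLATED_PORT]))
```

Running the three scenarios reproduces the thread: the 7443 policy produces the "DNAT Packet, DROP" line, the 443 policy allows the NATed connection, and a direct connection to the WAN address on 443 is not translated and falls through to the default drop because nothing maps it into the DMZ. A non-US source still drops with the working policy, so the geo restriction is preserved.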
