Unable to browse websites hosted on my LAN

Hector
edited April 2021 in Security
My previous USG 20 died and I upgraded to a Zywall 110. I'm hosting several websites on my LAN. I'm using an Apache web server reverse proxy to specific domains to different servers in my LAN. All it's doing is forwarding port 80 to port 8080 on Heracles. I already changed the firewall's port to 8081. This all worked fine on my USG 20.

The 110 has the new (to me) Security Policy Control. I've tried several permutations, but I can't seem to get the right rule to let me see the hosted sites from inside my LAN.

Here are the NAT rules:

Here are the policy rules:

I tried about 26 or 27 different permutations of the SERVER_REVERSE_PROXY rule with no luck. The websites work fine from the WAN.

Thanks in advance!

Accepted Solution

  • Zyxel_Stanley (Zyxel Employee)
    Answer ✓

    Hi @Hector  

    The reason is that the NAT loopback function was not enabled.

    Because you access the server from the LAN side, the NAT loopback function is required.

    Happy to know we found the reason for it. :+1:


All Replies

  • Zyxel_Stanley (Zyxel Employee)

    Hi @Hector  

    The service port (destination port) on your policy control rule should be port 8080, not 80.

    You can change it to 8080 and try again.

    You can also refer to the FAQ for the port forwarding guide.

  • Hector
    I changed the policy control rule as you suggested like so:

    I'm still unable to browse websites from my LAN. The new Email_IMAP rule is working as I expected. This one is so strange!

    Any other ideas?
  • Zyxel_Stanley (Zyxel Employee)

    Hi @Hector

    It’s a strange situation, since your mail server is working correctly.

    I will send you a private message to check this situation in more detail.

  • PeterUK (Guru Member)
    edited April 2019

    You could try IPv4 to any and see if that works.

    Are you using the newest firmware? 


  • Hector
    Both NAT and Security Control rules are IPV4.

    I'm using firmware version V4.33(AAAA.0). As far as I can tell, that's the latest for Zywall 110.
  • PeterUK (Guru Member)

    Looking at your screenshots you cannot have “Enable NAT Loopback” setting enabled with “External IP” set to “any”.

    Make an address rule with type “INTERFACE IP” for “wan1” and set that for “External IP” and check “Enable NAT Loopback”.
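
Why a LAN client needs NAT loopback, shown as an added example that is not part of the thread and not Zyxel's implementation: a generic hairpin-NAT packet model in Python. All addresses are constructed sample values and the mode names are hypothetical; only the 80 to 8080 forward comes from the original post.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Constructed sample addressing (assumptions, not taken from the thread).
WAN_IP, FW_LAN_IP = "203.0.113.5", "192.168.1.1"
CLIENT, SERVER = "192.168.1.10", "192.168.1.20"
EXT_PORT, INT_PORT = 80, 8080   # port forward described in the thread


def browse_from_lan(mode):
    """Simulate one LAN client request to the public address.

    mode: "wan_only"  - NAT rule matches packets arriving on WAN only
          "dnat_only" - rule also matches LAN packets, destination rewritten
          "loopback"  - destination and source both rewritten (hairpin NAT)
    Returns (outcome, reply packet seen by the client or None).
    """
    req = Packet(CLIENT, 40000, WAN_IP, EXT_PORT)
    if mode == "wan_only":
        # Rule never fires; the packet targets the firewall itself, which
        # is assumed to have no service on EXT_PORT, so nothing answers.
        return "no listener on firewall", None

    # DNAT: forward to the internal server and port.
    fwd = req._replace(dst=SERVER, dport=INT_PORT)
    if mode == "loopback":
        # SNAT: the server must see the firewall as its peer so that
        # replies travel back through the firewall.
        fwd = fwd._replace(src=FW_LAN_IP)

    # The server answers whoever the packet claims to be from.
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if reply.dst == FW_LAN_IP:
        # Firewall reverses both translations from its connection table.
        reply = Packet(WAN_IP, EXT_PORT, CLIENT, req.sport)

    # The client accepts only replies from the address it contacted.
    ok = (reply.src, reply.sport) == (req.dst, req.dport)
    return ("connected" if ok else "reply dropped by client"), reply


if __name__ == "__main__":
    for mode in ("wan_only", "dnat_only", "loopback"):
        print(mode, "->", browse_from_lan(mode))
```
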

