Match default rule, DNAT Packet, DROP
I just deployed an ATP200 and upgraded its firmware to V4.35(ABFW.3).
Then I made a nat rule:
from public_ip port xxxx translate to internal_ip port yyyy
I made the relevant security policy:
from wan1 to internal_ip port xxxx allow
I keep getting "Match default rule, DNAT Packet, DROP"
How can I troubleshoot using the web console or the tools inside the firewall and see why DNAT is failing?
Also, I would like to troubleshoot whether it is missing a route, or PAT (port address translation) is failing, or NAT (network address translation) is failing.
Accepted Solution
Hi @Hoygen83
The default Policy Control rule does not allow telnet access to the device.
Go to Configuration > Object > Service > Service Group > select Default_Allow_WAN_TO_ZyWALL >click Edit
Add TELNET into Default_Allow_WAN_TO_ZyWALL group
Then you can telnet to access the device.
All Replies
Trying to troubleshoot the message: "Match default rule, DNAT Packet, DROP"
I edited the security policy, which is now:
from wan to internal_ip allow all
and the log message changed, now it is:
priority:1, from WAN to ANY, TCP, service others, DNAT Packet, ACCEPT
but if I telnet to public_ip xxxx I still cannot get a connection.
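A small log-triage helper for the two policy-control messages quoted in this thread, added here as an example (it is not Zyxel's code or the poster's). It parses each line, counts verdicts, and flags NAT-translated packets that fell through to the default rule, which is the case that needs an explicit policy; the field layout is assumed from the two messages above, and the sample lines are constructed.

```python
import re
from collections import Counter

# Field layout assumed from the two Zyxel policy-control messages in this thread:
#   "Match default rule, DNAT Packet, DROP"
#   "priority:1, from WAN to ANY, TCP, service others, DNAT Packet, ACCEPT"
_RULE_RE = re.compile(
    r"^(?:Match default rule|priority:(?P<prio>\d+), from (?P<src>\S+) to (?P<dst>\S+), "
    r"(?P<proto>\S+), service (?P<svc>.+?))"
    r"(?:, (?P<nat>DNAT|SNAT) Packet)?, (?P<verdict>ACCEPT|DROP|REJECT)$"
)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "Match default rule, DNAT Packet, DROP",
    "priority:1, from WAN to ANY, TCP, service others, DNAT Packet, ACCEPT",
    "priority:2, from LAN1 to WAN, TCP, service HTTP, ACCEPT",
    "some unrelated log line",
]


def parse_policy_log(line):
    """Return a dict for one policy-control line, or None if the line is not one."""
    m = _RULE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "default_rule": d["prio"] is None,   # no priority means the implicit default rule fired
        "priority": int(d["prio"]) if d["prio"] else None,
        "src_zone": d["src"],
        "dst_zone": d["dst"],
        "proto": d["proto"],
        "service": d["svc"],
        "nat": d["nat"],                     # "DNAT", "SNAT" or None
        "verdict": d["verdict"],
    }


def triage(lines):
    """Count verdicts and collect DNAT packets dropped by the default rule (policy gaps)."""
    counts, gaps = Counter(), []
    for line in lines:
        rec = parse_policy_log(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[rec["verdict"]] += 1
        if rec["default_rule"] and rec["nat"] == "DNAT" and rec["verdict"] == "DROP":
            gaps.append(line.strip())
    return counts, gaps
```

Each entry in the returned gaps list is a forwarded port whose translated destination no explicit policy matched, so the rule to add is the one that covers that post-NAT destination.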
Hi @Hoygen83
You can check if the telnet service is enabled on the device.
Go to Configuration > System > TELNET > enable the telnet, and try to telnet again
Thanks, the service is up.
But I still have the issue.
@Hoygen83
I was having the same issue on a USG60 with a simple SSH configuration. I kept getting the same DNAT error. In my case I changed the IPv4 Source from a Geo_filter to "any" and the ssh traffic could then flow. @Zyxel_Jerry is this expected behavior? Why does a geographic filter cause the DNAT to fail?
if activated here:
results in:
Whereas if policy is as such:
results in:
@tag2103
Have you checked your public IP address on the GeoIP page of the device?
From your description, it seems the public IP does not belong to the US, so the session will be dropped.
Is the Content Filter license enabled?