Match default rule, DNAT Packet, DROP

Hoygen83 Posts: 21  Freshman Member
edited April 2021 in Security

I just deployed an ATP200 and upgraded its firmware to V4.35(ABFW.3).

Then I made a nat rule:

from public_ip port xxxx translate to internal_ip port yyyy

I made the relevant security policy:

from wan1 to internal_ip port xxxx allow

I keep getting "Match default rule, DNAT Packet, DROP"

How can I troubleshoot using the web console or the tools inside the firewall and see why DNAT is failing?

Also, I would troubleshoot whether it is missing a route, or PAT (port address translation) is failing, or NAT (network address) is failing.

All Replies

  • Hoygen83 Posts: 21  Freshman Member

    Trying to troubleshoot the message: "Match default rule, DNAT Packet, DROP"

    I edited the security policy, which is now:

    from wan to internal_ip allow all

    and the log message changed, now it is:

    priority:1, from WAN to ANY, TCP, service others, DNAT Packet, ACCEPT

    But if I telnet to public_ip xxxx, I still find it impossible to get a connection.

  • Zyxel_Jerry Posts: 1,026  Zyxel Employee

    Hi @Hoygen83

    You can check if the telnet service is enabled on the device.

    Go to Configuration > System > TELNET > enable the telnet, and try to telnet again.


  • Hoygen83 Posts: 21  Freshman Member

    Thanks, the service is up.

    But I still have the issue.

  • @Hoygen83
    I was having the same issue on a USG60 with a simple SSH configuration. I kept getting the same DNAT error. In my case I changed the IPv4 Source from a Geo_filter to "any" and the ssh traffic could then flow. @Zyxel_Jerry is this expected behavior? Why does a geographic filter cause the DNAT to fail?


    if activated here:

    results in:


    Whereas if policy is as such:

    results in:

  • Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @tag2103
    Have you checked your public IP address on GeoIP page of device?

    From your description, it seems the public IP does not belong to the US, so the session will be dropped.
  • PeterUK Posts: 2,651  Guru Member
    Is Content Filter license enabled? 
