Issue with usg60w and server

Alecz87
Alecz87 Posts: 6  Freshman Member
edited April 2021 in Security
Hi all,
I've configured a server with a public IP address and a USG60W firewall in transparent bridge mode.
I've set the same public IP and gateway as the server on the bridge interface and set lan1 on the 192.168.6.1 subnet. Everything worked great: I was able to send and receive mail from the outside and I was able to connect from outside to the server via the public IP. Suddenly, without any kind of change, the server was no longer reachable; instead of the server via the public IP I reached the Zyxel login panel, and I was no longer able to send and receive emails.
Could someone give me an advice?

Thank you

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Hi @Alecz87,
    Did you enable Session control or ADP? (Configuration > Security policy > ADP|Session control)
    You can also check the log on Monitor > Log. Is there any event log about the mail server IP?

  • Alecz87
    Alecz87 Posts: 6  Freshman Member
    edited April 2018
    Hi @Zyxel_Cooldia, I've checked and ADP is disabled, while session control is empty; maybe I have to set a rule to give unlimited sessions to any host?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Hi @Alecz87,
    I thought that the mail server was blocked by USG ADP or session control, but it seems not.
    When the server cannot be accessed, can you ping the mail server from the USG diagnostic tool (Maintenance > Diagnostics > Network Tool)?

  • Alecz87
    Alecz87 Posts: 6  Freshman Member
    Hi @Zyxel_Cooldia, I need to try it; I think on Saturday morning, when I can do some tests without interfering with the users' work.
    I cannot understand how it is possible that everything works and then from one moment to the next it doesn't. I also tried to put the server on lan1 and set the public IP on wan1, but neither the email client nor the web panel of our mail server recognizes the authentication.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Hi @Alecz87,
    If you move the mail server to the LAN side, you have to set port mapping on the USG for the mail service ports,
    e.g. SMTP (TCP 25), POP3 (TCP 110), and the webmail port for Internet user access.
    From your issue description, it looks like the mail server service fails.
    The USG only forwards the traffic from WAN to LAN; it would not intervene in client-to-server authentication.

    Port mapping configuration guide:
    https://businessforum.zyxel.com/discussion/1171/how-to-allow-public-access-to-a-server-behind-zywall-usg#latest
  • Alecz87
    Alecz87 Posts: 6  Freshman Member
    Hi, I've done some tests. I noticed in the log monitor that when I try to access the email, I get a log message "match default rule, DROP", so I think there is a default rule that I have to disable.
  • Alecz87
    Alecz87 Posts: 6  Freshman Member
    Hi @Zyxel_Cooldia, I have this entry in the log monitor every time I try to connect to the mail server: "match default rule DROP destination 255.255.255.255:67 access block". I tried to add a new policy which allows port 67, but nothing changed.
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hi @Alecz87,
    The broadcast to port 67 exists when a device requests a DHCP address from the DHCP server; this is not an issue for mail server connectivity.
    Do you have a simple graph showing where the systems are located and what's working and not working?

    regards
    Christian
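To apply the advice above when reading Monitor > Log, here is an added triage script (not from this thread or from Zyxel) that separates the harmless DHCP broadcast drops to 255.255.255.255:67 from drops that actually hit the mail server's IP on mail ports. The log line layout is modelled on the single entry quoted in the thread, the sample lines and the server IP 203.0.113.10 are constructed, and the mail port set is an assumption.

```python
import re
from ipaddress import ip_address

# Constructed sample log, modelled on the one line quoted in the thread.
# The exact USG log format is an assumption; adapt LINE_RE to real exports.
SAMPLE_LOG = """\
match default rule DROP destination 255.255.255.255:67 access block
match default rule DROP destination 203.0.113.10:25 access block
match default rule DROP destination 203.0.113.10:110 access block
match default rule DROP destination 203.0.113.10:443 access block
match default rule DROP destination 255.255.255.255:67 access block
"""

# Assumed mail-related ports: SMTP/POP3 as named in the thread, plus IMAP,
# submission, the TLS variants and HTTPS for the webmail panel.
MAIL_PORTS = {25, 110, 143, 443, 465, 587, 993, 995}

LINE_RE = re.compile(
    r"match default rule (?P<action>\w+) destination (?P<ip>[\d.]+):(?P<port>\d+)"
)


def classify(line):
    """Label one log line: DHCP discovery noise, mail-related, other, or unparsed."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    ip, port = ip_address(m.group("ip")), int(m.group("port"))
    if ip == ip_address("255.255.255.255") and port == 67:
        # A LAN client looking for a DHCP server; unrelated to mail traffic.
        return "dhcp_broadcast"
    return "mail_related" if port in MAIL_PORTS else "other"


def triage(log_text, server_ip):
    """Return per-class counts and the sorted mail ports dropped towards server_ip."""
    counts, server_hits = {}, []
    for line in log_text.splitlines():
        cls = classify(line)
        counts[cls] = counts.get(cls, 0) + 1
        m = LINE_RE.search(line)
        if cls == "mail_related" and m.group("ip") == server_ip and m.group("action") == "DROP":
            server_hits.append(int(m.group("port")))
    return counts, sorted(server_hits)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "203.0.113.10"))
```

A non-empty second value means the default policy really is dropping client connections to the mail server, which is the case that needs a firewall rule; DHCP broadcast drops alone do not.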
  • Alecz87
    Alecz87 Posts: 6  Freshman Member
    Hi @ChristianG,
    For the moment I have solved it by applying a transparent bridge, but I noticed that if I log out from the Zyxel panel, after some minutes the public IP connects to the Zyxel login panel instead of the server, while if I leave an account logged in with infinite session time this does not happen. Is that possible?

    Regards
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Hi @Alecz87,
    Did you bind the server IP to the USG interface? What I mean is: is the USG IP the same as the mail server IP?
    As ChristianG mentioned, can you post your network topology and send me your configuration via private message?
    It would be helpful to figure out what could have gone wrong.