Having some issues with a Port Forward

SecCon
SecCon Posts: 51  Ally Member
This should be simple, and it was, until I had to configure the rule in a Zyxel Firewall.

I run a backup from a remote web server to a local SFTP Server via port 22022.
Everything works. The locally receiving machine is a Windows and those settings are as they where before I placed the USG40 on my Lan.  netstat -an shows the port listening and there is no reason to think anything is wrong there.

On the web server, same story, everything worked for months and I have a local log file archive of thousands of successful transfers to prove that.

So when configuring a Port Forward on a Zyxel USG40 I seem to be missing something despite following the Guide that is available in the interface and despite having done some troubleshooting to find out what is wrong. As part of this I do of course check the logs, I should specifically check for MESSAGE log entries according to this: https://kb.zyxel.com/KB/searchArticle!viewBlob.action?attOid=14440 , but there are none.

The configuration looks like this:


So any hints on what may be wrong? I have not messed with the Security Policy, since this should be picked up by it and an exclusion made automagically. If it is any kind of smart.

The manual indicates another way to do this, but I am just assuming it is wrong, since there is a guide to do it in the interface.


Best Answer

Answers

  • SecCon
    SecCon Posts: 51  Ally Member
    edited June 2
    Ian31 said:
    The link I posted is the one referred to from within the interface. I did not look it up usin google or archive.org to find it.

    I'll read through your link and see if that works better.

    Oh, I see know. All has to be done manually. Every single rule. Old firewalls are stupid Excel sheets after all. ... ffs...
  • PeterUK
    PeterUK Posts: 1,117  Guru Member

    You likely need source IP to any to have any IP connect to 192.168.1.234

  • SecCon
    SecCon Posts: 51  Ally Member
    PeterUK said:

    You likely need source IP to any to have any IP connect to 192.168.1.234


    No, since the IP of the web host is fixed.
  • PeterUK
    PeterUK Posts: 1,117  Guru Member
    So it be
    remote IP of web server > WAN IP:22022 > NAT > remote IP of web server > 192.168.1.234:22022
  • SecCon
    SecCon Posts: 51  Ally Member
    OK, first fail log...

    Need to revise and startover...


    Maybe I missed the wan + any port > lan + 22022
    Edited out IP addresses.
  • gb5102
    gb5102 Posts: 25  Freshman Member
    Firewall rule should look like:
    FROM: WAN
    TO: any (or whatever zone contains the 'receiving machine')
    SOURCE: <WEBSERVER_IP>
    DEST: 192.168.1.234
    SERVICE: <PORT 22022>
    ACTION: allow
  • SecCon
    SecCon Posts: 51  Ally Member
    I know, I think I am fucking up the Security Policy part which is a first for me so I will just have to try again.

    (have been doing port forwards in different routers - D-link, Asus, Cisco - for more than 20 years, but this is a Firewall as well so more complex.)
  • SecCon
    SecCon Posts: 51  Ally Member
    Yeah wonderful...

    1
        
    2021-06-20 10:57:26
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:16021
        
    ACCESS FORWARD
    2
        
    2021-06-20 10:57:20
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, UDP, service others, DNAT Packet, ACCEPT
        
    141.98.10.208:5063
        
    192.168.1.234:5060
        
    ACCESS FORWARD
    3
        
    2021-06-20 10:57:19
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    192.99.35.225:49748
        
    192.168.1.234:2236
        
    ACCESS FORWARD
    4
        
    2021-06-20 10:57:14
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:41520
        
    ACCESS FORWARD
    5
        
    2021-06-20 10:57:13
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:57040
        
    ACCESS FORWARD
    6
        
    2021-06-20 10:57:13
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:4798
        
    ACCESS FORWARD
    7
        
    2021-06-20 10:57:10
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:13675
        
    ACCESS FORWARD
    8
        
    2021-06-20 10:57:08
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:32576
        
    ACCESS FORWARD
    9
        
    2021-06-20 10:57:07
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    185.128.43.46:53024
        
    192.168.1.234:4400
        
    ACCESS FORWARD
    10
        
    2021-06-20 10:57:05
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:19776
        
    ACCESS FORWARD
    11
        
    2021-06-20 10:57:00
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, UDP, service others, DNAT Packet, ACCEPT
        
    155.94.196.244:1461
        
    192.168.1.234:8080
        
    ACCESS FORWARD
    12
        
    2021-06-20 10:56:51
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:40999
        
    ACCESS FORWARD
    13
        
    2021-06-20 10:56:48
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:55375
        
    ACCESS FORWARD
    14
        
    2021-06-20 10:56:44
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:52626
        
    ACCESS FORWARD
    15
        
    2021-06-20 10:56:41
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:59429
        
    ACCESS FORWARD
    16
        
    2021-06-20 10:56:40
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:4307
        
    ACCESS FORWARD
    17
        
    2021-06-20 10:56:40
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:63759
        
    ACCESS FORWARD
    18
        
    2021-06-20 10:56:31
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:38879
        
    ACCESS FORWARD
    19
        
    2021-06-20 10:56:30
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:9859
        
    ACCESS FORWARD
    20
        
    2021-06-20 10:56:27
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:8376
        
    ACCESS FORWARD
    21
        
    2021-06-20 10:56:27
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:5481
        
    ACCESS FORWARD
    22
        
    2021-06-20 10:56:24
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:1421
        
    ACCESS FORWARD
    23
        
    2021-06-20 10:56:23
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:16933
        
    ACCESS FORWARD
    24
        
    2021-06-20 10:56:21
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:23952
        
    ACCESS FORWARD
    25
        
    2021-06-20 10:56:19
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:18574
        
    ACCESS FORWARD
    26
        
    2021-06-20 10:56:05
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:6860
        
    ACCESS FORWARD
    27
        
    2021-06-20 10:56:05
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:52889
        
    ACCESS FORWARD
    28
        
    2021-06-20 10:56:04
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:53159
        
    ACCESS FORWARD
    29
        
    2021-06-20 10:56:02
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:40172
        
    ACCESS FORWARD
    30
        
    2021-06-20 10:55:59
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:40554
        
    ACCESS FORWARD
    31
        
    2021-06-20 10:55:55
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:29123
        
    ACCESS FORWARD
    32
        
    2021-06-20 10:55:51
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:16495
        
    ACCESS FORWARD
    33
        
    2021-06-20 10:55:50
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    101.176.111.31:25619
        
    192.168.1.234:23
        
    ACCESS FORWARD
    34
        
    2021-06-20 10:55:48
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:39891
        
    ACCESS FORWARD
    35
        
    2021-06-20 10:55:47
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:21441
        
    ACCESS FORWARD
    36
        
    2021-06-20 10:55:46
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:2396
        
    ACCESS FORWARD
    37
        
    2021-06-20 10:55:39
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:17200
        
    ACCESS FORWARD
    38
        
    2021-06-20 10:55:39
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:28094
        
    ACCESS FORWARD
    39
        
    2021-06-20 10:55:38
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:6363
        
    ACCESS FORWARD
    40
        
    2021-06-20 10:55:36
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:22795
        
    ACCESS FORWARD
    41
        
    2021-06-20 10:55:35
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:37179
        
    ACCESS FORWARD
    42
        
    2021-06-20 10:55:31
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:30807
        
    ACCESS FORWARD
    43
        
    2021-06-20 10:55:30
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:36501
        
    ACCESS FORWARD
    44
        
    2021-06-20 10:55:29
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:20308
        
    ACCESS FORWARD
    45
        
    2021-06-20 10:55:28
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:39861
        
    ACCESS FORWARD
    46
        
    2021-06-20 10:55:27
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:54809
        
    ACCESS FORWARD
    47
        
    2021-06-20 10:55:26
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:61318
        
    ACCESS FORWARD
    48
        
    2021-06-20 10:55:23
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:37500
        
    ACCESS FORWARD
    49
        
    2021-06-20 10:55:22
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:16274
        
    ACCESS FORWARD
    50
        
    2021-06-20 10:55:21
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:61748
        
    ACCESS FORWARD
    51
        
    2021-06-20 10:55:19
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:36613
        
    ACCESS FORWARD
    52
        
    2021-06-20 10:55:18
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:63058
        
    ACCESS FORWARD
    53
        
    2021-06-20 10:55:18
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:5383
        
    ACCESS FORWARD
    54
        
    2021-06-20 10:55:17
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:58846
        
    ACCESS FORWARD
    55
        
    2021-06-20 10:55:17
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:23937
        
    ACCESS FORWARD
    56
        
    2021-06-20 10:55:15
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    92.63.197.16:43024
        
    192.168.1.234:63092
        
    ACCESS FORWARD
    57
        
    2021-06-20 10:55:06
        
    notice
        
    Security Policy Control
        
    priority:1, from WAN to LAN1, TCP, service others, DNAT Packet, ACCEPT
        
    116.117.157.69:21712
        
    192.168.1.234:2236
        
    ACCESS FORWARD

    I will be making a support ticket for this, then I can include all the details - which frankly I am not doing here, and get a better response.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 963  Zyxel Employee
    Hi @SecCon
    May be your default policy control rule already broken then caused traffic blocked by default configuration.
    I will send you private message for further check on it. 

Security Highlight