This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Routing services (iSCSI, Samba, TimeMachine) from DMZ- to WiFi-Zone

Hello community,

I'm new with HW firewalls but the XG125 is great. It looks that I have to understand some basics and want to open first all services and afterwards (after understanding) closing the doors at the firewall!

One simple question from my side. Please see the attached sketch.

I've a MacBook connected at the WiFi zone and a NAS at the DMZ zone. I open everything that I could configure to make traffic transparent. I can ping from the MacBook all devices in the different segments without problems. I can login on the firewall and also on the NAS out from the MacBook. So far so good.

But I do not get any samba shares in my finder, no SAN share or neither make a BackUp through TimeMachine. Configuration of all those services at the NAS is correct.

What basics are missing in my thoughts? Can you please advice? Something is suppressing those services? Do I need to explicitly make a rule to let something going through?

Regards, Frank

This thread was automatically locked due to age.

Parents

0 rfcat_vk over 7 years ago

Hi,

please post your firewall rules because trying to figure what you are doing from your drawing is not easy.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Frank Zimmermann over 7 years ago in reply to rfcat_vk

Hi Ian,

here they are. They are always the same for each zone.

As an example WiFi, attached.

Thanks,

Frank
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to Frank Zimmermann

Hi Frank,

I think you have made some of your rules overly complex, when an 'any' would done the job.

Try adding a gateway to your firewall rule, you have NAT (MASQ).

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Frank Zimmermann over 7 years ago in reply to rfcat_vk

Hi Ian,

ok. Understood. This is how it looks now. After rebooting the device still no services from the NAS available. The gateway is selected to be port2. This port is connected to the WAN router.

Any idea?

Regards, Frank
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to Frank Zimmermann

Hi Frank,

the time machine backup and NAS access do not use standard web ports, you will need a another rule which does not have any web functions because the web functions invoke the proxy.

Ian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 rfcat_vk over 7 years ago in reply to Frank Zimmermann

Hi Frank,

the time machine backup and NAS access do not use standard web ports, you will need a another rule which does not have any web functions because the web functions invoke the proxy.

Ian
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Frank Zimmermann over 7 years ago in reply to rfcat_vk

Hi Ian,

it's like Christmas to me. I added tcp port 3260 on the main firewall rule and my connection to the SAN service works. Great!

Now I'm investigating how to open udp 5353. Because this is the bonjour discovery for TimeMachine.

Searching for answers in the Internet looks like I've to create a business application rule and try the complex DNAT/FullNAT/... menu. Looks horrible.

Thanks a lot, Ian for showing me the way.

Regards, Frank
Cancel
Vote Up 0 Vote Down

Cancel