
Web server access from internet: Why doesn't this work?

Hi,

I am trying to figure out why I am not able to reach the web server behind my UTM9 (Home) Firewall. Everything appears to be set up correctly, but I keep receiving "...could not open the page because the server stopped responding." I can reach the web server internally, but when I try to reach it over the internet, it doesn't want to work.


My setup:

internet -> W723V (VDSL) -> UTM9.100.16 -> web server

Port forwarding is being done on the W723V and I am able to reach the webadmin without any problems. I'm probably missing something very small [:S] and it's frustrating.

The connection is reaching the webserver (see packets coming in using tcpdump on the webserver). I've tried practically every solution here in the portal without success :frown:.

Any help would be greatly appreciated.

Thank you.

jasperf

Here is the NAT Rule

Position: 2
Rule Type: DNAT
Matching Condition
For traffic from: Any
Using service: HTTP
Going to: Freeman-Ext (WAN) (Address)
Action
Change the destination to: NASBD636B


And the service to: HTTP
Automatic Firewall rule NO
Comment:
Advanced
Log initial packets YES

The RULESET

ANY ->HTTP->WebServer

This is what I am seeing in the logs.

2013:06:06-16:36:26 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:26 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:27 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:29 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:29 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:30 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:30 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:33 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:36 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:38 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"


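A small log triage script for the ulogd packetfilter lines posted above. This is an added example, not code from the thread or from Sophos. It parses the key="value" records and classifies each drop by the direction the packet was travelling: the posted lines are TCP SYN-ACKs with source port 80 leaving eth1 towards eth0, i.e. the web server's reply to an external client, dropped by rule 60002, rather than the inbound SYN itself. The first two sample records are copied from the log above; the third (an accepted inbound SYN) is constructed for contrast and is not from the thread, and its id, fwrule number and TTL are assumptions.

```python
import ipaddress
import re
from collections import Counter

# ulogd packetfilter records: a syslog-style prefix, then space-separated key="value" pairs.
PREFIX_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+ulogd\[\d+\]:\s*')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample. Lines 1-2 are from the thread; line 3 is an assumed "accepted" record
# (id/fwrule/ttl are made up) so that the summary shows both legs of the connection.
SAMPLE_LOG = """\
2013:06:06-16:36:26 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:27 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:26 JMFUTM9 ulogd[4989]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth0" outitf="eth1" srcip="98.240.173.93" dstip="192.168.1.13" proto="6" length="60" tos="0x00" prec="0x00" ttl="54" srcport="34122" dstport="80" tcpflags="SYN"
"""

EXPLANATIONS = {
    "accepted": "packet accepted",
    "inbound-new-dropped": "new connection from outside to an internal host dropped: "
                           "no rule allows the forwarded traffic",
    "reply-dropped": "server reply (SYN-ACK) to an external address dropped: the reply was not "
                     "matched to a tracked connection and no rule allows that direction",
    "other-drop": "dropped packet that does not fit the patterns above",
    "other": "record with an action other than accept/drop",
}


def parse_line(line):
    """Return the key="value" fields plus 'ts' and 'host', or None if this is not a ulogd record."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(line[m.end():]))
    rec["ts"], rec["host"] = m.group("ts"), m.group("host")
    return rec


def is_private(ip):
    """RFC 1918 / link-local / loopback test; unparsable strings count as not private."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def classify(rec):
    """Label a record by which leg of a TCP handshake it is and which way it was heading."""
    action = rec.get("action")
    if action == "accept":
        return "accepted"
    if action != "drop":
        return "other"
    if rec.get("proto") != "6":
        return "other-drop"
    flags = set(rec.get("tcpflags", "").split())
    src_priv = is_private(rec.get("srcip", ""))
    dst_priv = is_private(rec.get("dstip", ""))
    if flags == {"SYN"} and not src_priv and dst_priv:
        return "inbound-new-dropped"
    if {"SYN", "ACK"} <= flags and src_priv and not dst_priv:
        return "reply-dropped"
    return "other-drop"


def summarize(lines):
    """Count records by (fwrule, in-interface, out-interface, classification)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec.get("fwrule"), rec.get("initf"), rec.get("outitf"), classify(rec))] += 1
    return counts


def report(lines):
    """Human-readable summary, one line per distinct (rule, path, classification)."""
    out = []
    for (rule, inif, outif, code), n in sorted(summarize(lines).items()):
        out.append(f"{n:3d} x fwrule={rule} {inif}->{outif}: {EXPLANATIONS[code]}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against the real log (for example `sed -n '/packetfilter/p' /var/log/packetfilter.log | python3 triage.py` after changing the `__main__` block to read stdin); a count of `reply-dropped` records with no matching `inbound-new-dropped` ones means the inbound leg is passing and only the server's replies are being caught, which is consistent with tcpdump on the web server seeing the connection arrive.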
  • Hi ,

    The example you show is a full NAT.
    Use a regular NAT from the external interface to the internal server and check the box for the automatic packet filter rule.
    Make sure your internal LAN is masqueraded to the external interface (WAN).
    This should do the work.

    All my best .

    Gilipeled
  • It looks like the firewall is dropping the connection because there is no rule for that.
    That's why enabling the checkbox for the automatic packet filter rule will solve it.

    Gil
  • Like Gilipeled said, the lines you show represent an access from inside your network.  You might be interested in Accessing Internal or DMZ Webserver from Internal Network where his repair of your solution is discussed as well as the alternative of using a 'Static Entry' in DNS for the FQDN of your web server.

    Cheers - Bob
  • Hi,
    You're doing double-NAT.
    Bridging the DSL device (and configure the firewall's external interface for PPPoE if needed) would make your life easier.

    Barry
  • Thanks for the replies.

    I believe I tried using PPPoE on v8.*** and had problems with all of my wireless devices. When I set the DSL device to DSL Modem, none of the wireless devices could access the internet. Also, if I am not mistaken, I read somewhere, maybe here in the forum, that if I set the W723V to DSL Modem, then the WLAN would not be protected.

    At this time, since port forwarding is working on the DSL devices, I'm thinking about setting up a ruleset to allow access to the webserver and maybe using Web Server Protection.

    I just have to put on my 'investigative hat' and try things out. What I noticed in tcpdump is that the connection is coming in, but is being blocked when going out, or the packets aren't sure when to go.

    Anyway. I will continue experimenting.

    Greetings from Stuttgart.

    Jasperf
  • Jasperf, if you want to pursue the issue that Barry raised, please start a new thread in the "Hardware, Installation, ..." forum.

    Cheers - Bob
  • IT WORKS[:)][:P]!

    I use the following setup.

    Speedport W723V - forwards http to eth0 (WAN port on UTM9)

    UTM9 Forwards http to web server using NAT. NAT rule is:

    DNAT
    traffic selector ANY -> http -> External Address (WAN)
    Destination: Webserver 
    Service: 
    Automatic Firewall rule: checked
    Log traffic: checked

    I found the solution for getting around the double NATting (forwarding the port to the external (WAN) interface) on the internet, and the DNAT rule was found here:

    https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41041

    To all of you, thank you for your help.

    Have a nice day.