Web server access from internet: Why doesn't this work?

Hi,

I am trying to figure out why I am not able to reach the web server behind my UTM9 (Home) Firewall. Everything appears to be set up correctly, but I keep receiving "...could not open the page because the server stopped responding." I can reach the web server internally, but when I try to reach it over the internet, it doesn't want to work.


My setup:

internet -> W723V (VDSL) -> UTM9.100.16 -> web server

Port forwarding is being done on the W723V and I am able to reach the webadmin without any problems. I'm probably missing something very small [:S] and it's frustrating.

The connection is reaching the webserver (see packets coming in using tcpdump on the webserver). I've tried practically every solution here in the portal without success :frown:.

Any help would be greatly appreciated.

Thank you.

jasperf

Here is the NAT Rule

Position: 2
Rule Type: DNAT
Matching Condition
For traffic from: Any
Using service: HTTP
Going to: Freeman-Ext (WAN) (Address)
Action
Change the destination to: NASBD636B
And the service to: HTTP
Automatic Firewall rule NO
Comment:
Advanced
Log initial packets YES

The RULESET

ANY ->HTTP->WebServer

This is what I am seeing in the logs.

2013:06:06-16:36:26 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:26 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:27 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:29 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:29 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:30 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:30 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:33 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:36 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:38 JMFUTM9 ulogd[4989]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="192.168.1.13" dstip="98.240.173.93" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="80" dstport="34122" tcpflags="ACK SYN"
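
Added example (not part of the original post): a small parser for packetfilter lines in the format shown above that counts dropped TCP SYN-ACK packets per flow, which is the pattern in this log, where the web server's reply to the forwarded request is the packet being dropped. The sample lines, host name and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" format of the log above
# (fields trimmed, addresses invented for the example).
SAMPLE_LOG = '''\
2013:06:06-16:36:26 fw ulogd[4989]: id="2001" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="10.0.0.13" dstip="203.0.113.93" proto="6" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:27 fw ulogd[4989]: id="2001" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="10.0.0.13" dstip="203.0.113.93" proto="6" srcport="80" dstport="34122" tcpflags="ACK SYN"
2013:06:06-16:36:28 fw ulogd[4989]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="198.51.100.7" dstip="203.0.113.1" proto="6" srcport="40000" dstport="23" tcpflags="SYN"
2013:06:06-16:36:29 fw ulogd[4989]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="198.51.100.7" dstip="203.0.113.1" proto="17" srcport="5353" dstport="5353"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one packetfilter log line as a dict."""
    return dict(FIELD_RE.findall(line))


def dropped_replies(log_text):
    """Count dropped TCP SYN-ACK packets per (srcip, srcport, dstip, fwrule).

    A SYN-ACK is a server answering a client's SYN, so a drop here means the
    request reached the server but its reply was not let back through.
    """
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "drop" or f.get("proto") != "6":
            continue
        # Flag order in the log is "ACK SYN"; compare as a set to be safe.
        if set(f.get("tcpflags", "").split()) == {"SYN", "ACK"}:
            flows[(f["srcip"], f["srcport"], f["dstip"], f["fwrule"])] += 1
    return flows


if __name__ == "__main__":
    for (src, sport, dst, rule), n in dropped_replies(SAMPLE_LOG).most_common():
        print(f"{n}x SYN-ACK from {src}:{sport} to {dst} dropped by fwrule {rule}")
```
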


  • IT WORKS[:)][:P]!

    I use the following setup.

    Speedport W723V - forwards http to eth0 (WAN port on UTM9)

    UTM9 Forwards http to web server using NAT. NAT rule is:

    DNAT
    traffic selector ANY -> http -> External Address (WAN)
    Destination: Webserver 
    Service: 
    Automatic Firewall rule: checked
    Log traffic: checked

    I found the solution for getting around the double natting (forwarding the port to the external (WAN) interface) on the internet and the DNAT rule was found here:

    https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41041

    To all of you, thank you for your help.

    Have a nice day.