DNAT IPv6 outside IPv4 inside, packet dropped

Hi all,

I'm trying to reach my webserver, which is behind a UTM 9.308.
The WAN side of the UTM is IPv6, and the LAN side is IPv4. 

I've added a DNAT rule, to change the destination that reaches my UTM on port 80, to the internal network.

I've also added an Any to Any allow rule in the Firewall (for excluding the firewall from this problem). But I still get a Default Drop.

When I search on the internet, I've found some websites that tell me that my DNAT rule isn't good. But I don't really see the problem, can you guys help me out?

See the attached image for the UTM settings / logs. 

Thanks (again),
Bart

Network:
Host (::5)  WAN UTM (::11)  LAN UTM (192.168.22.1)   Server (192.168.22.12)


  • Hello Bob,

    Thanks for your quick response.
    I've changed the DNAT rule from Going to: WAN (Network) to WAN (Address) according to Rulz #4. But still I get a Default Drop. 

    The WAN interface also has an IPv4 address for testing purposes, and if I connect to the IPv4 address, no Default Drop is shown.
    See the Firewall log below:


    IPv6 (Default Drop)
    2015:06:10-23:54:13 fw2-2 ulogd[6828]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth0" srcmac="00:0c:29:32:69:12" dstmac="00:1a:8c:f0:66:e0" proto="6" length="72" srcip="2001:***:***:***:***::5" dstip="2001:***:***:***:***x::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN" 
    2015:06:10-23:54:13 fw2-2 ulogd[6828]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:0c:29:32:69:12" dstmac="00:1a:8c:f0:66:e0" proto="6" length="72" srcip="2001:***:***:***:***::5" dstip="2001:***:***:***:***x::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN" 
    2015:06:10-23:54:14 fw2-2 ulogd[6828]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth0" srcmac="00:0c:29:32:69:12" dstmac="00:1a:8c:f0:66:e0" proto="6" length="72" srcip="2001:***:***:***:***::5" dstip="2001:***:***:***:***x::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN" 
    2015:06:10-23:54:14 fw2-2 ulogd[6828]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:0c:29:32:69:12" dstmac="00:1a:8c:f0:66:e0" proto="6" length="72" srcip="2001:***:***:***:***::5" dstip="2001:***:***:***:***x::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN" 
    2015:06:10-23:54:16 fw2-2 ulogd[6828]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth0" srcmac="00:0c:29:32:69:12" dstmac="00:1a:8c:f0:66:e0" proto="6" length="68" srcip="2001:***:***:***:***::5" dstip="2001:***:***:***:***x::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN" 
    2015:06:10-23:54:16 fw2-2 ulogd[6828]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:0c:29:32:69:12" dstmac="00:1a:8c:f0:66:e0" proto="6" length="68" srcip="2001:***:***:***:***::5" dstip="2001:***:***:***:***x::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN" 

    IPv4 (No Default Drop)
    2015:06:10-23:58:45 fw2-2 ulogd[6828]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth0" srcmac="00:0c:29:32:69:12" dstmac="00:1a:8c:f0:66:e0" srcip="10.10.10.2" dstip="10.10.10.1" proto="6" length="52" tos="0x02" prec="0x00" ttl="128" srcport="49176" dstport="80" tcpflags="SYN" 


    IPv6 is killing me [8-)]
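
The comparison made in the post above (IPv6 SYNs logged and then dropped, IPv4 SYNs only logged) can be pulled out of a packetfilter log automatically. The following is an added example, not part of the original thread and not Sophos code: it parses the `key="value"` format shown in the logs and groups entries per flow and address family. The sample lines are constructed to mirror the thread's logs, using the documentation prefix 2001:db8::/32 in place of the masked addresses; the function names are hypothetical.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PREFIX_RE = re.compile(r'^(\S+) (\S+) ulogd\[\d+\]: ')

# Constructed sample in the format of the thread's firewall log
# (IPv6 addresses replaced by documentation-prefix placeholders).
SAMPLE_LOG = """\
2015:06:10-23:54:13 fw2-2 ulogd[6828]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth0" proto="6" srcip="2001:db8::5" dstip="2001:db8::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN"
2015:06:10-23:54:13 fw2-2 ulogd[6828]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" proto="6" srcip="2001:db8::5" dstip="2001:db8::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN"
2015:06:10-23:54:14 fw2-2 ulogd[6828]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth0" proto="6" srcip="2001:db8::5" dstip="2001:db8::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN"
2015:06:10-23:54:14 fw2-2 ulogd[6828]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" proto="6" srcip="2001:db8::5" dstip="2001:db8::11" hlim="64" srcport="49174" dstport="80" tcpflags="SYN"
2015:06:10-23:58:45 fw2-2 ulogd[6828]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth0" srcip="10.10.10.2" dstip="10.10.10.1" proto="6" ttl="128" srcport="49176" dstport="80" tcpflags="SYN"
2015:06:10-23:58:46 fw2-2 httpd: unrelated line that must be ignored
"""

def parse_line(line):
    """Return the key="value" fields of one packetfilter line, or None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    if fields.get("sub") != "packetfilter":
        return None
    fields["timestamp"] = m.group(1)
    return fields

def summarize_flows(text):
    """Group entries by (srcip, srcport, dstip, dstport) and count log/drop actions."""
    flows = defaultdict(lambda: {"family": None, "logged": 0,
                                 "dropped": 0, "drop_rules": set()})
    for line in text.splitlines():
        f = parse_line(line.strip())
        if f is None or "srcip" not in f or "dstip" not in f:
            continue
        key = (f["srcip"], f.get("srcport"), f["dstip"], f.get("dstport"))
        flow = flows[key]
        flow["family"] = "IPv6" if ":" in f["srcip"] else "IPv4"
        if f.get("action") == "drop":
            flow["dropped"] += 1
            flow["drop_rules"].add(f.get("fwrule"))  # rule ID on the drop line
        else:
            flow["logged"] += 1
    return dict(flows)
```

Repeated logged/dropped pairs for one flow with `tcpflags="SYN"` are the client's SYN retransmissions, so a flow with `dropped` equal to `logged` never got a connection through.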