
Drop packages

Hi,

 

We have a DNAT rule that allows us to access our server with RDP from the internet using a different port number. The rule is working correctly, but in the logs we can see lots of dropped UDP connections from the IP address and port number that we use to access the server with RDP.

What are these UDP packets? Why should we see incoming UDP packets at all?



  • Aresh, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Thanks for the reply,

    I already checked the Firewall log and I have to say I cannot find any extra information. This is the firewall log line that corresponds to the live log entries.

    Also, I cannot see that the dropped packets are UDP. Or am I looking in the wrong logs?

    2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="54:e0:XX:XX:76:9a" dstmac="00:1a:XX:f0:XX:a0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="51822" dstport="4012"

     

    Thanks

  • Ah, I see now, thanks, Aresh.  My guess is that the Host object "-----server" in 'Change the destination to' is not defined correctly. Take a look at #3 in Rulz.  The clue is fwrule="60002" in the log line.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, that is the way it should appear in the Firewall Log. There you should see a connection FROM the external IP using port 4002 TCP / UDP with DESTINATION internal IP. I couldn't quote correctly yesterday as I was writing on my iPad and that doesn't seem to like selecting the logs here.

    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="119" srcport="54085" dstport="4002" tcpflags="SYN"

    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
    These 2 log entries are showing the connection to an external IP address using the port you mentioned. First protocol 6 (TCP) on port 4002 is used, then protocol 17 (UDP) on port 4002 is used. This is nearly what you want, except the NAT rule is not working correctly. If you configure it right, there should be the internal IP as dstip. This is because NAT is happening before running through the packet filter (see Rule #2 in the link Bob has posted).
     
    Here is an example of a correctly configured DNAT rule from my testlab:
     
    HTTPS packets that arrive on the external address entry of my WAN interface (I don't have multiple public IPs here) should be translated to "TESTNETZ-DC". The host definition of this object points to the internal IP address. The corresponding firewall rule would look like this:
    As you can see on firewall side, there is no rule for "VDSL (Address)", only for the translated address.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
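The point Kevin makes above (DNAT runs before the packet filter, so a working rule shows the internal host as dstip, while a drop that still carries the external address means the DNAT never matched) can be checked mechanically. The following parser is an added example, not code from the thread or from Sophos: it splits ulogd packetfilter lines into their key="value" fields and labels each entry as translated or untranslated. The log lines are the masked ones quoted in this thread plus one constructed line; the external/internal addresses passed in are the ones the thread mentions.

```python
import re
from typing import Dict, List

# Protocol numbers as they appear in UTM packetfilter log lines (IANA numbers)
PROTO_NAMES = {"6": "TCP", "17": "UDP"}

# ulogd writes every field as key="value"
_KV = re.compile(r'(\w+)="([^"]*)"')

# First two lines: abridged copies of the masked lines quoted in the thread.
# Last line: constructed, showing what the packet filter sees once a correct
# DNAT rule has already rewritten the destination to the internal host.
SAMPLE_LOG = [
    '2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="17" length="1260" srcport="51822" dstport="4012"',
    '2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="6" length="52" srcport="54085" dstport="4002" tcpflags="SYN"',
    '2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="2" initf="eth0" srcip="217.XX.XX.30" dstip="10.0.10.241" proto="17" length="1260" srcport="61972" dstport="3389"',
]


def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Split one ulogd packetfilter line into its key/value fields."""
    return dict(_KV.findall(line))


def classify(entry: Dict[str, str], external_ip: str, internal_ip: str) -> str:
    """Tell whether the packet filter saw the pre- or post-DNAT destination.

    DNAT runs before the packet filter on the UTM, so a matching DNAT rule
    leaves the internal host as dstip. A drop whose dstip is still the
    external address means the DNAT rule did not match this packet at all.
    """
    dst = entry.get("dstip")
    if dst == internal_ip:
        return "translated"
    if dst == external_ip:
        return "untranslated"
    return "unrelated"


def summarize(lines: List[str], external_ip: str, internal_ip: str) -> List[str]:
    """One compact line per log entry: action, protocol, 5-tuple, rule, verdict."""
    out = []
    for raw in lines:
        e = parse_ulogd_line(raw)
        proto = PROTO_NAMES.get(e.get("proto", ""), "proto" + e.get("proto", "?"))
        out.append(f'{e["action"]} {proto} {e["srcip"]}:{e["srcport"]} -> '
                   f'{e["dstip"]}:{e["dstport"]} fwrule={e["fwrule"]} '
                   f'{classify(e, external_ip, internal_ip)}')
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG, "62.XX.XX.184", "10.0.10.241"):
        print(s)
```

Feed it the full Firewall log (not the Live Log) and every "untranslated" drop on the external port points at the DNAT rule's host or service object, exactly the case Bob's Rulz #3 describes.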

  • Hi Guys,

    Thank you for your explanation, I really appreciate it.

    Just to be sure that I didn't misconfigure my NAT rule, please check my config. The only thing that has been changed is the internal IP of the server; it is now 241.

  • It's not the NAT rule itself, Aresh, it's the Host definition to which it forwards the traffic.  As I said above, #3 in Rulz tells you what to do.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you again for the update,

    Sorry, but rule #3 says:

    Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface: <<Any>>'. 

    If you look at my last screenshot you will see that the Host definition is not bound to any specific interface, and the interface is <<ANY>>.

    Or did I understand it wrong?

    Thanks

  • Hi Aresh,

    You need a DNAT rule for RDP (TCP/UDP 3389).

    regards

    mod

  • No, he is using 4002 external, that is the Port to be DNATed for TCP and UDP.

    I would never mix up TCP rules with UDP rules and, apart from a port range like 4000:4200, would also never use one DNAT entry for more than exactly one port at a time.
    Maybe only a spleen of mine, but in this case I would set up 2 DNAT rules, one for "any using tcp4002 going to..." and one for "any using udp4002 going to..."

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi kerobra,

    In the screenshot that Aresh has deleted, you can see drops from the external client for port UDP 3389.

    Here is the screenshot from my clipboard.

    regards

    mod

  • What he needs is:

    - a DNAT rule from any using port 4002 to external IP, translated to port 3389 and to the internal IP. This has to be done both for TCP4002 and UDP4002.
    - the firewall rule has then to allow "any to internal IP with port 3389 on TCP and UDP" as the NAT translation is already done, when the packetfilter gets involved.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi Guys,

    Thank you all for your help and suggestions,

     

    @Kevin,

    Right now I have only 2 service definitions, one is TCP/UDP for port 4002 (for using service) and also one TCP/UDP for 3389 (for service to).

    If I understood you correctly, you want me to separate these TCP/UDP service definitions, and I should create separate TCP 4002 and UDP 4002 and also create separate TCP 3389 and UDP 3389. Is this correct?

    This way I have to create 4 DNAT rules!! One for each of the above. Or is it possible to group services and just create a single DNAT rule?

     

    Thanks

  • You can use one for both protocols as well as one for each protocol. The default definition on the UTM only covers the TCP protocol.

    As in your picture here

    you can more easily see which part of the rule is making problems when you are using two different DNAT rules (see the white entries in your pic; these are only displayed when "log initial packets" is ticked).

    For the firewall part you need only one rule for TCP / UDP using port 3389 for each server. Therefore I wouldn't tick the "automatic firewall rule" thing.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi Kevin,

    I did follow your suggestion and you are right, now I don't see any more dropped UDP packets. Just one more question: can I use the same Service definition that I just created for both TCP/UDP remote desktop in another Firewall Rule? I think it should be possible, just want to be sure.

     

  • Hi,

    the service definitions can be used in other rules, sure. If you had a) another external IP with b) another DNAT rule to c) another internal Terminalserver you can use your TCP/UDP definition for port 4002 another time, too.

    What I meant with "turn automatic firewall rule off" goes in the same direction. I guess the UTM software logic would be clever enough to only create one firewall rule for a sum of DNAT rules using the same destination port and IP (10.0.10.241:3389 in your case).

    If you created the firewall rule manually you need only one "Internet IPv4 using TCP/UDP 3389 to 10.0.10.241" entry, as it covers all DNAT rules (if they are set correctly) that might exist with the external IP and external ports from 3389 to 4052 for example.

    When everything works like planned I would recommend unticking the "log initial packets" checkbox in the DNAT rule, because it only fills up your logs more than they already do ;-)

    To troubleshoot you can re-enable it.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi Kevin,

     

    Maybe I didn't explain myself correctly in my previous reply.

    What I meant was, we will use the same external IP but a different port number, e.g. port 4003, to a different internal Server 2012, e.g. 10.0.10.242

     

    a. Create a new service definition TCP/UDP for port 4003,

    b. Create a new DNAT rule; here use the service definition for port 4003, and change the service to TCP/UDP 3389 (that we have already used for 4002)

    c. Create a manual firewall rule and use the same service definition TCP/UDP 3389 that we have already used for the FW rule for port 4002.

     

    Thanks

  • Should work without any problems.

    You could even use the new 4003 port to connect to the same external IP/internal server as used for the 4002 port, e.g. for a different user (if it is a "real" terminal server that supports more than 1 RDP connection at a time). In that case you don't need a new firewall rule for that new 4003 DNAT entry.

    Any definitions can be used more than one time; they are not bound to a specific host. Except all kinds of host/network definitions, which you COULD bind to a specific UTM interface, but that is definitely not recommended.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi Kevin,

    I would like to let you know that it looks like the UTM doesn't like UDP being used for the RDP connection. I changed the rules for all of our Server 2012R2 machines (8 servers in total) and the RDP connection became very unstable; we lost the RDP connection every 5 minutes or so, but the connection was established again.

    I had to put the servers back to the old DNAT rules; after that the connection became stable again.

     

    Thanks
