Dropped packets

Hi,

 

We have a DNAT rule that allows us to access our server with RDP from the internet on a different port number. The rule is working correctly, but in the logs we can see lots of dropped UDP connections from the IP address and port number that we try to access the server with RDP from.

What are these UDP packets? Why should we see incoming UDP packets at all?



  • Aresh, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Thanks for the reply,

    I already checked the Firewall log and I have to say I cannot find any extra information. This is the firewall log line that corresponds to the live log entries:

    Also, I cannot see that the dropped packets are UDP, or am I looking in the wrong logs?

    2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="54:e0:XX:XX:76:9a" dstmac="00:1a:XX:f0:XX:a0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="51822" dstport="4012"

     

    Thanks
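    The full-log line quoted above does carry the protocol, just not by name: proto="17" is the IANA protocol number for UDP (6 would be TCP), and the drop is logged against dstport 4012 on eth0 by fwrule 60001. The following Python parser is an added example and is not part of the post or of Sophos UTM; it splits the ulogd key="value" format, maps the protocol number to a name, and counts drops per protocol, port and rule so the UDP share is obvious. The first sample line is the one from the post (masked octets kept as XX); the two further lines, the accept entry and rule number 7 are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input: line 1 is the ulogd entry quoted in the post (masked
# octets kept as "XX"); lines 2 and 3 are made up here to show grouping and an
# accepted packet. None of the extra lines come from the original thread.
SAMPLE_LINES = [
    '2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcmac="54:e0:XX:XX:76:9a" dstmac="00:1a:XX:f0:XX:a0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" '
    'proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="51822" dstport="4012"',
    # constructed: a second UDP drop from the same client one second later
    '2017:02:07-14:39:04 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="17" length="1260" ttl="119" srcport="51822" dstport="4012"',
    # constructed: a TCP packet accepted by a hypothetical firewall rule 7
    '2017:02:07-14:39:05 securitysrv1-1 ulogd[11961]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="eth0" '
    'srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="6" length="52" ttl="119" srcport="51823" dstport="4012"',
]

# Every payload field is key="value"; the syslog-style prefix has no '="' so it is skipped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# IANA IP protocol numbers that commonly appear in packetfilter logs; proto="17" is UDP.
IP_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP", "47": "GRE", "50": "ESP"}


def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Turn one ulogd key="value" line into a dict, adding a readable protocol name."""
    fields = dict(KV_RE.findall(line))
    head = line.split()
    fields["timestamp"], fields["host"] = head[0], head[1]
    proto = fields.get("proto", "")
    fields["protocol"] = IP_PROTO.get(proto, "proto/" + proto)
    return fields


def describe(fields: Dict[str, str]) -> str:
    """One human-readable line per entry, in the order a troubleshooter reads it."""
    return (
        f'{fields["timestamp"]} {fields["name"]}: {fields["protocol"]} '
        f'{fields["srcip"]}:{fields.get("srcport", "-")} -> '
        f'{fields["dstip"]}:{fields.get("dstport", "-")} '
        f'in on {fields.get("initf", "?")}, fwrule {fields.get("fwrule", "?")}'
    )


def dropped_by_flow(lines: List[str]) -> Counter:
    """Count dropped packets per (protocol, dstport, fwrule); accepts are ignored."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_ulogd_line(line)
        if f.get("action") == "drop":
            counts[(f["protocol"], f.get("dstport"), f.get("fwrule"))] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(describe(parse_ulogd_line(raw)))
    for (proto, dport, rule), n in dropped_by_flow(SAMPLE_LINES).items():
        print(f"{n} dropped {proto} packet(s) to port {dport} by fwrule {rule}")
```

    Run against a real export of the packetfilter log, a non-zero UDP count against the RDP external port next to accepted TCP entries is exactly the signature discussed later in this thread: the DNAT matches both protocols, but only the TCP half is allowed through.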

  • Hi Guys,

    Thank you for your explanation, I really appreciate it.

    Just to be sure that I didn't misconfigure my NAT rule, please check my config. The only thing that has been changed is the internal IP of the server; it is now 241.

     

  • It's not the NAT rule itself, Aresh, it's the Host definition to which it forwards the traffic.  As I said above, #3 in Rulz tells you what to do.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you again for the update,

    Sorry, but rule #3 says:

    Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface: <<Any>>'. 

    If you look at my last screenshot you will see that the Host definition is not bound to any specific interface, and the interface is <<Any>>.

    Or did I understand it wrong?

    Thanks

  • Hi Aresh,

    You need a DNAT rule for RDP (TCP/UDP 3389).

    regards

    mod

  • No, he is using 4002 externally; that is the port to be DNATed for TCP and UDP.

    I would never mix up TCP rules with UDP rules and, apart from a port range like 4000:4200, I would also never use one DNAT entry for more than exactly one port at a time.
    Maybe it is only a quirk of mine, but in this case I would set up 2 DNAT rules, one for "any using tcp4002 going to..." and one for "any using udp4002 going to..."

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi kerobra,

    In the screenshot that Aresh has deleted, you can see drops from the external client for port UDP 3389.

    Here the screenshot from my clipboard.

    regards

    mod

  • What he needs is:

    - a DNAT rule from any using port 4002 to the external IP, translated to port 3389 and to the internal IP. This has to be done both for TCP 4002 and UDP 4002.
    - the firewall rule then has to allow "any to internal IP with port 3389 on TCP and UDP", as the NAT translation is already done when the packetfilter gets involved.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
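    The order Kevin describes, destination NAT first and the packetfilter afterwards, is why the filter rule has to name the translated destination (internal IP, port 3389, both protocols) rather than the external port. The Python model below is an added illustration and is not part of the thread or of Sophos UTM: it walks a TCP and a UDP packet for external port 4002 through one TCP/UDP DNAT rule and then through two alternative firewall rule sets, the auto-generated rule modelled as TCP-only 3389 (which is what this thread reports it covers; the model does not verify UTM's own behaviour) and a manual TCP/UDP 3389 rule. The IP addresses are assumed from documentation and RFC 1918 ranges; the thread only says the internal host ends in .241.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple

# Assumed addresses (documentation / RFC 1918 ranges); the thread only states
# that the internal host ends in .241 and that the external port is 4002.
EXTERNAL_IP = "203.0.113.10"
INTERNAL_IP = "192.168.1.241"
CLIENT_IP = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Match on protocol set, destination and port; rewrite destination and port."""
    protos: FrozenSet[str]
    dst: str
    dport: int
    to_dst: str
    to_dport: int

    def matches(self, p: Packet) -> bool:
        return p.proto in self.protos and p.dst == self.dst and p.dport == self.dport


@dataclass(frozen=True)
class FilterRule:
    """Packetfilter rule: protocol set, destination and port, then accept or drop."""
    protos: FrozenSet[str]
    dst: str
    dport: int
    action: str

    def matches(self, p: Packet) -> bool:
        return p.proto in self.protos and p.dst == self.dst and p.dport == self.dport


def apply_dnat(p: Packet, rules: List[DnatRule]) -> Packet:
    """Rewrite the destination on the first matching DNAT rule; otherwise unchanged."""
    for r in rules:
        if r.matches(p):
            return replace(p, dst=r.to_dst, dport=r.to_dport)
    return p


def filter_packet(p: Packet, rules: List[FilterRule]) -> str:
    """First matching filter rule wins; no match means the default drop."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


def process(p: Packet, dnat: List[DnatRule], fw: List[FilterRule]) -> Tuple[Packet, str]:
    """DNAT runs before the packetfilter, so the filter only ever sees the translated packet."""
    translated = apply_dnat(p, dnat)
    return translated, filter_packet(translated, fw)


# One DNAT rule for a TCP/UDP 4002 service definition, translating to 3389 on the server.
DNAT_RULES = [DnatRule(frozenset({"tcp", "udp"}), EXTERNAL_IP, 4002, INTERNAL_IP, 3389)]

# Auto-generated firewall rule as the thread describes it: TCP 3389 only (modelling assumption).
AUTO_FW = [FilterRule(frozenset({"tcp"}), INTERNAL_IP, 3389, "accept")]
# The manual rule recommended above: TCP and UDP 3389 to the internal IP.
MANUAL_FW = [FilterRule(frozenset({"tcp", "udp"}), INTERNAL_IP, 3389, "accept")]


def outcomes(fw: List[FilterRule]) -> Dict[str, str]:
    """Verdict for a TCP and a UDP RDP packet arriving on the external port 4002."""
    return {
        proto: process(Packet(proto, CLIENT_IP, EXTERNAL_IP, 4002), DNAT_RULES, fw)[1]
        for proto in ("tcp", "udp")
    }


if __name__ == "__main__":
    print("auto firewall rule:  ", outcomes(AUTO_FW))      # udp is dropped
    print("manual TCP/UDP rule: ", outcomes(MANUAL_FW))    # both accepted
    # A client that targets 3389 on the external IP directly is never translated
    # and never matches the internal-IP filter rule, so it is dropped either way.
    direct = Packet("tcp", CLIENT_IP, EXTERNAL_IP, 3389)
    print("direct 3389 to external IP:", process(direct, DNAT_RULES, MANUAL_FW))
```

    The last case in the block is the check worth keeping in mind when writing the manual rule: because the filter rule names the internal IP and port 3389, it does not accidentally expose anything on the external address beyond what the DNAT translates.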

  • Hi Guys,

    Thank you all for your help and suggestions,

     

    @Kevin,

    Right now I have only 2 service definitions: one is TCP/UDP for port 4002 (for the "using service" field) and also one TCP/UDP for 3389 (for the "service to" field).

    If I understood you correctly, you want me to separate these TCP/UDP service definitions, and I should create separate TCP 4002 and UDP 4002 and also separate TCP 3389 and UDP 3389 definitions. Is this correct?

    This way I have to create 4 DNAT rules, one for each of the above. Or is it possible to group services and just create a single DNAT rule?

     

    Thanks

  • You can use one for both protocols as well as one for each protocol. The default definition on the UTM only covers the TCP protocol.

    As in your picture here, you can more easily see which part of the rule is making problems when you are using two different DNAT rules (see the white entries in your pic; these are only displayed when "log initial packets" is ticked).

    For the firewall part you need only one rule for TCP/UDP using port 3389 for each server. Therefore I wouldn't tick the "automatic firewall rule" thing.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi Kevin,

     

    I think I am starting to understand you :)

    My NAT rule has no problem, because I already created a definition for both TCP/UDP for port 4002. The problem is with the auto firewall rule, and if I understand you correctly the FW auto rule just allows the TCP portion of 3389 to the internal IP (internal server).

    I should create a new DNAT rule with the already-in-place TCP/UDP definition for port 4002 and then clear "create FW auto", then create a firewall rule manually that looks like this:

    I have created a service for the firewall rule that allows TCP/UDP. Am I on the right track?

    The rule that dropped the UDP part was created with auto FW and the service is blank.
