Dropped packets

Hi,

 

We have a DNAT rule that allows us to access our server via RDP from the internet on a different port number. The rule works correctly, but in the logs we can see lots of dropped UDP connections from the IP address and port number that we use to access the server with RDP.

What are these UDP packets? Why should we see incoming UDP packets at all?



This thread was automatically locked due to age.
  • Hi Kevin,

    Thanks for the reply,

    I am 100% with you regarding the RD Gateway; we already have an RD Gateway in place and our new customers are using it, but the older users still want to use RDP with the port number, don't ask why.

    If you look at my first screenshot, from when the UDP port was still closed, you can see that the UDP packets were dropped; why UDP, I have no idea. We see this behavior only with our Server 2012 R2 machines.

    So I set up a test machine, created a new service definition with TCP/UDP and port 4002, then created one more new service definition that also uses TCP/UDP, for port 3389, and then created the DNAT rule. Up to here everything is as Sophos suggested.

    Why the log shows the external IP trying to access the internal server directly is really strange, and I would also like to know why.

    Thanks

  • Ah, I see now, thanks, Aresh.  My guess is that the Host object "-----server" in 'Change the destination to' is not defined correctly. Take a look at #3 in Rulz.  The clue is fwrule="60002" in the log line.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, that is the way it should appear in the Firewall Log. There you should see a connection FROM the external IP using port 4002 TCP/UDP with DESTINATION the internal IP. I couldn't quote correctly yesterday as I was writing on my iPad, and that doesn't seem to like selecting the logs here.

    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="119" srcport="54085" dstport="4002" tcpflags="SYN"

    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
    These 2 log entries show the connection to an external IP address using the port you mentioned. First protocol 6 (TCP) on port 4002 is used, then protocol 17 (UDP) on port 4002. This is nearly what you want, except that the NAT rule is not working correctly. If you configure it right, the internal IP should appear as dstip, because NAT happens before the packet runs through the packet filter (see Rule #2 in the link Bob posted).

    Here is an example of a correctly configured DNAT rule from my test lab:

    HTTPS packets that arrive on the external address entry of my WAN interface (I don't have multiple public IPs here) should be translated to "TESTNETZ-DC". The host definition of this object points to the internal IP address. The corresponding firewall rule looks like this:
    As you can see on the firewall side, there is no rule for "VDSL (Address)", only for the translated address.

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
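The two log lines above show the key="value" layout that UTM's ulogd writes for packetfilter events, and Kevin's point is that the packetfilter runs after DNAT, so a working DNAT rule shows the internal host as dstip. The UDP traffic itself is expected: RDP 8.0 and later (Windows 8 / Server 2012 onwards) opens a UDP transport on the same port alongside the TCP session. The Python below is an added example, not code from this thread or from Sophos: it parses such lines, counts packetfilter events by protocol, port, action and translation state, and lists the flows that reached the packetfilter with the public address still as destination (no DNAT rule matched them). The sample log and all addresses (RFC 5737 documentation ranges, 10.0.0.241 for the server) are constructed; the field layout follows the lines quoted in the post, and the id/fwrule values in the sample carry no meaning.

```python
"""Added example: parse Sophos UTM ulogd packetfilter lines and check which
destination the packetfilter saw.  Not code from the thread or from Sophos.
Assumptions: the key="value" layout shown in the thread; all addresses are
constructed (RFC 5737 documentation ranges, 10.0.0.241 for the server)."""
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample log, modelled on the two lines quoted in the post:
# 203.0.113.184 stands for the UTM's public address, 192.0.2.30 for the
# remote RDP client, 10.0.0.241 for the internal server.  The last line is
# not a packetfilter event and must be ignored by the parser.
SAMPLE_LOG = """\
2017:03:28-13:36:33 utm-1 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcip="192.0.2.30" dstip="203.0.113.184" proto="6" length="52" ttl="119" srcport="54085" dstport="4002" tcpflags="SYN"
2017:03:28-13:36:33 utm-1 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcip="192.0.2.30" dstip="203.0.113.184" proto="17" length="1260" ttl="119" srcport="61972" dstport="4002"
2017:03:28-13:36:34 utm-1 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.0.2.30" dstip="10.0.0.241" proto="17" length="1260" ttl="119" srcport="61973" dstport="3389"
2017:03:28-13:36:35 utm-1 ulogd[18968]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth0" srcip="192.0.2.30" dstip="10.0.0.241" proto="6" length="52" ttl="119" srcport="54086" dstport="3389" tcpflags="SYN"
2017:03:28-13:36:36 utm-1 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""


def parse_line(line):
    """Return the key="value" pairs of one ulogd line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))


def translation_state(fields, external_ip, internal_ip):
    """The packetfilter evaluates the packet after DNAT: a matched DNAT rule
    shows the internal host as dstip, while the public address as dstip
    means no DNAT rule matched that packet."""
    dst = fields.get("dstip")
    if dst == internal_ip:
        return "translated"
    if dst == external_ip:
        return "untranslated"
    return "other"


def summarize(log_text, external_ip, internal_ip):
    """Count packetfilter events by (proto, dstport, action, translation state)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("sub") != "packetfilter":
            continue  # not a packetfilter event (or not a ulogd line at all)
        proto = PROTO_NAMES.get(fields.get("proto"), fields.get("proto"))
        key = (proto, fields.get("dstport"), fields.get("action"),
               translation_state(fields, external_ip, internal_ip))
        counts[key] += 1
    return counts


def untranslated(counts):
    """(proto, dstport) pairs that hit the packetfilter with the public address
    still as destination, i.e. the DNAT rule did not cover them."""
    return sorted({(proto, port) for (proto, port, _action, state) in counts
                   if state == "untranslated"})


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG, "203.0.113.184", "10.0.0.241")
    for key, n in sorted(counts.items()):
        print(f"{n:3d}  {key}")
    print("no DNAT rule matched:", untranslated(counts))
```

Run against a real export of the Firewall Log with your own public and internal addresses: every (proto, port) pair reported by untranslated() is traffic for which the DNAT rule (or its host/service definitions) does not match, and a "translated" drop on UDP 3389 means the DNAT is fine but the firewall rule only allows TCP.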

  • Hi guys,

    Thank you for your explanation, I really appreciate it.

    Just to be sure that I didn't misconfigure my NAT rule, please check my config. The only thing that has changed is the internal IP of the server; it is now 241.

  • It's not the NAT rule itself, Aresh, it's the Host definition to which it forwards the traffic.  As I said above, #3 in Rulz tells you what to do.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you again for the update,

    Sorry, but rule #3 says:

    Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface: <<Any>>'.

    If you look at my last screenshot you will see that the Host definition is not bound to any specific interface, and the interface is <<Any>>.

    Or did I understand it wrong?

    Thanks

  • Hi Aresh,

    you need a DNAT rule for RDP (TCP/UDP 3389).

    regards

    mod

  • No, he is using 4002 externally; that is the port to be DNATed for TCP and UDP.

    I would never mix TCP rules with UDP rules and, apart from a port range like 4000:4200, would also never use one DNAT entry for more than exactly one port at a time.
    Maybe just a quirk of mine, but in this case I would set up 2 DNAT rules, one for "any using TCP 4002 going to..." and one for "any using UDP 4002 going to..."

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi kerobra,

    in the screenshot that Aresh has deleted, you can see drops from the external client for port UDP 3389.

    Here is the screenshot from my clipboard.

    regards

    mod

  • What he needs is:

    - a DNAT rule from any using port 4002 to the external IP, translated to port 3389 and to the internal IP. This has to be done for both TCP 4002 and UDP 4002.
    - the firewall rule then has to allow "any to internal IP with port 3389 on TCP and UDP", as the NAT translation is already done when the packet filter gets involved.

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
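The two points above (one DNAT rule per protocol, and a firewall rule written for the translated destination) both follow from evaluation order. The Python below is an added model, not Sophos code and not how UTM implements this internally: it applies DNAT rules first and then evaluates the packetfilter on the rewritten packet, and runs the configuration Kevin describes against the two mistakes discussed in the thread (no UDP DNAT rule; a firewall rule that allows the public address and port 4002, which the packetfilter never sees). Addresses, rule objects and the first-match semantics are constructed assumptions for the model.

```python
"""Added example: a minimal model of 'DNAT first, then packetfilter' to show
why the firewall rule must match the translated destination.  Not Sophos code
and not UTM's real implementation; addresses and rule objects are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Rewrite (proto, dst, dport) to (proto, new_dst, new_port) on match."""
    proto: str
    match_dst: str
    match_port: int
    new_dst: str
    new_port: int

    def apply(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dport) == (self.proto, self.match_dst, self.match_port):
            return Packet(pkt.proto, pkt.src, self.new_dst, self.new_port)
        return None


@dataclass(frozen=True)
class FilterRule:
    proto: str
    dst: str
    dport: int
    action: str   # "accept" or "drop"

    def matches(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport) == (self.proto, self.dst, self.dport)


def process(pkt, dnat_rules, filter_rules, default="drop"):
    """DNAT is applied before the packetfilter, so the filter rules are
    evaluated against the already rewritten destination.  First match wins
    in both tables (assumption of this model); unmatched traffic is dropped."""
    for rule in dnat_rules:
        translated = rule.apply(pkt)
        if translated is not None:
            pkt = translated
            break
    for rule in filter_rules:
        if rule.matches(pkt):
            return rule.action, pkt
    return default, pkt


# Constructed addresses: public UTM address, internal RDP host, remote client.
EXTERNAL = "203.0.113.184"
INTERNAL = "10.0.0.241"
CLIENT = "192.0.2.30"

# What the thread ends up recommending: one DNAT rule per protocol ...
DNAT_BOTH = [DnatRule("tcp", EXTERNAL, 4002, INTERNAL, 3389),
             DnatRule("udp", EXTERNAL, 4002, INTERNAL, 3389)]
# ... and the firewall rule on the translated destination, TCP and UDP.
FILTER_INTERNAL = [FilterRule("tcp", INTERNAL, 3389, "accept"),
                   FilterRule("udp", INTERNAL, 3389, "accept")]

# The two mistakes discussed in the thread.
DNAT_TCP_ONLY = DNAT_BOTH[:1]                          # UDP 3389 never translated
FILTER_EXTERNAL = [FilterRule("tcp", EXTERNAL, 4002, "accept"),
                   FilterRule("udp", EXTERNAL, 4002, "accept")]  # never matches post-NAT


def verdict(proto, dnat_rules, filter_rules):
    """Send one RDP connection attempt from the client to the public port and
    return (action, destination seen by the packetfilter, port seen)."""
    pkt = Packet(proto, CLIENT, EXTERNAL, 4002)
    action, seen = process(pkt, dnat_rules, filter_rules)
    return action, seen.dst, seen.dport


if __name__ == "__main__":
    for label, dnat, flt in [("correct config", DNAT_BOTH, FILTER_INTERNAL),
                             ("TCP-only DNAT", DNAT_TCP_ONLY, FILTER_INTERNAL),
                             ("filter on public addr", DNAT_BOTH, FILTER_EXTERNAL)]:
        for proto in ("tcp", "udp"):
            print(f"{label:22s} {proto}: {verdict(proto, dnat, flt)}")
```

The model reproduces the symptom from the thread: with the TCP-only DNAT the UDP packet reaches the packetfilter still addressed to the public IP on port 4002 and is dropped, and with a firewall rule written for the public address nothing is accepted at all, even though the DNAT itself worked.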
