Firewall – WatchGuard Port Forwarding / Static NAT

Tags: firewall, port-forwarding, watchguard

I'm trying to forward a specific port on my WatchGuard firewall to an internal host in a specific VLAN. My setup is roughly as follows:

 INTERNET
    vv
WatchGuard
    vv--------vv--------vv
  [VLAN1]   [VLAN2]   [VLAN3]
              vv
            Server

I've set up an SNAT rule from Any-External to the IP address of the internal server without port translation. Then I added a firewall policy with

  • Action: Allow
  • a custom filter on port tcp:10000
  • from any source
  • to my snat rule

This is all as recommended by the documentation, but when trying to access it from an outside IP, the port remains filtered and is logged as unhandled (xxx being the external client and yyy the IP of the firewall):

Process=firewall  Disposition=Deny  Policy=Unhandled External Packet-00  Source IP=xx.xx.xx.xx  Destination IP=yy.yy.yy.yy  Source Interface=0-External  Destination Interface=0-External  Source Port=19852  Destination Port=10000  Protocol=webmin/tcp

I've been playing around with port translation, more specific interface settings for the SNAT and proxy instead of filter actions, but I simply cannot get it to work. What am I missing?


Edit (2015-06-16): Here are my config screens:

Interfaces
SNAT Rule
Firewall Policy I
Firewall Policy II

Port Check from internal network:

$ nmap -sT -p 10000 192.168.79.100
[...]
PORT      STATE SERVICE
10000/tcp open  snet-sensor-mgmt
[...]

Port check from the external network (against the IP yyy of the Internet connection; xxx is a known open management port):

user@extServer:~# nmap -sT -p xxx,10000 yyy.yyy.yyy.yyy
[...]
PORT      STATE    SERVICE
8089/tcp  open     unknown
10000/tcp filtered snet-sensor-mgmt
[...]

Best Answer

If you used 'Any-External' in the SNAT rule, then that is where you made the error.

Select the external IP address(es) that you will actually be using for this SNAT rule instead of the alias 'Any-External', and things will start working.

You may still use 'Any-External' in the filter rule.

The problem is in the understanding of the alias 'Any-External'. All IP addresses that are configured on your firewall's ports are covered by the alias 'Firebox', while 'Any-External' begins beyond that, with the gateway IP address of your provider. You could create an alias 'external-ports'; that would then work fine in SNAT rules, but 'Any-External' would not.
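As an added illustration of the alias distinction this answer describes (my own model, not WatchGuard's code or a real Fireware config), the script below resolves the 'Firebox' and 'Any-External' aliases the way the answer explains them and evaluates the same inbound tcp/10000 packet against two policies: one whose SNAT was built from 'Any-External', and one whose SNAT was built from the specific external interface address. All addresses, the alias semantics and the rule-evaluation order are assumptions made for the example.

```python
"""Model of the SNAT alias matching described in the answer above.
Added example, not WatchGuard code. Topology and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (assumption, not the poster's real addresses).
FIREWALL_EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")   # "yyy" in the post
PROVIDER_GATEWAY = ipaddress.ip_address("203.0.113.1")
FIREBOX_IPS = {FIREWALL_EXTERNAL_IP, ipaddress.ip_address("192.168.79.1")}
INTERNAL_NETS = [ipaddress.ip_network("192.168.79.0/24")]
INTERNAL_SERVER = ipaddress.ip_address("192.168.79.100")


def in_alias(alias: str, ip: ipaddress.IPv4Address) -> bool:
    """Resolve an alias the way the answer describes it (modelled, not verified)."""
    if alias == "Firebox":
        # Every address configured on one of the firewall's own interfaces.
        return ip in FIREBOX_IPS
    if alias == "Any-External":
        # Begins beyond the Firebox, at the provider gateway: not the Firebox's
        # own addresses and not anything behind the trusted/VLAN interfaces.
        return ip not in FIREBOX_IPS and not any(ip in net for net in INTERNAL_NETS)
    # Anything else is treated as a literal single-host address.
    return ip == ipaddress.ip_address(alias)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class SnatRule:
    from_alias: str                  # the inbound destination must match this
    to_ip: ipaddress.IPv4Address     # internal host the destination is rewritten to


@dataclass(frozen=True)
class Policy:
    port: int
    from_alias: str                  # source side; 'Any-External' is fine here
    to_snat: SnatRule                # the policy's "To" is the SNAT rule


def evaluate(pkt: Packet, policy: Policy) -> Tuple[str, Optional[ipaddress.IPv4Address]]:
    """Return (disposition, translated destination or None) for one inbound packet."""
    if pkt.dport != policy.port or not in_alias(policy.from_alias, pkt.src):
        return ("Deny: Unhandled External Packet", None)
    # The SNAT rule is an address match, not a wildcard: the packet's destination
    # has to be one of the addresses the SNAT rule was built from.
    if not in_alias(policy.to_snat.from_alias, pkt.dst):
        return ("Deny: Unhandled External Packet", None)
    return ("Allow", policy.to_snat.to_ip)


# Constructed inbound connection from an outside client to the firewall's external IP.
INBOUND = Packet(ipaddress.ip_address("198.51.100.7"), FIREWALL_EXTERNAL_IP, 10000)

# Broken: SNAT built from 'Any-External'. The firewall's own external address is in
# 'Firebox', not in 'Any-External', so the SNAT never matches and the packet is unhandled.
BROKEN = Policy(10000, "Any-External", SnatRule("Any-External", INTERNAL_SERVER))

# Fixed: SNAT built from the specific external interface address.
FIXED = Policy(10000, "Any-External", SnatRule(str(FIREWALL_EXTERNAL_IP), INTERNAL_SERVER))

if __name__ == "__main__":
    print("broken:", evaluate(INBOUND, BROKEN))
    print("fixed: ", evaluate(INBOUND, FIXED))
```

The only difference between the two policies is the address the SNAT rule was built from; the filter policy keeps 'Any-External' as its source in both cases, which matches the answer's point that the alias is fine on the filter side but not on the SNAT side.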