Help - NAT/PortForwarding - Franklin Fuel Monitor and Watchguard t30 Firebox - 1 static IP

Hello all. Thank you for reading my request for help.
We have 1 static IP. The device (FranklinFuelMonitor) was the only device on that static and directly connected. It has a web interface login on port 80 and 443. It is used for a remote company to pull fuel status on a tank through the internet.
The Trucking company added line under ground to their main office and eliminated the public ip and dedicated internet connection. Now the fuel monitor is behind the watchguard and not directly connected to the internet. Then they called their IT Company, us, and said its not working anymore. XD

No problem. We port forwarded 80 and 443 to the device and gave it a static ip on the network and a SNAT rule, white listed the company's static range for added security and done right?
Nope... they have exchange on prem... so 80 and 443 (at least 443 for sure) is not available. Okay, we will use a port redirect so they can hit the device on any port they choose - 10001 - in this case, and redirected that via SNAT to the internal device on 443. Great! They can access the web interface now! BUT -- Their poling software cannot.
Hold on - dont jump ahead of me here. They CAN specify what port in the poling software to hit the device on, and we DID get it to work ONE TIME on 443 redirected from the outsides 10001 port via the snat rule. But that was it, one time, hasnt worked since.
Its a TCP connection, and their poling software is not being stateful! Grumble
So we disabled the requirement on the watchguard to maintain stateful TCP connections and they connected the one time.
I am still seeing in the traffic log errors however regarding how the data is flowing, its not looking good at all.

Everything here is unsanitized except our public ip with the opening. 1.1.1.1 = our public ip.

2021-09-16 16:28:31 Allow 209.237.118.66 1.1.1.1 80/tcp 53346 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 4287807118 win 8192" geo_src="USA" geo_dst="USA"

2021-09-16 16:29:33 Allow 209.237.118.66 1.1.1.1 80/tcp 53350 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 4137576640 win 8192" geo_src="USA" geo_dst="USA"

2021-09-16 16:30:37 Allow 209.237.118.66 1.1.1.1 80/tcp 53355 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 111956872 win 8192" geo_src="USA" geo_dst="USA"

2021-09-16 16:30:38 Deny 192.168.1.250 209.237.118.66 53346/tcp 80 53346 Trusted Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 AF 3695095256 win 473"

2021-09-16 16:31:38 Allow 209.237.118.66 1.1.1.1 80/tcp 53381 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 2876179816 win 8192" geo_src="USA" geo_dst="USA"

2021-09-16 16:32:36 Allow 209.237.118.66 1.1.1.1 80/tcp 53383 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 3184032092 win 8192" geo_src="USA" geo_dst="USA"

2021-09-16 16:32:42 Deny 192.168.1.250 209.237.118.66 53355/tcp 80 53355 Trusted Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 AF 644293183 win 473"

2021-09-16 16:33:35 Deny 192.168.1.250 209.237.118.66 53381/tcp 80 53381 Trusted Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 AF 187248997 win 473"

2021-09-16 16:33:35 Allow 209.237.118.66 1.1.1.1 80/tcp 53388 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 1923307081 win 8192" geo_src="USA" geo_dst="USA"

2021-09-16 16:34:33 Deny 192.168.1.250 209.237.118.66 53383/tcp 80 53383 Trusted Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 AF 759945542 win 473"

2021-09-16 16:34:33 Allow 209.237.118.66 1.1.1.1 80/tcp 53394 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 1122269686 win 8192" geo_src="USA" geo_dst="USA"

2021-09-16 16:35:33 Deny 192.168.1.250 209.237.118.66 53388/tcp 80 53388 Trusted Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 AF 1529082110 win 473"

2021-09-16 16:35:39 Allow 209.237.118.66 1.1.1.1 80/tcp 53401 10001 External Trusted Allowed 52 119 (TankMonitor-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="192.168.1.250" dst_port_nat="80" tcp_info="offset 8 S 3538758637 win 8192" geo_src="USA" geo_dst="USA"

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @BlakeThoennes

    It looks like the firewall is allowing the traffic based on your logs. If the issue persists, please consider opening a case with support so we can help determine where the traffic might be going.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.