Problems with SNAT / DMZ

I think I have a misconception about the configuration and I need some help.
The request:
An external portal (fixed IP) needs access to an application that works as a bridge and access to the database server.
According to the requirements, port 50600 must be open in both directions.
So the data has to go from the router to the Watchguard to the server in the DMZ and back again.

Srv-1 Database server is in the internal LAN 1 (Trusted) as well as all clients.
Srv-2 with the bridge application is in the DMZ (optional LAN 2)

Router:
192.168.200.254 Dynamic (WAN) V4 IP
Port forwarding via DynDNS from the IP address of the web portal on port 50600 to 192.168.200.20 (Watchguard).
It is working.

Firewall Watchguard T40:
External 192.168.200.20
LAN 1 (Trusted) 192.168.123.254
LAN 2 (Optional) 192.168.133.254 Name "DMZ"
Current firmware

Srv-2
192.168.133.253, Windows Server 2022 Essentials, Eset Security Business - has internet. Internal FW: 50600 open in both directions, 3050 open out.
Has access to Srv-1's database.
It is working.

2 SNAT rules:
Ratio DB (database access) - Any Optional  192.168.123.253 (Srv-1)
RatioApp (Web Portal) - DMZ  192.168.133.253 (Srv-2)

2 firewall policies:
Ratio DB (Database Access) - Allowed – (Policy Type: Ratio DB) TCP 3050
From: DMZ To: 192.168.123.253 (Srv-1)
Enable intrusion prevention, enable Tor exit node blocking, enable send a log message

RatioApp (Web Portal) - Allowed – (Policy Type: RatioApp) TCP 50600
From: External To: 192.168.133.253 (Srv-2)
Enable intrusion prevention, enable Tor exit node blocking, enable send a log message

As written accessing the database from Srv-2 to Srv-1 works.
Only the bridge application only shows timeout...
Since the forwarding from the router to the Watchguard works, the rule (RatioApp) must have an error?!
In the message log (traffic) filtered to the external IP of the web portal, no deny is displayed...

Where's the mistake?

I hope I have described everything understandably.

Thank you for your help …

Drive

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Drive

    It looks like your upstream IP is also an RFC1918 private IP address (meaning something upstream is NATing too.) Have you verified your traffic is making it to the firewall?

    If the firewall is denying this traffic you should see a red deny message in traffic monitor for that traffic (it'll likely help to search by port or source IP.)

    If you see a green allow message, the log line should mention what IP and port this is being sent to -- does this match up with what you expect?

    -James Carson
    WatchGuard Customer Support

  • edited June 2023

    hey @james.carson ...

    Thanks for Re

    I was only able to test today...
    There is actually a deny...
    Isn't there actually a rule for this?
    But the rule doesn't apply.

    Router forwards request from external fixed IPV4 to T40 via port 50600...
    It is working.

    Rules on T40 as described above... Still this error.
    The public IP is correct.

    2023-06-02 15:10:02 Deny x.x.x.x 192.168.200.20 50600/tcp 36230 50600 External Firebox Denied 60 56 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tc p_info ="offset 10 S 68775080 win 4210" geo_src="ENG"

    Where am I wrong in my thinking?

  • RatioApp (Web Portal) - Allowed – (Policy Type: RatioApp) TCP 50600
    From: External To: 192.168.133.253 (Srv-2)

    Should be To: SNAT RatioApp (Web Portal), not to 192.168.133.253

Sign In to comment.