Domotica server not reachable

Hi there,

We cannot reach our domotica server from outside our network.
Wi-Fi works fine, but from outside I'm not able to get a connection.

Setup is as follows:
internet --> orange (modem/router) DMZ --> firebox T15 --> domotica server

Policies are as follows:
from: Any-external to IP server
port: UDP/TCP 443
connections: allowed

Thanks in advance,
Dave

Comments

  • To allow incoming access to an internal device which has a private IP addr, you need to use NAT. Most often SNAT is used.
    Are you using NAT on this policy ?

  • I didn't have the NAT configured.
    I just configured the NAT 1 to 1 and I think this was the trigger.
    The VOIP (other post) just worked.

    Thanks

  • Hi Bruce,

    I set up the NAT (but I'm a bit of an amateur ;-) on this).
    Perhaps you can help me out here.
    I made the setup as follows:
    Orange modem/router IP x.x.203.1 (no port forwards here)
    put this router in DMZ pointing to x.x.203.2

    In the firebox I conf. the interface as mixed routing
    external x.x.203.2/30
    trusted x.x.2.3/24

    the NAT 1 to 1
    external (NAT BASE)x.x.203.0/24 (REAL BASE)x.x.2.0/24

    firewall policy:
    any-external to x.x.2.103
    port UDP/TCP 443
    under the Advanced tab: NAT 1-to-1 is selected

    That's about it, I guess.
    Thanks in advance,
    Dave

  • edited October 29

    How many public IP addrs do you have? /30 suggests just 2.
    Is x.x.203.0 a valid public IP addr ?
    FYI - you should not include the firewall external interface IP addr in a 1-to-1 NAT setup.
    So for external access to x.x.203.2, you should really be using SNAT, not 1-to-1 NAT.

  • edited October 29

    Also, are you using the Web UI or WSM Policy Manager here ?

    The NAT settings on the Advanced tab are more often used for outgoing policies. Normally these do not need to be modified, but can be useful for special situations.

  • Hi,
    I have just two IPs on the public side, x.x.203.1 & 2 (just to be sure, in my amateurism: the provider's internet IP 94.71.x.x comes to the modem/router, and there I put the modem in DMZ with IP x.x.203.1 and direct it to x.x.203.2).
    I use the Web UI for setup.

    So if I understand right, set up an SNAT and use this SNAT in the policy.
    And what about the traffic coming from the router to x.x.203.2: don't I need a NAT to direct the traffic to my network x.x.2.0? Sorry for the stupid questions ;-)

    Thanks,

  • edited October 30

    Your ISP device is a packet forwarder - forwarding packets from the Internet to your firewall, and forwarding packets from your firewall to the Internet.
    Doubtful that many/any packets actually originate from your ISP router which need to go to some device inside your firewall.
    Note that reply packets are always allowed, and you do not need any special policy or NATs to allow reply packets.

  • I was just experimenting on the NAT.
    I'm only able to make a connection to the internet with a 1-to-1 NAT with
    NAT base x.x.203.0/24 and real base x.x.2.0/24.
    If I try x.x.203.0/30, there is no connection.
    If I try to set up a Dynamic NAT, no connection.

    I made a diagram of the setup and the problems I encounter.

    [image: screenshot "Schermafbeelding 2019-10-30 om 14.06.41" (attachment not included in this text)]

  • edited October 30

    Do not use 1-to-1 NAT here. Use SNAT, PLEASE, and use your firewall public IP addr in the SNAT.
    Dynamic NAT is primarily for outgoing sessions.
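    The following is an added illustration, not code from this thread or from WatchGuard: a small model of the two NAT modes discussed above (the 1-to-1 NAT Dave tried, with the firewall's own external address inside the NAT base, versus the SNAT Bruce recommends). The addresses are constructed stand-ins for the thread's "x.x.203.0/24" public side, "x.x.203.2" firewall external IP, "x.x.2.0/24" trusted side and "x.x.2.103" server; the function names are the example's own. It shows why 1-to-1 NAT cannot deliver traffic for the firewall's public address to the .103 server when only two public addresses exist, while SNAT maps that one public address and port straight to the server.

```python
import ipaddress

# Constructed stand-ins for the thread's addresses (203.0.113.0/24 is a
# documentation range, 10.0.2.0/24 a private range).
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")     # "x.x.203.0/24" NAT base
TRUSTED_BLOCK = ipaddress.ip_network("10.0.2.0/24")        # "x.x.2.0/24" real base
FIREWALL_EXTERNAL = ipaddress.ip_address("203.0.113.2")   # Firebox external IP ("x.x.203.2")
SERVER = ipaddress.ip_address("10.0.2.103")               # domotica server ("x.x.2.103")


def one_to_one_nat(nat_base, real_base, dst):
    """1-to-1 NAT: address N of nat_base is mapped to address N of real_base
    (same offset from the network address). Returns the internal address the
    packet is delivered to, or None when dst is not covered by the mapping."""
    if dst not in nat_base:
        return None
    offset = int(dst) - int(nat_base.network_address)
    if offset >= real_base.num_addresses:
        return None
    return ipaddress.ip_address(int(real_base.network_address) + offset)


def public_address_for_server(nat_base, real_base, server):
    """Inverse of one_to_one_nat: which public address a client would have to
    contact for 1-to-1 NAT to deliver the packet to `server`. None when the
    NAT base is too small to cover that offset."""
    offset = int(server) - int(real_base.network_address)
    if offset >= nat_base.num_addresses:
        return None
    return ipaddress.ip_address(int(nat_base.network_address) + offset)


def snat(public_ip, public_port, server_ip, server_port, dst, dport):
    """Static NAT (SNAT): one public IP:port on the firewall is forwarded to one
    internal host:port. Any other destination is left untouched (None)."""
    if dst == public_ip and dport == public_port:
        return server_ip, server_port
    return None


def compare_modes():
    """Evaluate a client packet addressed to the firewall's public IP on 443
    under both NAT modes; returns a dict a reader can inspect."""
    return {
        # 1-to-1 NAT with the firewall's own address inside the NAT base sends
        # the packet to 10.0.2.2, not to the server.
        "one_to_one_delivers_to": one_to_one_nat(PUBLIC_BLOCK, TRUSTED_BLOCK, FIREWALL_EXTERNAL),
        # Reaching .103 via 1-to-1 NAT would need public address .103, which
        # a /30 allocation (two usable addresses) does not contain.
        "one_to_one_needs_public": public_address_for_server(PUBLIC_BLOCK, TRUSTED_BLOCK, SERVER),
        "one_to_one_needs_public_with_30": public_address_for_server(
            ipaddress.ip_network("203.0.113.0/30"), TRUSTED_BLOCK, SERVER),
        # SNAT: the firewall's single public address on 443 goes to the server.
        "snat_delivers_to": snat(FIREWALL_EXTERNAL, 443, SERVER, 443, FIREWALL_EXTERNAL, 443),
    }


if __name__ == "__main__":
    for key, value in compare_modes().items():
        print(f"{key}: {value}")
```

    The model only captures destination selection, not the session state that lets reply packets back out (which, as noted above, needs no extra policy); its point is that with two public addresses and a private server block, a 1-to-1 mapping of whole subnets can never target the .103 host, whereas an SNAT on the firewall's own public IP does.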

  • Review this example:
    Set Up a Public Web Server Behind a Firebox
    https://www.watchguard.com/help/configuration-examples/snat_web_server_configuration_example_(en-US).pdf

  • GREAT, got it working. THANKS. Due to my dumbness I was mixing things up.
