HELP - Problem Troubleshooting Connection to Private Web Server from External Network
Hi Everyone.
I'm new to the forum, so I hope I've come to the right place to seek help.
I have a Watchguard XTM 515 in a test lab. It's been reset.
I've set up an inbound http-proxy with SNAT, so I can connect a PC on the external network to an IIS web server on the Optional network. Everything is configured as per the technical material, but I cannot access the web server.
The Firebox Traffic Monitor shows the inbound connection is Allowed. I ran a Wireshark packet capture at the PC and at the web server and noticed SYN/ACK retransmissions at the web server interface, but after many hours I cannot find the problem. The link contains a schematic of the architecture and a screenshot of the configuration.
I have since discovered I cannot browse the Internet from a device on the internal interface, nor can I ping the external interface or the Internet router. I can ping the interfaces from inside the firewall.
If anyone can offer help I would be grateful.
https://1drv.ms/b/s!Apq0JsRgrJX6lHUMFNXT2QxrDNyh?e=1kueKG
Comments
Have you added the Feature Key to your firewall ?
I factory reset the Watchguard XTM 5 and tried browsing out to the Internet, but nothing. I tried pinging the gateway router, nothing, so I then tried pinging the external interface card, but nothing. I set logging to show ping and Dynamic traffic, and nothing.
Yes, it appears it found the Feature Key itself.
Look at the Feature Key in your config.
Summary should show Model, Serial Number, Software Edition & Signature all filled in. If not, then your firewall does not have an imported feature key.
Web UI -> System
Check the Web UI -> System Status -> ARP table. Look for an entry for 192.168.1.233
You can turn on Logging (Send a log message) on the default Outgoing policy to see packets allowed by it in Traffic Monitor.
Did you modify or delete any of the 3 default Dynamic NAT entries?
Network -> NAT -> Dynamic NAT
It looks like port 0 is only a 10/100 interface. Make sure that this is not an issue for your connection to the Internet router (switch?) port.
Hi Bruce, thank you for your suggestions. I have taken all of them and created a simpler test where I factory reset the firewall, then try to browse a website on the external network from a PC on the trusted network. The default outgoing policy should allow this, but it's not working. I then try pinging various interfaces, enabling logging and capturing activity in the Watchguard Traffic Monitor to see if I can discover the cause of the problem. Unfortunately, this problem is beyond my ability to diagnose. The link shows the architecture, tests and results. It would be wonderful if you or any other smart firewall engineer could offer a solution. Thanks in advance.
https://1drv.ms/b/s!Apq0JsRgrJX6lHbIi3lIBr-C4ej1?e=cZwF1Z
Most puzzling.
You can do packet captures on a firewall interface using TCP DUMP.
It looks like this feature is not available in the Web UI in V11.9.1.
You would need to download WSM System Manager and use WSM Firebox System Manager to do the TCP DUMP on a specific interface.
Look at the TCP DUMP section here:
Run Diagnostic Tasks to Learn More About Log Messages
https://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/fsm/log_message_learn_more_wsm.html?TocPath=Monitor%20Your%20Device|Use%20Firebox%20System%20Manager%20(FSM)|_____4
The oldest version of WSM that I noticed for downloads is here:
http://cdn.watchguard.com/SoftwareCenter/Files/WSM/11_12_4/WSM11_12_4.exe
This version should be able to manage and access V11.9.1
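An added example, not from the thread or from WatchGuard: a small Python triage script that reads the plain-text lines tcpdump prints (the same capture the FSM TCP Dump task or a Wireshark export would give you) and judges each client-to-server handshake. The repeated SYN/ACKs the poster saw at the web server show up as the SYN_ACK_RETRANSMITTED verdict, which points at the return path (SNAT, routing, or the client host itself) rather than at the inbound policy, since the server clearly received the SYN. The sample capture is constructed: 192.168.1.233 stands in for the web server, 203.0.113.10 for the external test PC, and the ports, sequence numbers and timestamps are made up.

```python
"""Classify TCP three-way handshakes from tcpdump -n text output (added example)."""
import re
from collections import OrderedDict

# Matches the default tcpdump -n line format, e.g.
# 12:00:01.000100 IP 192.168.1.233.80 > 203.0.113.10.51000: Flags [S.], seq 5000, ack 1001, ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

ESTABLISHED = "ESTABLISHED"                      # SYN, SYN-ACK, ACK all seen
NO_REPLY = "NO_REPLY"                            # SYN sent, nothing came back: not reaching server
SYN_ACK_RETRANSMITTED = "SYN_ACK_RETRANSMITTED"  # server answers repeatedly, client never ACKs:
                                                 # suspect return path (NAT, routing) or client host
SYN_ACK_UNACKED = "SYN_ACK_UNACKED"              # one SYN-ACK and no ACK: capture may be too short
RESET = "RESET"                                  # RST seen: port closed or connection refused


def parse_line(line):
    """Return ((src, sport), (dst, dport), flags) for a TCP line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return (d["src"], int(d["sport"])), (d["dst"], int(d["dport"])), d["flags"]


def analyze(lines):
    """Group packets into client->server flows (keyed by the first SYN) and judge each."""
    flows = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ARP, ICMP, non-IPv4 or truncated lines are skipped
        src, dst, flags = parsed
        if "S" in flags and "." not in flags:
            # bare SYN: src is the client, dst the server; this defines the flow key
            st = flows.setdefault((src, dst), {"syn": 0, "syn_ack": 0, "ack": 0, "rst": 0})
            st["syn"] += 1
        elif "S" in flags:
            # SYN-ACK travels server -> client, so look the flow up by the reversed key
            st = flows.get((dst, src))
            if st is not None:
                st["syn_ack"] += 1
        elif "R" in flags:
            key = (src, dst) if (src, dst) in flows else (dst, src)
            if key in flows:
                flows[key]["rst"] += 1
        elif "." in flags and (src, dst) in flows:
            # any ACK from the client after a SYN-ACK completes the handshake
            st = flows[(src, dst)]
            if st["syn_ack"] > 0:
                st["ack"] += 1
    for st in flows.values():
        st["verdict"] = verdict(st)
    return flows


def verdict(st):
    if st["rst"]:
        return RESET
    if st["ack"]:
        return ESTABLISHED
    if st["syn_ack"] == 0:
        return NO_REPLY
    if st["syn_ack"] > 1:
        return SYN_ACK_RETRANSMITTED
    return SYN_ACK_UNACKED


# Constructed sample capture (not from the thread), as seen at the web server side.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 203.0.113.10.51000 > 192.168.1.233.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.000100 IP 192.168.1.233.80 > 203.0.113.10.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:02.000100 IP 192.168.1.233.80 > 203.0.113.10.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:04.000100 IP 192.168.1.233.80 > 203.0.113.10.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:05.000000 IP 203.0.113.10.51001 > 192.168.1.233.80: Flags [S], seq 2000, win 64240, length 0
12:00:05.000100 IP 192.168.1.233.80 > 203.0.113.10.51001: Flags [S.], seq 6000, ack 2001, win 65535, length 0
12:00:05.000200 IP 203.0.113.10.51001 > 192.168.1.233.80: Flags [.], ack 6001, win 64240, length 0
12:00:06.000000 IP 203.0.113.10.51002 > 192.168.1.233.8080: Flags [S], seq 3000, win 64240, length 0
12:00:06.000100 IP 192.168.1.233.8080 > 203.0.113.10.51002: Flags [R.], seq 0, ack 3001, win 0, length 0
12:00:07.000000 IP 203.0.113.10.51003 > 192.168.1.233.443: Flags [S], seq 4000, win 64240, length 0
12:00:07.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.233, length 28
"""

if __name__ == "__main__":
    for (client, server), st in analyze(SAMPLE_CAPTURE.splitlines()).items():
        print("%s:%d -> %s:%d  %s  (syn=%d syn_ack=%d ack=%d rst=%d)" % (
            client[0], client[1], server[0], server[1], st["verdict"],
            st["syn"], st["syn_ack"], st["ack"], st["rst"]))
```

To use it on a real lab, capture on the server-side interface with `tcpdump -n 'tcp port 80'` (or paste the FSM TCP Dump output into a file) and feed the lines to `analyze()`. Reading the verdict at both capture points is what separates the cases: NO_REPLY at the client but SYN-ACK retransmissions at the server means the firewall forwarded the SYN and the problem is on the way back, which is where the poster's faulty PC adapter would have shown up.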
Hi Bruce, I will try to do that later today. In the meantime I just received a Watchguard XTM 330 running 11.10.10.2 from eBay. I factory reset it, set up the external interface to be part of my home network and set the gateway address to my Internet router. I tried browsing Google from a PC on the trusted network and got exactly the same results as for the XTM 5. I'm completely stuck. I have an XTM 2 arriving tomorrow and I bet I will get the same result.
Although it says services expired, it looks like all the essential services are available and only the advanced services need a new license.
Make sure that you have a link light on your firewall external interface and on the ISP router port.
Some firewall models have auto MDIX ports and some don't and thus require the correct Ethernet cable type - straight through or cross-over.
Normally one uses a cross-over cable from the firewall to an ISP device port.
Have you registered your newly acquired firewalls with Watchguard?
You should do so if the firewall model is not End of Life.
An XTM 330 goes EoL on 07 Sep 2020
An XTM 515 goes EoL on 31 Dec 2020
XTM 21-23 went EoL on 30 Jun 2017
An XTM 25 & 26 go EoL on 01 Jul 2021
https://www.watchguard.com/wgrd-resource-center/end-of-life-policy
This way you can get a good feature key, and sometimes it is a limited time feature key which allows one to upgrade to the newest version of the XTM software for the unit.
Hi Bruce, there is a switch between the external interface and my internet router. The link lights are on and I can ping google.com using the Watchguard diagnostics ping tool. So, that interface is operational.
I discovered something very odd. I enabled Interface 2, trusted, 10.0.2.1, to see if I could ping Interface 1, trusted, 10.0.1.1. What I discovered is that Interface 1 cannot ping Interface 2, but Interface 2 can ping Interface 1. I also discovered I can browse the Internet from Interface 2. They both look to be set up the same. So, on both firewalls after a factory reset you cannot ping or browse the Internet from Interface 1, which is set to 10.0.1.1, but you can browse the Web UI.
The ARP table has entries for all interfaces. I have WSM 11.12.4 running, but couldn't find TCP dump. As Interface 1 is the default for managing the Watchguard, is there a setting to prevent external connectivity?
Tomorrow I will look closely at the two PCs connected to the interfaces.
Hi Bruce, problem sorted. When I put a different PC on Interface 1 it worked. The problem was the adapter on the PC. I ran the Windows troubleshooter and it corrected a problem that was reported as "invalid address". I don't know what that meant, because the PC was receiving its IP address from the DHCP server on the firewall. I look back at how I approached the testing and assumed the problem was the firewall, as it was an unknown device. The PCs used were new builds and trusted. The problem was only identified after trying to get two PCs to ping each other on the trusted LAN to eliminate elements of the firewall. One PC didn't respond to the ping, but could ping its gateway, the firewall. My test approach was to eliminate all problems at the interfaces first using ping and Wireshark packet capture. I assumed the ping problem was caused by the firewall and not the PC adapter. Next time I need to ensure the PC adapters are working correctly. A lesson learned from this exercise.
Thank you for your contribution, and maybe there's something you can learn from this as well.