New Internet Service SNAT Not Working

I have set up a new internet service and I want to use one of the new IPs to route traffic on a port to an internal workstation. This works correctly using the old internet service/IP.

I can access the internet on the new service. I can ping the new external IP and see the traffic being blocked on the WatchGuard. When I attempt to access the service on the Port using the new IP nothing is logged (connections on the old IP were logged). I have created the new SNAT and saved changes to the Firebox and that is the only change in the policy.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @gveld

    Do you see any logs appear in traffic monitor when you attempt to use the new SNAT?

    -If it's unhandled, the firewall isn't matching a rule at all. Check for typos.
    -If there's no logs, try turning on "send log message" in your policy with the SNAT. Do you see allow logs now?
    -If you're seeing allow logs, are there any software firewalls on the machine that the traffic is being delivered to that may be denying traffic?

    -James Carson
    WatchGuard Customer Support

  • Make sure that you have Logging enabled on the new policy.
    It is not enabled by default, thus you will not see anything in Traffic Monitor for allowed packets without logging being enabled.

  • Thanks for the responses:

    1. I am not seeing any typos. Checked the interface/policy/SNAT and connecting device. Everything looks correct
    2. 'Send log message' was enabled for the policy.
    3. I am not seeing any allows logged for the new IP. I can see allows for the old IP.
  • Contact your ISP, and see if there is an issue for the port in use here.
    Normally you should see either an allow or a deny in Traffic Monitor.

    Do note for TCP packets, if the internal dest device does not respond (no TCP handshake), then you won't see an allow log entry in Traffic Monitor. So make sure that this is not being blocked on the internal device.

  • james.carson Moderator, WatchGuard Representative
    edited November 2022

    @gveld You may not see a log message if it's a TCP connection and it's not completing.

    You can use TCPDUMP to verify if the traffic is being passed to the machine internally.

    Open WatchGuard System Manager, and log in to your firewall.
    -Launch Firebox System Manager.
    -Go to Tools -> Diagnostic tasks, select TCP Dump from the drop down menu.
    -Select the advanced options checkbox.
    -In the arguments field, type "-i eth1 (host 10.0.1.50 and port 443) or arp"
    (change "eth1" to whatever the interface the server you're forwarding to lives on, change the IP to the IP of that machine, and change the port to the port that you're sending to.)

    -Click start task.

    -Attempt to send traffic to that server.

    -If you just see traffic with [S] in the log line, that means the firewall is forwarding the TCP connection to the server, but it is not responding for some reason.
    -If you just see ARP traffic for that server, it is not responding or not responding correctly.
    -If you see [R] or [RST] the server is sending resets to kill the connection.

    You can use the same command on your external to see if the traffic is even making it to the firewall. Just change the IP to the one you're coming from, and the interface to the external one.

    -James Carson
    WatchGuard Customer Support
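The three outcomes James lists ([S] only, ARP only, [R]/[RST]) can be read off a short capture by eye, but a small parser makes the same call consistently over a longer one. The following is an added example and is not code from WatchGuard or from this thread; it assumes the default text output format of tcpdump for the filter shown above, and every capture line below is constructed (the external client address 203.0.113.10 is from the documentation range and the MAC address is made up). It classifies each line as traffic to or from the forwarded host and port, or as ARP for that host, and then reports one of the verdicts from the post, plus "no_traffic" for the case that actually applied here (nothing at all arriving on the external interface).

```python
import re
from collections import Counter

# Line shapes as printed by tcpdump for the filter "(host X and port Y) or arp"
# (assumed default text output; constructed examples are below).
TCP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
ARP_RE = re.compile(r"ARP, (?P<kind>Request|Reply) ")

# Human-readable meaning of each verdict, following the diagnosis in the post.
VERDICTS = {
    "no_traffic": "nothing for this host/port reached the interface at all",
    "forwarded_no_reply": "firewall forwards SYNs, server never answers",
    "arp_unanswered": "only ARP requests seen, host not answering on the LAN",
    "server_resets": "server replies with RST, closing the connection",
    "handshake_ok": "server sent SYN-ACK, the TCP handshake completes",
    "inconclusive": "traffic seen but none of the known patterns matched",
}


def classify_line(line, host, port):
    """Map one tcpdump line to an event name, or None if it is unrelated."""
    m = TCP_RE.search(line)
    if m:
        flags = m.group("flags")
        to_server = m.group("dst") == host and int(m.group("dport")) == port
        from_server = m.group("src") == host and int(m.group("sport")) == port
        if to_server and flags == "S":
            return "syn_to_server"
        if from_server and "R" in flags:
            return "rst_from_server"
        if from_server and "S" in flags and "." in flags:
            return "synack_from_server"
        if to_server or from_server:
            return "other_tcp"
        return None
    m = ARP_RE.search(line)
    if m and host in line:  # exact-string check; enough for a constructed capture
        return "arp_request" if m.group("kind") == "Request" else "arp_reply"
    return None


def diagnose(lines, host, port):
    """Return (verdict, event counts) for a capture taken on the server's interface."""
    counts = Counter(classify_line(line, host, port) for line in lines)
    counts.pop(None, None)
    if not counts:
        return "no_traffic", counts
    if counts["rst_from_server"]:
        return "server_resets", counts
    if counts["synack_from_server"]:
        return "handshake_ok", counts
    if counts["syn_to_server"]:
        return "forwarded_no_reply", counts
    if counts["arp_request"] and not counts["arp_reply"]:
        return "arp_unanswered", counts
    return "inconclusive", counts


# Constructed sample captures (not real tcpdump output from any device).
SYN = "IP 203.0.113.10.51234 > 10.0.1.50.443: Flags [S], seq 1, win 64240, length 0"
SYNACK = "IP 10.0.1.50.443 > 203.0.113.10.51234: Flags [S.], seq 9, ack 2, win 65535, length 0"
ACK = "IP 203.0.113.10.51234 > 10.0.1.50.443: Flags [.], ack 10, win 64240, length 0"
RST = "IP 10.0.1.50.443 > 203.0.113.10.51234: Flags [R.], seq 0, ack 2, win 0, length 0"
ARP_REQ = "ARP, Request who-has 10.0.1.50 tell 10.0.1.1, length 28"
ARP_REP = "ARP, Reply 10.0.1.50 is-at 00:11:22:33:44:55, length 28"

SYN_ONLY_CAPTURE = [ARP_REQ, ARP_REP, SYN, SYN, SYN]   # SYN retransmits, no reply
ARP_ONLY_CAPTURE = [ARP_REQ, ARP_REQ, ARP_REQ]        # host silent at layer 2
RESET_CAPTURE = [SYN, RST]                            # server actively refuses
HANDSHAKE_CAPTURE = [SYN, SYNACK, ACK]                # working forward
EMPTY_CAPTURE = []                                    # e.g. ISP dropping inbound


if __name__ == "__main__":
    for name, cap in [("syn only", SYN_ONLY_CAPTURE), ("arp only", ARP_ONLY_CAPTURE),
                      ("reset", RESET_CAPTURE), ("handshake", HANDSHAKE_CAPTURE),
                      ("empty", EMPTY_CAPTURE)]:
        verdict, counts = diagnose(cap, "10.0.1.50", 443)
        print(f"{name:10s} -> {verdict}: {VERDICTS[verdict]} {dict(counts)}")
```

Run the same function over a capture from the external interface (with the filter pointed at the external IP and port) to separate the two failure points the thread describes: "no_traffic" there means the packets never reach the Firebox, which is the ISP-side block the original poster eventually found, while "forwarded_no_reply" on the internal side points at the destination host.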

  • TCP Dump was showing no traffic on the external address. I was able to contact the ISP this morning and found out that incoming traffic was turned off.

    Didn't realize that was a thing for business accounts.

    Thanks for your assistance in working through the issue.
