Firewall Policies - RustDesk
Hello there,
I have a problem with my firewall configuration.
I configured a RustDesk server for my company.
I can connect to the server from external and internal IPs (cable connection - 192.168.XX.XX) without any problems, but I have a problem with the internal Wi-Fi IP (172.22.XX.XX).
Where should I start?
Answers
Look at Traffic Monitor - what do you see when this access is tried?
Any denies? If so, you may need a policy to allow this access.
How is your wi-fi device connected to your firewall?
What type of wi-fi device is this? An access point, a router???
Hey,
Traffic Monitor log for the RustDesk Srv IP when I'm trying to connect via WiFi:
2023-09-27 14:57:58 Deny 192.168.7.89 XX.XX.XX.XX 21114/tcp 58118 21114 Trusted Firebox Denied 60 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 3974275497 win 64240"
WiFi device is an Ubiquiti AP
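The Traffic Monitor line above is the thing to read carefully: the "(Unhandled Internal Packet-00)" tag means no policy matched the flow, so the Firebox applied its default deny. The following parser is an added example, not code from the thread or from WatchGuard; it splits a Traffic Monitor line into its fields and lists the unhandled denies to a given server port, i.e. the flows that still need an explicit Allow policy. The two sample lines are constructed (the first is modelled on the posted Deny, with the masked public IP kept; the second is a made-up Allow for contrast), and the field order is assumed from that single posted line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log. Line 1 mirrors the Deny posted in the thread (masked public
# IP kept as-is); line 2 is an invented Allow so the filter has something to skip.
SAMPLE_LOG = """\
2023-09-27 14:57:58 Deny 192.168.7.89 XX.XX.XX.XX 21114/tcp 58118 21114 Trusted Firebox Denied 60 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 3974275497 win 64240"
2023-09-27 14:58:03 Allow 172.22.1.20 203.0.113.10 21114/tcp 50112 21114 Corporate-WiFi External Allowed 60 64 (RustDesk-SNAT-00) proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 10 S 1 win 64240"
"""

# Field order assumed from the posted line:
# date time action src dst dport/proto sport dport src_zone dst_zone disposition len ttl (policy) key="value"...
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<action>Allow|Deny) '
    r'(?P<src>\S+) (?P<dst>\S+) '
    r'(?P<dport_proto>\d+/\w+) '
    r'(?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<src_zone>\S+) (?P<dst_zone>\S+) '
    r'(?P<disposition>\S+) (?P<length>\d+) (?P<ttl>\d+) '
    r'\((?P<policy>[^)]*)\)'
    r'(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class TrafficEvent:
    timestamp: str
    action: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    src_zone: str
    dst_zone: str
    policy: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def unhandled(self) -> bool:
        # "Unhandled Internal/External Packet" is the default deny: no policy matched.
        return self.policy.startswith("Unhandled")


def parse_line(line: str) -> Optional[TrafficEvent]:
    """Parse one Traffic Monitor line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return TrafficEvent(
        timestamp=g["ts"], action=g["action"], src=g["src"], dst=g["dst"],
        proto=g["dport_proto"].split("/")[1],
        sport=int(g["sport"]), dport=int(g["dport"]),
        src_zone=g["src_zone"], dst_zone=g["dst_zone"], policy=g["policy"],
        fields=dict(KV_RE.findall(g["kv"])),
    )


def parse_log(text: str) -> List[TrafficEvent]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def unhandled_denies_to(events: List[TrafficEvent], server_ports: Set[int]) -> List[TrafficEvent]:
    """Denies that happened only because no policy matched, towards the ports we care about."""
    return [e for e in events if e.action == "Deny" and e.unhandled and e.dport in server_ports]


def needed_policies(events: List[TrafficEvent], server_ports: Set[int]) -> Set[Tuple[str, str, int]]:
    """Distinct (source zone, destination, port) tuples that still need an Allow policy."""
    return {(e.src_zone, e.dst, e.dport) for e in unhandled_denies_to(events, server_ports)}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(e.timestamp, e.action, e.src, "->", e.dst, f"{e.dport}/{e.proto}", e.policy)
    print("policies to add (From zone, To host, port):", needed_policies(events, {21114}))
```

Run it against lines copied out of Traffic Monitor for the time window of a failed connection; an empty result with the connection still failing is itself a finding, because it means the packets never reached the Firebox at all (the situation the reply below describes for hosts on the same subnet).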
You said that the wi-fi IP addrs are 172.22.XX.XX.
The log that you posted is not from 172.22.XX.XX, so it is of no help understanding your issue.
To where is the Ubiquiti AP connected?
If to a firewall interface, what is the interface type set to? Trusted, Optional, or perhaps as guest?
Are the wireless users trying to access the private IP addr of the server?
If the rust server IP addr is from the same subnet as the Trusted PCs, then access from the Trusted PCs to the rust server goes directly to it and not via the firewall.
You could try adding a specific policy From: the wi-fi subnet To: the rust server IP addr.
You can turn on Logging on a policy to see packets allowed by it in Traffic Monitor. This can often help in understanding connection issues.
Hey,
There are no logs relating to the WiFi IP (my laptop) and the Rust Srv in Traffic Monitor.
Add a policy, with Logging
Care to answer all of my questions?
Client configuration for the rust server has an external IP because if users require help, e.g. working from home, then they have to connect to the server, and external IPs have no problem with this connection.
Zone: Trusted
Link Status: Up
Enabled: Yes
IPv4 Address: 192.168.XX.XX/24

Corporate WiFi [Up]
Zone: Custom
Link Status: Up
Enabled: Yes
IPv4 Address: 172.22.X.XX/24
I'm a new firewall user and I've never had any experience with it, and unfortunately there's no one here who could give me any tips or teach me, so I'm basically learning everything on my own.
To access the external IP of the server from behind the firewall, you need to use NAT loopback.
NAT Loopback and Static NAT (SNAT)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html
Thank you very much @Bruce_Briggs for all your help.
I added 1-to-1 NAT Configuration
Map Type - Single IP
Interface - Corporate WiFi
NAT Base - XX.XXXXXX
Real Base - 192.168.XX.XX
All working fine now, I can connect without any problems.
Thank you once again !
If you have a single public IP addr, then you really should not use 1-to-1 NAT for that IP addr, as doing so will prevent you from allowing Internet access to any other internal device. One can't use SNAT & 1-to-1 NAT on the same public (external) IP addr.
SNAT is recommended when there is a single public IP addr.
And one would use SNAT loopback to allow internal users to access the SNAT device via the public IP addr.
All you need to do is to add the appropriate subnet or firewall interface to the From: field of the already existing SNAT incoming policy.
You should only use 1-to-1 NAT on additional, not primary, external IP addrs.
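To make the "add the wi-fi subnet or interface to the From: field of the existing SNAT policy" advice concrete, here is an added example (not code from the thread or from WatchGuard) that models how such a policy is matched. It assumes a constructed lab: a documentation-range public IP standing in for the masked XX.XX.XX.XX, the Trusted and Corporate WiFi subnets from the interface list posted earlier, and only port 21114/tcp, the port seen in the posted log. It shows three things from the replies above: a Trusted PC on the server's own subnet never traverses the Firebox, a wi-fi client hitting the public IP is an unhandled (denied) packet while the SNAT policy's From: is only Any-External, and the same flow is allowed and translated to the real server address once the wi-fi interface is added to From:.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed lab addressing (assumptions, not values from the thread).
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")        # placeholder for the masked public IP
RUSTDESK_SERVER = ipaddress.ip_address("192.168.10.50")  # placeholder for 192.168.XX.XX
INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "Trusted": ipaddress.ip_network("192.168.10.0/24"),
    "Corporate-WiFi": ipaddress.ip_network("172.22.1.0/24"),
}
RUSTDESK_PORTS: Set[int] = {21114}   # only the port visible in the posted log line


@dataclass(frozen=True)
class SnatPolicy:
    name: str
    from_aliases: Set[str]                 # "Any-External" and/or interface names
    public_ip: ipaddress.IPv4Address       # address the SNAT action answers for
    real_ip: ipaddress.IPv4Address         # internal server the packet is rewritten to
    ports: Set[int]


@dataclass(frozen=True)
class Decision:
    matched_policy: str
    action: str
    translated_dst: Optional[str]          # None when nothing was allowed


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Map an address to the interface alias it arrives on; anything else is external."""
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "Any-External"


def traverses_firewall(src: str, dst: str) -> bool:
    """Two hosts on the same interface subnet talk directly; the Firebox never sees the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in net and d in net for net in INTERFACES.values())


def evaluate(policies: List[SnatPolicy], src: str, dst: str, dport: int) -> Decision:
    """First-match policy lookup with the default deny Fireware reports as an unhandled packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if d == p.public_ip and dport in p.ports and zone_of(s) in p.from_aliases:
            return Decision(p.name, "Allow", str(p.real_ip))
    side = "External" if zone_of(s) == "Any-External" else "Internal"
    return Decision(f"Unhandled {side} Packet", "Deny", None)


def with_loopback(policy: SnatPolicy, extra_aliases: Set[str]) -> SnatPolicy:
    """The SNAT loopback change: same policy, with internal interfaces added to From:."""
    return SnatPolicy(policy.name, policy.from_aliases | extra_aliases,
                      policy.public_ip, policy.real_ip, policy.ports)


# The incoming SNAT policy as it would be when it only serves Internet users.
INCOMING = SnatPolicy("RustDesk-SNAT", {"Any-External"}, PUBLIC_IP, RUSTDESK_SERVER, RUSTDESK_PORTS)
# The same policy after adding the wi-fi interface to From:, per the advice in the thread.
INCOMING_LOOPBACK = with_loopback(INCOMING, {"Corporate-WiFi"})


if __name__ == "__main__":
    wifi_client, trusted_pc, home_user = "172.22.1.20", "192.168.10.7", "198.51.100.4"
    print("Trusted PC -> server LAN IP hits Firebox?", traverses_firewall(trusted_pc, str(RUSTDESK_SERVER)))
    print("home user   ->", evaluate([INCOMING], home_user, str(PUBLIC_IP), 21114))
    print("wifi before ->", evaluate([INCOMING], wifi_client, str(PUBLIC_IP), 21114))
    print("wifi after  ->", evaluate([INCOMING_LOOPBACK], wifi_client, str(PUBLIC_IP), 21114))
```

The model deliberately keeps From: as a set of aliases rather than raw subnets, because that is the unit the policy editor works in: adding the interface alias covers every host on it, while adding one host would leave the rest of the wi-fi subnet producing the same unhandled-packet denies.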
I'm a bit lost. I removed 1-to-1 but under
NETWORK > Interfaces
I can't add anything.
I have this rule in firewall:
What should I add, and where, to make it work?
Look up SNAT on the Help site.
You add a policy with a SNAT action to allow access to the server from the Internet.