Domotica server not reachable
Hi there,
We cannot reach our domotica server from outside our network.
Wi-Fi works fine, but from outside I'm not able to get a connection.
Setup is as follows:
internet --> orange (modem/router) DMZ --> firebox T15 --> domotica server
Policies as follows:
from: Any-external to IP server
port: UDP/TCP 443
connections: allowed
Thanks in advance,
Dave
Comments
To allow incoming access to an internal device which has a private IP addr, you need to use NAT. Most often SNAT is used.
Are you using NAT on this policy ?
I didn't have the NAT configured.
I just configured the NAT 1 to 1 and I think this was the trigger.
The VOIP (other post) just worked.
Thanks
Hi Bruce,
I set up the NAT (but I'm a bit of an amateur ;-) at this).
Perhaps you can help me out here.
I made the setup as following:
Orange modem/router IP x.x.203.1 (no port forwards here)
put this router in DMZ pointing to x.x.203.2
In the firebox I conf. the interface as mixed routing
external x.x.203.2/30
trusted x.x.2.3/24
the NAT 1 to 1
external (NAT BASE)x.x.203.0/24 (REAL BASE)x.x.2.0/24
firewall policy:
any-external to x.x.2.103
port UDP/TCP 443
under the Advanced tab: NAT 1-to-1 is selected
That's about it I guess,
Thanks in advance,
Dave
How many public IP addrs do you have? /30 suggests just 2.
Is x.x.203.0 a valid public IP addr ?
FYI - you should not include the firewall external interface IP addr in a 1-to-1 NAT setup.
So for external access to x.x.203.2, you should really be using SNAT, not 1-to-1 NAT
Also, are you using the Web UI or WSM Policy Manager here ?
The NAT settings on the Advanced tab are more often used for outgoing policies. Normally these do not need to be modified, but can be useful for special situations.
Hi,
I have just two IPs on the public side, x.x.203.1 & 2 (just to be sure in my amateurism: the provider internet IP 94.71.x.x comes to the modem/router, and there I put the modem in DMZ with IP x.x.203.1 and direct it to x.x.203.2).
I use the Web UI for setup
So if I understand right, set up an SNAT and use this SNAT in the policy.
And what about the traffic coming from the router x.x.203.2: don't I need a NAT to direct the traffic to my network x.x.2.0? Sorry for the stupid questions ;-)
Thanks,
Your ISP device is a packet forwarder - forwarding packets from the Internet to your firewall, and forwarding packets from your firewall to the Internet.
Doubtful that many/any packets actually originate from your ISP router which need to go to some device inside your firewall.
Note that reply packets are always allowed, and you do not need any special policy or NATs to allow reply packets.
I was just experimenting on the NAT.
I'm only able to make a connection to the internet with a 1-to-1 NAT with
NAT base x.x.203.0/24 and real base x.x.2.0/24.
If I try x.x.203.0/30 there is no connection.
If I try to set up a Dynamic NAT, no connection.
I made a scheme of the setup, and the problems i encounter.
DO not use 1-to-1 NAT here. Use SNAT, PLEASE, and use your firewall public IP addr in the SNAT.
Dynamic NAT is primarily for outgoing sessions.
Review this example:
Set Up a Public Web Server Behind a Firebox
https://www.watchguard.com/help/configuration-examples/snat_web_server_configuration_example_(en-US).pdf
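As an added illustration (not WatchGuard code, and not from any poster in this thread), the model below shows why the two NAT styles discussed behave differently for inbound access. 1-to-1 NAT maps an address range onto another range position by position, so a /30 NAT base never covers the server at .103, while a /24 base also claims the firewall's own external address (.2) for an internal host. SNAT instead rewrites only traffic sent to the firewall's public IP (and, here, port 443) to the server, and the reply path is reversed without any extra policy. Addresses are constructed: the thread's `x.x.203.` prefix is modelled as `198.51.100.` and `x.x.2.` as `192.168.2.`; the functions and packet structure are this example's own, not the Firebox implementation.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the thread's addresses (x.x.203.2 and x.x.2.103).
FW_EXTERNAL = ipaddress.ip_address("198.51.100.2")   # firebox external interface
SERVER = ipaddress.ip_address("192.168.2.103")       # domotica server on trusted


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"


def one_to_one_nat(pkt, nat_base, real_base):
    """1-to-1 NAT: the n-th address of nat_base becomes the n-th of real_base.
    Returns the translated packet, or None when dst lies outside nat_base."""
    nat_net = ipaddress.ip_network(nat_base)
    real_net = ipaddress.ip_network(real_base)
    if pkt.dst not in nat_net:
        return None
    offset = int(pkt.dst) - int(nat_net.network_address)
    return replace(pkt, dst=real_net.network_address + offset)


def snat(pkt, public_ip, internal_ip, port=None):
    """Static NAT: rewrite only packets addressed to public_ip (and port, if given)."""
    if pkt.dst != public_ip or (port is not None and pkt.dport != port):
        return None
    return replace(pkt, dst=internal_ip)


def snat_reply(pkt, public_ip, internal_ip):
    """Reverse translation for the server's reply: source goes back to the public IP."""
    if pkt.src != internal_ip:
        return None
    return replace(pkt, src=public_ip)


def policy_allows(pkt, allowed_dst, ports=(443,)):
    """The thread's policy: Any-External to the server, TCP/UDP 443 only."""
    return pkt.dst == allowed_dst and pkt.dport in ports and pkt.proto in ("tcp", "udp")


def inbound_via_snat(pkt):
    """Full inbound path as recommended in the thread: SNAT on the public IP, then policy."""
    translated = snat(pkt, FW_EXTERNAL, SERVER, port=443)
    if translated is None or not policy_allows(translated, SERVER):
        return None
    return translated


def compare_1to1_bases(pkt):
    """Show what the two 1-to-1 bases tried in the thread do with one inbound packet."""
    return {
        "/30": one_to_one_nat(pkt, "198.51.100.0/30", "192.168.2.0/30"),
        "/24": one_to_one_nat(pkt, "198.51.100.0/24", "192.168.2.0/24"),
    }


if __name__ == "__main__":
    client = ipaddress.ip_address("203.0.113.9")  # constructed remote client
    inbound = Packet(client, FW_EXTERNAL, 443)
    print("SNAT path:", inbound_via_snat(inbound))
    print("1-to-1 with firewall IP in range:", compare_1to1_bases(inbound))
    reply = Packet(SERVER, client, 52000)
    print("reply after reverse SNAT:", snat_reply(reply, FW_EXTERNAL, SERVER))
```

Running it shows the SNAT path delivering the packet to 192.168.2.103, the /30 base dropping a packet sent to .103 entirely, and the /24 base sending traffic for the firewall's own external address to 192.168.2.2, which is the reason the thread advises keeping the external interface IP out of any 1-to-1 mapping.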
GREAT, got it working. THANKS. Due to my dumbness I was mixing things up.