blackhawk
New Member
May 29, 2018
Question

Help with partially working port forwarding

  • May 29, 2018
  • 1 reply
  • 7930 views

I am struggling to find the source of a failure to port forward. Most likely a dumb user error, but I just can't see where the issue is.

I have set up 3 virtual IPs from a WAN interface to a local interface forwarding three different ports, tied them to a VIP group and then put in a policy to enable the routing. So far so good.

On one of the ports, I can telnet from WAN and get a response from the destination server, but on the other ports, I get nothing back. From the LAN, I can hit all three ports just fine, so it does not appear to be a problem with the destination server.

When I try to telnet to port 6281 from the WAN I get the following sniffer output (three retries with no response):

FG100D3G14800997 # diag snif packet lan 'port 6281' 4
interfaces=[lan]
filters=[port 6281]
5.186717 lan -- 192.168.25.130.59321 -> 96.xx.xx.xx.6281: syn 1061727477 
8.188726 lan -- 192.168.25.130.59321 -> 96.xx.xx.xx.6281: syn 1061727477 
14.192043 lan -- 192.168.25.130.59321 -> 96.xx.xx.xx.6281: syn 1061727477 

But doing the telnet to port 22, you can see that the routing is working:

FG100D3G14800997 # diag snif packet lan 'port 22' 4
interfaces=[lan]
filters=[port 22]
3.549354 lan -- 192.168.25.130.59296 -> 96.xx.xx.xx.22: syn 583024486 
3.549446 lan -- 192.168.25.2.59296 -> 192.168.25.21.22: syn 583024486 
3.549642 lan -- 192.168.25.21.22 -> 192.168.25.2.59296: syn 4254475213 ack 583024487 
3.549705 lan -- 96.xx.xx.xx.22 -> 192.168.25.130.59296: syn 4254475213 ack 583024487 
3.550396 lan -- 192.168.25.130.59296 -> 96.xx.xx.xx.22: ack 4254475214 

The VIP and the policies are all in the same rule... what am I missing here?

    1 reply

    blackhawk (Author)
    New Member
    May 29, 2018

    I finally figured out where the issue is coming from but not sure why...

    The issue turned out to be when I created the services for the other two ports. I set the source and destination ports the same; so in service 1, I created it with port 6281 as the source and destination and did the same with service 2, port 6690.

    The problem is that when the source port is specified, traffic is blocked.

    My question then is, if I have a VIP coming into a specific port and being routed to a server using the same port, why does the source have to be blank? Why does it not work to have the source and destination both specified?
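    As an added illustration of the two things this thread turns on (it is not code from the original posts or from Fortinet): a small parser for sniffer lines in the shape quoted in the question, a simplified stand-in for a firewall "service" object, and two checks. The first check shows that a service whose source-port range is pinned to 6281 matches none of the client SYNs, because clients connect from an ephemeral source port (59321 and 59296 in the captures), while the same service with the source port left unrestricted matches them. The second check reproduces what the two captures revealed by hand: a SYN to the VIP that never reappears with the same client port and TCP sequence number on the inside was never translated. The sniffer lines below are constructed to mirror the quoted output, the masked `96.xx.xx.xx` VIP is kept as a placeholder, and the `Service` model is an assumption that covers only the port check, not a full policy lookup.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines patterned on the sniffer output quoted in the
# question (same client, masked VIP and inside server; header lines included
# to show that the parser skips them).
SNIFFER_OUTPUT = """\
interfaces=[lan]
filters=[port 6281]
5.186717 lan -- 192.168.25.130.59321 -> 96.xx.xx.xx.6281: syn 1061727477
8.188726 lan -- 192.168.25.130.59321 -> 96.xx.xx.xx.6281: syn 1061727477
3.549354 lan -- 192.168.25.130.59296 -> 96.xx.xx.xx.22: syn 583024486
3.549446 lan -- 192.168.25.2.59296 -> 192.168.25.21.22: syn 583024486
3.549642 lan -- 192.168.25.21.22 -> 192.168.25.2.59296: syn 4254475213 ack 583024487
"""

# "<ts> <iface> -- <src>.<sport> -> <dst>.<dport>: <flags ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+--\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>.+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    @property
    def is_client_syn(self) -> bool:
        # A bare SYN (no ACK) is the client's connection attempt.
        return self.flags.startswith("syn") and "ack" not in self.flags

    @property
    def seq(self) -> int:
        # First number after the flag word is the TCP sequence number.
        return int(self.flags.split()[1])


def parse_sniffer(text: str) -> List[Flow]:
    """Parse packet lines; header lines such as interfaces=[...] are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(float(m["ts"]), m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["flags"].strip()))
    return flows


@dataclass(frozen=True)
class Service:
    """Hypothetical simplified service object: a destination port range and an
    optional source port range (None = any source port, the usual default)."""
    name: str
    dst_ports: range
    src_ports: Optional[range] = None

    def matches(self, flow: Flow) -> bool:
        if flow.dport not in self.dst_ports:
            return False
        return self.src_ports is None or flow.sport in self.src_ports


def matching_syn_counts(flows: List[Flow], services: List[Service]) -> Dict[str, int]:
    """How many client SYNs each service would match. A service that pins the
    source port to the server port matches none, since clients use ephemeral
    source ports."""
    counts = {s.name: 0 for s in services}
    for f in flows:
        if f.is_client_syn:
            for s in services:
                if s.matches(f):
                    counts[s.name] += 1
    return counts


def untranslated_syns(flows: List[Flow], vip: str) -> List[Flow]:
    """SYNs addressed to the VIP that never reappear towards another address
    with the same client source port and sequence number, i.e. the DNAT step
    never happened. This is the pattern visible in the 6281 capture."""
    inbound = [f for f in flows if f.is_client_syn and f.dst == vip]
    translated = {(f.sport, f.seq) for f in flows if f.is_client_syn and f.dst != vip}
    return [f for f in inbound if (f.sport, f.seq) not in translated]


if __name__ == "__main__":
    flows = parse_sniffer(SNIFFER_OUTPUT)
    pinned = Service("6281-src-pinned", range(6281, 6282), src_ports=range(6281, 6282))
    open_src = Service("6281-any-src", range(6281, 6282))
    print(matching_syn_counts(flows, [pinned, open_src]))
    for f in untranslated_syns(flows, "96.xx.xx.xx"):
        print(f"no translated counterpart for SYN to port {f.dport} from source port {f.sport}")
```

    Running it shows the pinned service matching zero SYNs and the unpinned one matching both 6281 retries, and lists the two 6281 SYNs as untranslated while the port 22 SYN, which does reappear as `192.168.25.2.59296 -> 192.168.25.21.22` with the same sequence number, is not listed.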

    Toshi_Esumi
    SuperUser
    May 29, 2018

    What do you mean by "source" and "destination" in the context "service" creation? Can you share the actual config after masking some sensitive parts?

    blackhawk (Author)
    New Member
    May 30, 2018

    I have included an image of the source and destination ports in the Firewall Objects -> Service -> Services.

    Given that my from and to are both the same port... not sure why source must be blank.