  1. #1
    Newbie
    Join Date
    Jan 2019
    Posts
    13

    Question about allowing traffic from the WAN to the LAN

    Hello guys

    newbie speaking here. I tried to figure this out by myself, but had no luck unfortunately. I came from a different firewall (OPNSense) which is a completely different product and has a completely different approach to the configuration.

    So in short, my question would be: How do I correctly set up a rule that allows traffic from specific devices sitting in the WAN to access some LAN resources? What I've done so far:
    • Made sure the routing works fine
    • I can ping such a LAN device from Untangle
    • I can reach the firewall WAN interface from the WAN device (connected to a router where the WAN Untangle interface is connected to as well)
    • Created a rule (for testing) that allows traffic from all WAN devices to the LAN interface


    Result: all traffic from WAN devices is still being blocked. These connections show up in the blocked sessions (I enabled the logging) and they seem to be blocked by the default policy.

    What am I missing here? Please let me know if you need further details

    Thanks a lot !!!!

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,560


    Quote Originally Posted by Carva
    Created a rule (for testing) that allows traffic from all WAN devices to the LAN interface
    What rule did you create?

    You need a port forward rule to have inbound traffic traverse the NAT of the WAN to LAN. Rule should have the following conditions:

    - Source Address is <list of Internet IPs allowed in>
    - Destined Local is True
    - Destination Port is <List of ports to forward>
    - New Destination <LAN IP of the device to access>
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Jan 2019
    Posts
    13


    Quote Originally Posted by jcoffin
    What rule did you create?

    You need a port forward rule to have inbound traffic traverse the NAT of the WAN to LAN. Rule should have the following conditions:

    - Source Address is <list of Internet IPs allowed in>
    - Destined Local is True
    - Destination Port is <List of ports to forward>
    - New Destination <LAN IP of the device to access>
    Hi! Thanks for the quick reply. I think I missed posting these additional details:

    The reason why I didn't set up any forwarding rule is because the WAN interface doesn't have a public IP set. It's just directly connected to my router, which means it's part of its LAN network:
    • My router's LAN subnet is 10.0.0.0/24
    • the WAN interface of Untangle firewall is 10.0.0.6


    With the above being said, do I still need the forwarding rule?

    By the way, this is the rule I set up:
    2019-01-03 15_16_30-Untangle - firewall.png

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,560


    Post a screen capture of /admin/index.do#config/network

  5. #5
    Newbie
    Join Date
    Jan 2019
    Posts
    13


    Quote Originally Posted by jcoffin
    Post a screen capture of /admin/index.do#config/network
    Here you go:

    2019-01-03 15_25_48-Untangle - firewall.png

    The client I'm trying to connect from is listed in the ARP section of the WAN interface.

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,560


    The setup has a double NAT, which is not ideal. Is there a reason transparent mode was not chosen during the setup wizard so there are not two separate networks (10.0.0.0/24 and 192.168.3.0/24)?

    The upstream router/modem is NAT'ing the traffic to the 10.0.0.0/24 network. Are you trying to allow access from the 10.0.0.0/24 network to the 192.168.3.0/24 network? If yes, then the port forward rule is needed. If you are trying to allow access from the Internet to the 192.168.3.0/24 network, the Untangle port forward is needed along with a port forward rule on your upstream device to the Untangle IP.
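
A small Python model of the port forward conditions listed earlier in the thread and of the two-hop case described in the post above, added here as an illustration; it is not Untangle's code and not from any poster. The LAN server, client addresses, public IP and port 443 are constructed values, and the model assumes each hop rewrites only the destination address.

```python
"""Model of the port forward conditions from the thread (illustration only)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PortForward:
    local_ips: tuple        # addresses the NAT device owns ("Destined Local")
    sources: tuple          # networks allowed in ("Source Address")
    ports: tuple            # "Destination Port"
    new_destination: str    # "New Destination"

    def apply(self, src, dst, dport):
        """Return the rewritten destination, or None if any condition fails."""
        src_ip = ipaddress.ip_address(src)
        allowed = any(src_ip in ipaddress.ip_network(n) for n in self.sources)
        if dst in self.local_ips and dport in self.ports and allowed:
            return self.new_destination
        return None

def traverse(hops, src, dst, dport):
    """Pass a connection through each NAT hop in order.

    Model assumption: inbound traffic that matches no port forward is blocked,
    and a hop rewrites only the destination, so the source stays visible.
    """
    for hop in hops:
        dst = hop.apply(src, dst, dport)
        if dst is None:
            return None
    return dst

# Constructed sample values; only 10.0.0.6 and the subnets come from the thread.
LAN_SERVER = "192.168.3.10"      # hypothetical LAN device
WAN_CLIENT = "10.0.0.20"         # hypothetical device on the router's LAN
NET_CLIENT = "198.51.100.25"     # hypothetical Internet host (documentation range)
ROUTER_PUBLIC = "203.0.113.1"    # hypothetical public IP of the upstream router

UNTANGLE = PortForward(("10.0.0.6",), (WAN_CLIENT + "/32", NET_CLIENT + "/32"),
                       (443,), LAN_SERVER)
UPSTREAM = PortForward((ROUTER_PUBLIC,), (NET_CLIENT + "/32",), (443,), "10.0.0.6")

if __name__ == "__main__":
    print(traverse([UNTANGLE], WAN_CLIENT, "10.0.0.6", 443))     # allowed WAN device
    print(traverse([UNTANGLE], "10.0.0.99", "10.0.0.6", 443))    # not on the source list
    print(traverse([UNTANGLE], WAN_CLIENT, LAN_SERVER, 443))     # not Destined Local
    print(traverse([UPSTREAM, UNTANGLE], NET_CLIENT, ROUTER_PUBLIC, 443))  # both hops
    print(traverse([UPSTREAM], NET_CLIENT, ROUTER_PUBLIC, 443))  # stops at Untangle WAN IP
```

Listing individual source addresses instead of the whole 10.0.0.0/24 network keeps the forward limited to the devices that need access, which the model shows by rejecting 10.0.0.99.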

  7. #7
    Newbie
    Join Date
    Jan 2019
    Posts
    13


    Quote Originally Posted by jcoffin
    The setup has a double NAT, which is not ideal. Is there a reason transparent mode was not chosen during the setup wizard so there are not two separate networks (10.0.0.0/24 and 192.168.3.0/24)?

    The upstream router/modem is NAT'ing the traffic to the 10.0.0.0/24 network. Are you trying to allow access from the 10.0.0.0/24 network to the 192.168.3.0/24 network? If yes, then the port forward rule is needed. If you are trying to allow access from the Internet to the 192.168.3.0/24 network, the Untangle port forward is needed along with a port forward rule on your upstream device to the Untangle IP.
    Yeah that's why I said coming from a different product is misleading me. Basically with the other firewall I had this very similar setup and the WAN interface was basically being treated as an "internal" NIC, so it was able to route traffic properly without any port forward rule.

    As for the reason why I didn't choose transparent mode: I wanted to use Untangle as DHCP server for my LAN network 192.168.3.0/24 (same for the "DMZ" 192.168.4.0/24) to keep it separate and not directly visible from the WAN 10.0.0.0/24.

    Do you see any issue with this configuration ?

    P.S. Thanks a lot for your help

  8. #8
    Newbie
    Join Date
    Jan 2019
    Posts
    13


    In addition to the previous post I wanted to share this info:

    2019-01-03 16_03_23-Untangle - firewall.png

    This is how the device is showing up in the report. Additionally I made one more test after I created the port forward rule and that didn't seem to help much.

  9. #9
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,560


    Post your port forward rule.

  10. #10
    Newbie
    Join Date
    Jan 2019
    Posts
    13


    Quote Originally Posted by jcoffin
    Post your port forward rule.
    2019-01-03 17_56_31-Untangle - firewall.png
