downloading files on LAN through WAN URL makes UT angry!

[carboncow]

That ought to get your attention!

So we have a Synology server in house that I'm starting to host our marketing teams photos and video files on. If we access that server via a local IP there is no problem..blazing fast downloads and access.

But...if they access it through our public URL while still inside our LAN the firewall blocks access for 10-15 seconds. What happens is I cannot ping the UT or the internet...it (the UT) clearly blocking until the download fails and then the UT's access comes back online.

I believe I'm ruled out the Synology being the issue in anyway as it's only when our internal request go through our public domain name that points right back at our internal network.

If I try to download those same video files from my home through our WAN address to the Synology there is no problem.I think this is because the download is dramatically slowed down but when I try to access those files inside the LAN the data is moving so quickly or so large in a way the UT says..."nope".

What app/service might be controlling what is shutting off the network?

I'll include a screenshot to my rack setup as well as a screencast of an attempted download and the pings failing to the UT and outside world.

Screencast: https://www.dropbox.com/s/po1wwppo79...09-18.mp4?dl=0


2022-03-12_11-02-54.jpg

[dashpuppy]

That ought to get your attention!

So we have a Synology server in house that I'm starting to host our marketing teams photos and video files on. If we access that server via a local IP there is no problem..blazing fast downloads and access.

But...if they access it through our public URL while still inside our LAN the firewall blocks access for 10-15 seconds. What happens is I cannot ping the UT or the internet...it (the UT) clearly blocking until the download fails and then the UT's access comes back online.

I believe I'm ruled out the Synology being the issue in anyway as it's only when our internal request go through our public domain name that points right back at our internal network.

If I try to download those same video files from my home through our WAN address to the Synology there is no problem.I think this is because the download is dramatically slowed down but when I try to access those files inside the LAN the data is moving so quickly or so large in a way the UT says..."nope".

What app/service might be controlling what is shutting off the network?

I'll include a screenshot to my rack setup as well as a screencast of an attempted download and the pings failing to the UT and outside world.

Screencast: https://www.dropbox.com/s/po1wwppo79...09-18.mp4?dl=0

Are you port forwarding to your nas to be able to access it externally ?

[sky-knight]

Your port forward isn't sane, and it's not that UT's locked up... it's that the system you're testing from is forcing the use of a malformed port forward rule, possibly running into service port limitations.

This is hairpin NAT disaster number 1, been around for decades, and the same fix applies... smack your Untangle so that the public name resolves to the private IP address.

*edit* also, if you're not shoveling those sessions into their own policy, you need to be bypassing it.

[TirsoJRP]

This is hairpin NAT disaster number 1, been around for decades, and the same fix applies... smack your Untangle so that the public name resolves to the private IP address.

Still amazed every time I see this, mainly the CCTV people.

[dashpuppy]

Still amazed every time I see this, mainly the CCTV people.

I always get the phone calls at work hey we installed a new security system can you please open port 8000 443 and 80 for the NVR. My reply is NOPE! I can't.. You can use the application and scan the qr code, but i need to put the camera NVR on a different subnet and isolate it first.

[sky-knight]

I always get the phone calls at work hey we installed a new security system can you please open port 8000 443 and 80 for the NVR. My reply is NOPE! I can't.. You can use the application and scan the qr code, but i need to put the camera NVR on a different subnet and isolate it first.

My favorite part is how they say... hey... open 8000, 443, and 80 for the NVR please.

Direction? nope...
Protocol? No idea...

That's literally 100% of the documentation, open these ports 8000, 443, and 80.

Then people land on forums like this one, and we see screen shots of port forward rules with TCP and UDP checked. And zero of them were started by people that even considered that EGRESS those ports were open by default. So what are we opening again? Why? And then yes, the omnipresent isolation of said system because the vendor hasn't even heard of software updates, much less security patches and a means to readily deliver them.

[Kyawa]

I always get the phone calls at work hey we installed a new security system can you please open port 8000 443 and 80 for the NVR. My reply is NOPE! I can't.. You can use the application and scan the qr code, but i need to put the camera NVR on a different subnet and isolate it first.

I specifically went with Untangle to address cameras. I have UT personally and at 4 of my clients.

[TirsoJRP]

CCTV company: Hi, we need to setup a dynamic dns service and open ports #### xxxxx's, could you please give us access?
Me: Bro they already have VPN...
CCTV: Ok

Same guys different office: OMG you have a public PBX/CCTV/Everything !!!
Me: No, I have an internal DNS configured...

[carboncow]

Dashpuppy...yes I am using port forwarding and although googling "hairpinning" hasn't offered me much of a solution in understanding why my forwarding is "malformed" from any other way I've done this in the past. Maybe someone can shed some light on how determine the malformation I have created?

What was helpful is the digression you guys had into using other ways to connect to the server which I can do with Synologies direct connect but I would like to understand better why the port forwarding is not working. Sky-Knight has proven to be cryptic at times in all his wisdom so I'm not sure what my "port forward isn't sane". Are we claiming I've created some loop?

[sky-knight]

Carboncow you understood perfectly! You don't give yourself enough credit.

NAT Hairpinning is a technical term to refer to a NAT translation process where an internal device hits the external IP of a router, which is then translated back inside. Think hairpin turn on mountain road! It's a situation you do all the time without thinking about it, but there are some applications where this process becomes a huge performance issue.

Untangle makes removing a NAT Hairpin easy, because you have it's DNS. You can resolve a public name, with a private address and internal devices will just go straight to the device in question. No NAT needed, and it resolves so many issues.

Untangle's shield feature will eat your lunch if you're doing a file transfer via NAT Hairpin, because in many ways it's two sessions instead of one. Make a DNS record to get that traffic out of the port forward, it should clear your issue up.

Why is this happening?

You have a file server on the network and you're sucking files off it at gigabit speeds. But, the connection you're making is being handled by the internal NIC of the router thanks to NAT Hairpin. Once that NIC is full, it can't do anything else.

So by downloading a file, you're actually DOS'ing your Untangle off the LAN!