topic Re: Incoming Web Traffic Not Forwarding in Spark Firewall (SMB)

Incoming Web Traffic Not Forwarding

Jon_AK — Sun, 01 Sep 2024 14:12:04 GMT

Good morning. With a Spark 1575 locally managed runningU version R81.10.10 (996002945). How can I get incoming web traffic to forward to a designated internal server? I have a server object set as a web server using the default ports of 80 & 443 & Nginx installed on the internal Ubuntu 24.04 server. Utiilizing this setup, no traffic gets forwarded & cannot see the incoming traffic while monitoring the security log. If I set a secondary port - 8081 - it will work each & every time & can see the incoming traffic but, that requires having end users adding the :8081 to the web address. I have went as far as adding manual firewall rules but to no avail. How to correct? Simple fix or have to contact TAC?

Re: Incoming Web Traffic Not Forwarding

AkosBakos — Sun, 01 Sep 2024 17:04:49 GMT

Hi @Jon_AK

What is the traffic flow?

Internet -> Public IP > NAT > internal IP of the ubuntu?

Ákos

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Sun, 01 Sep 2024 17:13:53 GMT

Hopefully I understand your question correctly, let me know if I missed the boat...

Your traffic flow depiction is correct.

At the moment, the public IP is dynamic & hasn't changed in over a year but, I checked it to ensure it matched what is recoreded in our registrar's DNS recored.

NAT is set Hide behind the gateway & the internal IP address of the server the traffic is to route to is correct.

Re: Incoming Web Traffic Not Forwarding

AkosBakos — Sun, 01 Sep 2024 17:24:01 GMT

Hi @Jon_AK

Two things came into my mind:

Maybe tcp443 and tcp80 is a restricted port for the SMB appliances from outside, therefore the connection won't work for them, and work only for tcp8081.
If we talk about reaching servers from outside, I use Static NAT setting.

Types of NAT Methods

Static:

The Security Gateway changes the source IP address of all connections from a source to the IP address your configure.

Notes:

When you configure Static NAT, the Security Gateway allows external traffic to access internal resources.
If you enable this configuration in an object that represents one IP address (a Host object), then this gives you a one-to-one address translation.

If you enable this configuration in an object that represents many IP addresses (a Network object, an Address Range object), then this gives you a many-to-one address translation.

The Security Gateway translates each internal IP address to a different external IP address.

Important - The range of the translated IP addresses is the same as the range of the source IP addresses.

Cheers,

Akos

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Sun, 01 Sep 2024 17:29:35 GMT

Interesting. I am still learning the functionality of the Spark 1575. I was wondering if all incoming port 80 traffic was ignored by default. I will certainly dive into this when I get back in a couple hours & will post back with my results. Thanks you for the detailed explanation.... Old guys like me need a bit of "help" now & again 😉

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Sun, 01 Sep 2024 23:07:56 GMT

Akos, I reviewed the article along with the settings for this 1575. Since this is a locallly manaaged device & does not have the corporate configuration interface, the configuration settings seem to be very limited with respect to the corporate interface. I tried the static NAT address along with several variations of this & still cannot get this to answer incoming web traffic that is not specificallly bound for port other than 80. 8081, 8086, 8080 all work first go around. I do not see any other place in this interface for configuring a static NAT as shown in this screen capture

Re: Incoming Web Traffic Not Forwarding

Chris_Atkinson — Sun, 01 Sep 2024 23:27:24 GMT

In the advanced options for remote access their will be a setting for reserving the port for NAT and or changing the port for remote access to avoid conflicts.

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Mon, 02 Sep 2024 00:12:54 GMT

I'm afraid you're going to have to help me out here. I'm failing to both find the setting you're indicating & why I would be changing a remote access setting to allow traffic to a web page.

Re: Incoming Web Traffic Not Forwarding

Chris_Atkinson — Mon, 02 Sep 2024 00:23:00 GMT

Device > Advanced > Advanced Settings (search for 443)

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Mon, 02 Sep 2024 00:44:11 GMT

I found that but didn't make sense to me so I didn't change it first time around. I changed it from its default value of 8443 to 80 but still no joy with website access. Should have also included, I disabled the setting also but still no access.

Re: Incoming Web Traffic Not Forwarding

Chris_Atkinson — Mon, 02 Sep 2024 00:48:01 GMT

If you want 443 to work from outside you'll need to tick the box to "reserve" it else the remote access service of the appliance itself will absorb those connections.

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Mon, 02 Sep 2024 00:50:48 GMT

Appreciate your continued input for this Chris. I am not trying to use HTTPS for the web page access, just plain jane HTTP.

Re: Incoming Web Traffic Not Forwarding

Chris_Atkinson — Mon, 02 Sep 2024 01:54:12 GMT

Noted. To confirm nothing seen in tcpdump?

Are you using wireless or bridge interfaces on this appliance...

What value is returned when you run the following from the CLI (via SSH):

fw ctl get int fwx_bridge_use_routing

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Mon, 02 Sep 2024 01:20:44 GMT

No wireless or bridge. The 1575 is the 1st demarc, no ISP provided modem to bridge. As for inputting the cli command, I have no idea how to access that.

Re: Incoming Web Traffic Not Forwarding

Chris_Atkinson — Mon, 02 Sep 2024 02:04:53 GMT

To confirm are you seeing the connection redirected in the browser?

For that command (possibly low likelihood / relevance), you'll need to connect via SSH or Serial Console into the appliance using a tool like PuTTy etc.

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Mon, 02 Sep 2024 02:11:22 GMT

No redirection, no action occurs. Response from the requested command is: fwx_bridge_use_routing = 2 Also, I modified the virtual server configuration file to reflect an ssl connection. I get no response out of that either. Thought that may help narrow down what may be the issue here.

Re: Incoming Web Traffic Not Forwarding

AkosBakos — Mon, 02 Sep 2024 07:35:35 GMT

Hi, it seems this is the static NAT setting

Re: Incoming Web Traffic Not Forwarding

garrod — Tue, 03 Sep 2024 01:59:25 GMT

Hi Jon,

Good to provide the tcpdump OR fw monitor, so that we can see if the traffic is being NATed correctly?

Re: Incoming Web Traffic Not Forwarding

Jon_AK — Mon, 02 Sep 2024 13:04:50 GMT

tcpdump file is attached. I set the IP to the static NAT in the server configuration.

Re: Incoming Web Traffic Not Forwarding

garrod — Tue, 03 Sep 2024 02:04:19 GMT

better to provide two tcpdump, one from internal, one from external