topic ISP advance DMZ getting rejected on 1570 in Spark Firewall (SMB)

ISP advance DMZ getting rejected on 1570

MrDazanaCom — Sat, 11 Jan 2025 15:03:33 GMT

Good morning Experts,

When I enable this feature, the WAN port on the 1590 receives the external IP of the modem but my internet stops working because the firewall sees it as an address spoofing.

Normal DMZ would assign me an internal address and that works fine. I want to move away from using the PPPoE client on the firewall all together.

Anyway I can disable this without disabling it globally ?

Thanks

Re: ISP advance DMZ getting rejected on 1590

the_rock — Sat, 11 Jan 2025 13:58:00 GMT

I cant sadly confirm this, as I dont have smb to test, but, if its centrally managed, you can do this via network settings on the object, like you would on regular fw. If its locally managed, I remember seeing before command from clish -> set antispoofing

You can tab once you type that and see what options it gives you.

Andy

Re: ISP advance DMZ getting rejected on 1590

Chris_Atkinson — Sat, 11 Jan 2025 14:09:17 GMT

Are you able to share some more details of the IP addresses used and the drop traffic log perhaps?

Also which version of software is used with the 1590?

Re: ISP advance DMZ getting rejected on 1590

MrDazanaCom — Sat, 11 Jan 2025 15:00:50 GMT

Sure thing. My bad, its a 1570 not a 1590

running R81.10.10 (996002993)

After the Advance DMZ is activated, the interface gets the modems ip address

Re: ISP advance DMZ getting rejected on 1590

MrDazanaCom — Sun, 12 Jan 2025 15:13:08 GMT

When I run the command set interface WAN antispoofing off i get Bad parameter starting at 'antispoofing off'

show configuration only shows the following for antispoofing

# Anti-spoofing
set antispoofing advanced-settings global-activation "true"

set vpn remote-access advanced-settings office-mode single-om-per-site "false" om-perform-antispoofing "false"

I don't see an interface where its enabled just enabled global

Re: ISP advance DMZ getting rejected on 1590

the_rock — Sun, 12 Jan 2025 15:39:01 GMT

I totally see what you are saying, thats unfortunate : - (. I just created tech point spark lab and seems that is indeed the case. Maybe someone else can confirm for sure if its possible...did you ever end up opening TAC case?

Andy

Re: ISP advance DMZ getting rejected on 1590

MrDazanaCom — Sun, 12 Jan 2025 16:35:49 GMT

No I never did open a TAC case

Re: ISP advance DMZ getting rejected on 1590

the_rock — Sun, 12 Jan 2025 16:38:23 GMT

I more asked just to see if you got their feedback, but I really dont believe its possible. Even in web UI, I went through all the settings for WAN interface, there is absolutely nothing for antispoofing.

Andy

Re: ISP advance DMZ getting rejected on 1590

MrDazanaCom — Sun, 12 Jan 2025 17:36:03 GMT

I disabled the Anti spoofing globally, I get an external wan address from the isp modem and it still doesn't work. No errors in the logs this time around only stuff like can't resolve host names. Very odd. Thanks for your input

Re: ISP advance DMZ getting rejected on 1590

the_rock — Sun, 12 Jan 2025 19:31:04 GMT

So when you say it stil does not work, I assume you mean Internet access does not work? If so, what are the errors now in the logs?

Andy