Incoming Web Traffic Not Forwarding
Good morning. On a locally managed Spark 1575 running version R81.10.10 (996002945), how can I get incoming web traffic to forward to a designated internal server? I have a server object set as a web server using the default ports of 80 & 443, & Nginx installed on the internal Ubuntu 24.04 server. Utilizing this setup, no traffic gets forwarded & I cannot see the incoming traffic while monitoring the security log. If I set a secondary port - 8081 - it will work each & every time & I can see the incoming traffic, but that requires having end users add the :8081 to the web address. I have gone as far as adding manual firewall rules but to no avail. How to correct? Simple fix or do I have to contact TAC?
Accepted Solutions
Wanted to pass along that the issue has been resolved. It was not any setting in the 1575 appliance but was due to my ISP blocking ports 80, 443 & 8080. I realized all too late that this has always been the practice of most ISPs when your account is strictly a dynamic IP & you do not pay them for a static IP. Thanks everyone for working to help.
Hi @Jon_AK
What is the traffic flow?
Internet -> Public IP > NAT > internal IP of the ubuntu?
Ákos
\m/_(>_<)_\m/
Hopefully I understand your question correctly, let me know if I missed the boat...
Your traffic flow depiction is correct.
At the moment, the public IP is dynamic & hasn't changed in over a year, but I checked it to ensure it matched what is recorded in our registrar's DNS record.
NAT is set to Hide behind the gateway & the internal IP address of the server the traffic is to route to is correct.
Hi @Jon_AK
Two things came into my mind:
- Maybe tcp443 and tcp80 are restricted ports for the SMB appliances from outside, therefore the connection won't work for them, and works only for tcp8081.
- If we talk about reaching servers from outside, I use the Static NAT setting.
Static:
The Security Gateway changes the source IP address of all connections from a source to the IP address you configure.
Notes:
When you configure Static NAT, the Security Gateway allows external traffic to access internal resources.
If you enable this configuration in an object that represents one IP address (a Host object), then this gives you a one-to-one address translation.
If you enable this configuration in an object that represents many IP addresses (a Network object, an Address Range object), then this gives you a many-to-one address translation.
The Security Gateway translates each internal IP address to a different external IP address.
Important - The range of the translated IP addresses is the same as the range of the source IP addresses.
Cheers,
Akos
\m/_(>_<)_\m/
Interesting. I am still learning the functionality of the Spark 1575. I was wondering if all incoming port 80 traffic was ignored by default. I will certainly dive into this when I get back in a couple of hours & will post back with my results. Thank you for the detailed explanation.... Old guys like me need a bit of "help" now & again 😉
Akos, I reviewed the article along with the settings for this 1575. Since this is a locally managed device & does not have the corporate configuration interface, the configuration settings seem to be very limited with respect to the corporate interface. I tried the static NAT address along with several variations of this & still cannot get this to answer incoming web traffic that is not specifically bound for a port other than 80. 8081, 8086, 8080 all work the first go-around. I do not see any other place in this interface for configuring a static NAT, as shown in this screen capture.
In the advanced options for remote access there will be a setting for reserving the port for NAT and/or changing the port for remote access to avoid conflicts.
I'm afraid you're going to have to help me out here. I'm failing to both find the setting you're indicating & why I would be changing a remote access setting to allow traffic to a web page.
Device > Advanced > Advanced Settings (search for 443)
I found that but it didn't make sense to me, so I didn't change it the first time around. I changed it from its default value of 8443 to 80 but still no joy with website access. Should have also included: I disabled the setting as well, but still no access.
If you want 443 to work from outside you'll need to tick the box to "reserve" it else the remote access service of the appliance itself will absorb those connections.
Appreciate your continued input for this Chris. I am not trying to use HTTPS for the web page access, just plain jane HTTP.
Noted. To confirm, nothing seen in tcpdump?
Are you using wireless or bridge interfaces on this appliance?
What value is returned when you run the following from the CLI (via SSH):
fw ctl get int fwx_bridge_use_routing
No wireless or bridge. The 1575 is the 1st demarc, no ISP-provided modem to bridge. As for inputting the CLI command, I have no idea how to access that.
To confirm, are you seeing the connection redirected in the browser?
For that command (possibly low likelihood / relevance), you'll need to connect via SSH or serial console into the appliance using a tool like PuTTY etc.
No redirection, no action occurs. Response from the requested command is:
fwx_bridge_use_routing = 2
Also, I modified the virtual server configuration file to reflect an SSL connection. I get no response out of that either. Thought that may help narrow down what may be the issue here.
Hi, it seems this is the static NAT setting.
\m/_(>_<)_\m/
Hi Jon,
It would be good to provide the tcpdump OR fw monitor output, so that we can see if the traffic is being NATed correctly.
The tcpdump file is attached. I set the IP to the static NAT in the server configuration.
Better to provide two tcpdumps, one from internal, one from external.
The dump I sent earlier is from the external side. For internal, do you want no filters?
Internal & external dumps attached.
Hi,
What is your
1. server internal IP
2. server external IP
3. client source IP
Regards
Server IP 192.168.1.13
External IP 147.160.173.125
Client source 192.168.1.100 (internal IP of the machine I was using when logging into the 1575)
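The two-capture comparison suggested earlier in the thread (one tcpdump on the external side, one on the internal side) is what separates the three possible failure points: the ISP never delivering the SYN, the gateway receiving it but not translating or forwarding it, or the gateway forwarding it and the server not answering. The script below is an added example written for this page, not code from the thread or from Check Point: it parses tcpdump's default text output for both captures, correlates inbound SYNs across them, and names which of the three cases applies per port. The captures embedded in it are constructed to mirror the thread's outcome (port 8081 arrives and is forwarded, port 80 never reaches the WAN side, which is what upstream ISP filtering looks like); the client address 203.0.113.10 and the interface names in the comment are assumptions, while 147.160.173.125 and 192.168.1.13 are the addresses given in the thread.

```python
import re
from typing import Dict, List, Tuple

# The captures would normally come from something like
#   tcpdump -nni <WAN interface> 'tcp port 80 or tcp port 8081'
#   tcpdump -nni <LAN interface> 'tcp port 80 or tcp port 8081'
# run on the appliance (interface names are an assumption). The text below is
# CONSTRUCTED sample output in tcpdump's default format, not a real capture.
EXTERNAL_CAPTURE = """\
09:15:01.000001 IP 203.0.113.10.51234 > 147.160.173.125.8081: Flags [S], seq 1, win 64240, length 0
09:15:01.000400 IP 147.160.173.125.8081 > 203.0.113.10.51234: Flags [S.], seq 1, ack 2, win 65160, length 0
09:15:02.000001 IP 203.0.113.10.51235 > 147.160.173.125.22: Flags [S], seq 1, win 64240, length 0
09:15:03.000001 IP 203.0.113.10.51234 > 147.160.173.125.8081: Flags [P.], seq 2:80, ack 2, win 64240, length 78
"""
# Note: no SYN to port 80 ever shows up on the WAN side.

INTERNAL_CAPTURE = """\
09:15:01.000200 IP 203.0.113.10.51234 > 192.168.1.13.8081: Flags [S], seq 1, win 64240, length 0
09:15:01.000300 IP 192.168.1.13.8081 > 203.0.113.10.51234: Flags [S.], seq 1, ack 2, win 65160, length 0
09:15:05.000001 IP 192.168.1.100.40000 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
09:15:06.000001 ARP, Request who-has 192.168.1.13 tell 192.168.1.1, length 28
"""

# tcpdump's default TCP summary line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

Conn = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def parse_flows(capture: str) -> Dict[str, List[Conn]]:
    """Pull pure SYNs ("S") and SYN-ACKs ("S.") out of tcpdump text output."""
    flows: Dict[str, List[Conn]] = {"syn": [], "synack": []}
    for line in capture.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue  # ARP, ICMP and anything else non-TCP is ignored
        conn = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["flags"] == "S":
            flows["syn"].append(conn)
        elif m["flags"] == "S.":
            flows["synack"].append(conn)
    return flows


def diagnose(external: str, internal: str, public_ip: str, server_ip: str, port: int) -> str:
    """Classify one forwarded port by correlating the external and internal captures.

    Returns one of:
      no_syn_on_wan      - nothing arrived on the WAN side: look upstream (ISP), not at the gateway
      not_forwarded      - SYN hit the WAN side but never appeared on the LAN side: NAT/policy on the gateway
      forwarded_no_reply - SYN reached the server's segment but the server sent no SYN-ACK: server/host firewall
      server_replied     - full handshake seen on the LAN side: forwarding works for this port
    """
    ext = parse_flows(external)
    lan = parse_flows(internal)
    wan_syns = [c for c in ext["syn"] if c[2] == public_ip and c[3] == port]
    if not wan_syns:
        return "no_syn_on_wan"
    # Correlate on the client's source port only: static NAT / port forwarding keeps it,
    # but the gateway may rewrite the source IP if it also hides the source.
    client_ports = {c[1] for c in wan_syns}
    lan_syns = [c for c in lan["syn"] if c[2] == server_ip and c[3] == port and c[1] in client_ports]
    if not lan_syns:
        return "not_forwarded"
    replied = any(c[0] == server_ip and c[1] == port and c[3] in client_ports for c in lan["synack"])
    return "server_replied" if replied else "forwarded_no_reply"


def diagnose_ports(external: str, internal: str, public_ip: str, server_ip: str, ports: List[int]) -> Dict[int, str]:
    """Run diagnose() for every port of interest and return port -> verdict."""
    return {p: diagnose(external, internal, public_ip, server_ip, p) for p in ports}


if __name__ == "__main__":
    verdicts = diagnose_ports(EXTERNAL_CAPTURE, INTERNAL_CAPTURE, "147.160.173.125", "192.168.1.13", [80, 443, 8081])
    for port, verdict in verdicts.items():
        print(f"tcp/{port}: {verdict}")
```

Read the verdicts from the outside in: a port that never produces a SYN on the WAN capture cannot be fixed by any NAT, rule or reserved-port setting on the appliance, which is exactly the thread's outcome for 80 and 443. Only a `not_forwarded` verdict justifies digging into the server object's NAT mode or the reserved remote-access port discussed above, and `forwarded_no_reply` points at the Ubuntu host (Nginx listener or host firewall) rather than at the gateway.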