SonicWall TZ105 NAT Rule

Discussion in 'Networking & Security' started by PiERiT, Mar 13, 2018.

  1. PiERiT

    PiERiT 2[H]4U

    Messages:
    2,298
    Joined:
    Oct 8, 2010
    I feel dumb for not being able to figure this out. I swear all of these settings are correct and it's simply not working.

    X1 (WAN): External address
    X0 (LAN): 192.168.168.168/24, device that's plugged into it is configured as 192.168.168.50/24 with .168 as the gateway
    X3 (LAN): Port shielded to X0, device that's plugged into it is configured as 192.168.168.167/24 with .168 as the gateway

    With the above, I can browse from the X0 device (a laptop) to the web interface of the X3 device (a media decoder) by going to http://192.168.168.167. The end goal is to make that web interface, and also a couple TCP and UDP ports, accessible over the internet, but only from a certain outside IP. So to start small and test just HTTP I have a NAT rule:

    Original Source: External address at another location (also tried Any)
    Translated Source: Original
    Original Destination: WAN Primary IP (X1)
    Translated Destination: 192.168.168.167
    Original Service: HTTP (will eventually be more but I can't even get HTTP to work)
    Translated Service: Original
    Inbound Interface: X1 (also tried Any)
    Outbound Interface: Any (can't select anything else for a DNAT)

    Then I have a firewall rule:

    From Zone: WAN
    To Zone: LAN
    Service: HTTP (as above, will eventually be more)
    Source: External address at another location (also tried Any)
    Destination: WAN Primary IP (X1)
    Users Allowed: All
    Schedule: Always on
    Enable Logging: checked
    Allow Fragmented Packets: checked

    With these rules in place, I cannot hit the web interface of the device from the "external address at another location". I can hover over the statistics icon for both rules and both are being triggered but only TX packets are shown, no RX packets. So it's as if the traffic is making it in but not back out. I started up a packet capture and nothing is being blocked or dropped. I altered both rules to make them wide open and no change. If I take the TZ105 out of the mix and program the X3 device (media decoder) with the external IP address and allow it to go straight out, it works. So I must be missing some setting or have something misconfigured above.

    Any help would be appreciated. I've made NAT rules for so many floppin' things on Ciscos and SonicWalls and Sophos and never had an issue, so I'm leaning towards the decoder being at fault, but I can't see how that would be the case when it works with the TZ105 removed from the chain.
     
    Last edited: Mar 16, 2018
  2. boss6021

    boss6021 Limp Gawd

    Messages:
    322
    Joined:
    Oct 11, 2006
    You need a reflexive rule on the NAT policies page. I would recommend using the built in wizard to create this since it will create all 3 rules needed (the third rule is for hairpin NAT). This will give you what you are looking for. You could then review the rules that are created to see what you need in the future.
     
    bman212121 and Spartacus like this.
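To make the wizard's three policies concrete for the addresses in this thread, here is an added example (not from the thread, SonicWall or the wizard) that models the inbound DNAT, the hairpin/loopback policy and the reflexive outbound SNAT as an ordered policy table, plus the WAN-to-LAN access rule pinned to the one remote address. The two public addresses are constructed TEST-NET stand-ins for the X1 primary IP and the "external address at another location"; the policy model is a simplification of how SonicOS matches, not its real implementation.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional
# Addresses from the thread; the public ones are constructed TEST-NET stand-ins.
WAN_IP = "203.0.113.10"       # X1 primary IP (constructed)
LAN_IP = "192.168.168.168"    # X0 interface address
SERVER = "192.168.168.167"    # media decoder behind X3
REMOTE = "198.51.100.25"      # "external address at another location" (constructed)
LAN_NET = "192.168.168.0/24"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class NatPolicy:
    name: str
    orig_src: str              # "any", a host address, or a CIDR network
    orig_dst: str
    service: Optional[int]     # TCP port, None = any
    trans_src: Optional[str]   # None keeps the original address
    trans_dst: Optional[str]

def _match(selector, value):
    if selector == "any":
        return True
    if "/" in selector:
        return ip_address(value) in ip_network(selector)
    return value == selector

def apply_nat(pkt, policies):
    # The NAT policy table is ordered: the first matching policy wins.
    for p in policies:
        if (_match(p.orig_src, pkt.src) and _match(p.orig_dst, pkt.dst)
                and p.service in (None, pkt.dport)):
            return p.name, replace(pkt, src=p.trans_src or pkt.src, dst=p.trans_dst or pkt.dst)
    return None, pkt

# The three policies the wizard creates: inbound DNAT, hairpin (loopback), reflexive SNAT.
POLICIES = [
    NatPolicy("inbound", REMOTE, WAN_IP, 80, None, SERVER),
    NatPolicy("loopback", LAN_NET, WAN_IP, 80, LAN_IP, SERVER),
    NatPolicy("reflexive", SERVER, "any", None, WAN_IP, None),
]

def inbound_allowed(pkt):
    # Access rule WAN->LAN, HTTP, source pinned to REMOTE, destination = X1 IP (pre-NAT).
    return pkt.src == REMOTE and pkt.dst == WAN_IP and pkt.dport == 80
```

Running `apply_nat` on a request from the remote site, the decoder's reply, and a LAN host browsing to the public IP shows which of the three policies each packet hits; `inbound_allowed` shows why leaving Source as "Any" would expose the decoder to every address on the internet rather than the one site.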
  3. Spartacus

    Spartacus [H]ard|Gawd

    Messages:
    1,866
    Joined:
    Apr 29, 2005
    What boss said, or you could also do a VPN.

    Nothing wrong with it, but kind of odd to see your gateway as .168 in the subnet.

    ETA: Wait a second..... are you trying to access a device on your 192.168.168.0 subnet directly over the internet?
    If so, you can't do that. You have to NAT to a second public IP, or port forward using first public IP, or VPN.

    You can't route private IP addresses over the internet.

     
    Last edited: Mar 14, 2018
  4. PiERiT

    PiERiT 2[H]4U

    Messages:
    2,298
    Joined:
    Oct 8, 2010
    I will try that. I've seen that reflexive checkbox but have never had to do it for any other NAT rule. Will also try the wizard if that doesn't work -- I didn't even know there was a wizard.

    One other thing that came to mind last night: I didn't set up the firewall initially and for all I know none of the LAN devices can route outbound. I assumed they could seeing as how the laptop could reach the internet, but then it was on a separate WiFi network as well and may have been going out that way.

    I'm NATing the first and only external address to what will eventually be the only internal address. I'm only doing a couple ports.
     
    Last edited: Mar 16, 2018
  5. Spartacus

    Spartacus [H]ard|Gawd

    Messages:
    1,866
    Joined:
    Apr 29, 2005
    I'm not sure you can NAT the IP assigned to the WAN port to another device.

    Try setting up rules to allow those ports from WAN to LAN and then forward them.
    You should be able to do what you want without any extra NATing.

    ETA: If you are sending all port 80 to the one internal IP, then other internal devices
    may not be able to surf (no http).

     
    Last edited: Mar 14, 2018
  6. PiERiT

    PiERiT 2[H]4U

    Messages:
    2,298
    Joined:
    Oct 8, 2010
    Finally had time to look at this again today, turns out I just had to reboot the TZ105. :|

    Vengance_01 likes this.