
Unable to connect to subdomain webserver with TZ300

Hello everyone,

Recently I bought myself a used TZ300 series firewall at a steal of a deal for my homelab. However, ever since installing this new firewall unit in my network, I have two issues, and after setting up port forwarding for my web-server VM I am unable to reach a subdomain on that server.

  1. On the previous setup, with an ASUS RT-AC1200G+, port forwarding worked flawlessly and I was able to reach the main website at www.mydomain.cz and the subdomain service site at www.service.mydomain.cz; with the TZ300 I am able to reach only the main domain website, even though both sites lie on the same server. Any ideas on what the issue might be? Internal server IP: 192.168.1.100; port-forwarded ports: 80, 443.
  2. The TZ300's DHCP server is working even on the WAN port, which is something I really do not want. Is there an easy way to restrict the DHCP service to the LAN ports only? I could also just use the DHCP service on my 1200G+, or install a DHCP server on one of the Windows Server VMs, but the thermal pump web interface kind of doesn't work with that one, so I'm just curious whether this is something that can be resolved easily.

And I also have a third question (not an issue, just curious): what is the port labeled "Console" used for?

Thank you in advance for any kind of advice.

Category: Entry Level Firewalls
Answers

  • MitatOnge Cybersecurity Overlord ✭✭✭

    Hi @HaRD

    1) If you can access the main domain and the subdomain uses the same ports, there is no problem on the SonicWall. Check the IIS logs.

    2) There is no DHCP server service on the WAN interface. You missed something. WAN interfaces have DHCP client services.

    For the SonicOS6 Contemporary GUI: /Manage/Network/DHCP Server, and disable or delete the other DHCP-applied interfaces.

    For the SonicOS6 Classic GUI: /Network/DHCP Server

    3) I didn't understand this question. Where is the console label? Can you show the menu details with a screenshot?

  • HaRD Newbie ✭
    edited January 23

    Hi @MitatOnge!

    1. I am running my website services on Rocky Linux 8.5 using Nginx, so I am unable to check IIS. Both server blocks, for the primary domain and the subdomain, are configured correctly and both have a valid Let's Encrypt certificate; and yes, both sites are using the same ports. If this configuration works literally everywhere else, then I am not sure for what reason the TZ300 is refusing to allow connections to the subdomain services. Maybe creating a separate webserver and using the internal DNS server on my homelab ADDC would solve this issue?
    2. I agree that there should NOT be a DHCP server service on the X1 / WAN interface. However, if that is the case, how do you explain that my TZ300's DHCP server leases (exactly the screenshots you've provided) contain devices which are NOT part of my LAN network? I can see a bunch of devices: Mikrotik RouterBoards (I do not have a single Mikrotik device in my own LAN network) and WiFi APs; some of them even named by my ISP to identify end clients (literally my neighbours!). And yes, I connected the cable from the ISP into the X1 port and the TZ300 was reset to factory settings. I am really curious what I might have missed here. And no, it is not an accidental connection to my WiFi; that one is secured via a strong password and also via a RADIUS server.
    3. It is literally a physical port on the TZ300 labeled "Console". But since my original question I've done some digging and found out that it is used with an RS-232 <-> RJ-45 cable for firewall configuration via a console.
  • MitatOnge Cybersecurity Overlord ✭✭✭

    Hi @HaRD

    If you want to test the subdomain locally:

    Create a hosts file entry on the PC and assign the subdomain name and IP.

    Linux:


    Windows:


    Did you check the DHCP server details in the machine's interface details? If you use Windows, it shows under Network and Sharing Center / interface details: DHCP server IP addresses.

    Check the DHCP Server page; under that page it shows the leased IP addresses, MAC addresses, and vendor details. Are there any devices behind the WAN X1 interface?

    Install Wireshark on a PC, plug it into the LAN network, filter DHCP packets, listen to all packets and save the capture file. Then try the same process on the WAN network.
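    The hosts-file test suggested above can also be done without touching any client's hosts file: connect to the forwarded public IP directly and present the subdomain in the TLS SNI field and in the HTTP Host header, which is exactly what a hosts-file entry makes a browser do. The script below is an added example, not code from this thread or from SonicWall; the IP 198.51.100.10 and the `*.mydomain.example` names are placeholders to replace with the real forwarded address and site names. It reports the TCP, TLS and HTTP layers separately, so a port that is not forwarded at all, a certificate that does not cover the subdomain, and a server that answers but for the wrong site (a 404 or the main site's redirect) each look different.

    ```python
    """Added example: probe a name-based virtual host at a fixed IP by sending the
    subdomain in TLS SNI and the HTTP Host header (what a hosts-file entry makes
    a browser do). Not code from the thread or from SonicWall.
    """
    import socket
    import ssl
    from typing import Dict, Tuple


    def build_request(host: str, path: str = "/") -> bytes:
        """Minimal HTTP/1.1 HEAD request carrying the virtual-host name."""
        return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
                f"Connection: close\r\n\r\n").encode("ascii")


    def parse_status(response: bytes) -> Tuple[int, str]:
        """Return (status_code, reason) from the first line of an HTTP response."""
        first = response.split(b"\r\n", 1)[0].decode("latin-1")
        parts = first.split(" ", 2)
        if len(parts) < 2 or not parts[0].startswith("HTTP/"):
            raise ValueError(f"not an HTTP status line: {first!r}")
        reason = parts[2] if len(parts) == 3 else ""
        return int(parts[1]), reason


    def probe_vhost(ip: str, host: str, port: int = 443, use_tls: bool = True,
                    timeout: float = 5.0) -> Dict[str, object]:
        """Connect to ip:port and ask for `host`; report where the attempt fails.

        tcp=False means the port was not reachable; an error starting with 'tls:'
        means the handshake failed (e.g. the certificate does not cover `host`);
        otherwise `status` holds what the server answered for that Host header.
        """
        result: Dict[str, object] = {"ip": ip, "host": host, "port": port,
                                     "tcp": False, "tls": None, "status": None,
                                     "error": None}
        try:
            sock = socket.create_connection((ip, port), timeout=timeout)
        except OSError as exc:
            result["error"] = f"tcp: {exc}"
            return result
        result["tcp"] = True
        try:
            if use_tls:
                ctx = ssl.create_default_context()      # verifies the cert against `host`
                sock = ctx.wrap_socket(sock, server_hostname=host)  # SNI = host
                cert = sock.getpeercert()
                result["tls"] = {
                    "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                    "version": sock.version(),
                }
            sock.sendall(build_request(host))
            data = b""
            while b"\r\n\r\n" not in data:              # read until end of headers
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
            result["status"] = parse_status(data)
        except (OSError, ValueError) as exc:             # ssl.SSLError is an OSError
            layer = "tls" if use_tls and result["tls"] is None else "http"
            result["error"] = f"{layer}: {exc}"
        finally:
            sock.close()
        return result


    if __name__ == "__main__":
        # Placeholders: replace with the forwarded public IP and the real site names.
        public_ip = "198.51.100.10"
        for name in ("www.mydomain.example", "www.service.mydomain.example"):
            for port, tls in ((80, False), (443, True)):
                print(probe_vhost(public_ip, name, port=port, use_tls=tls))
    ```

    Run it from a machine outside the LAN (or from inside, against the public IP, if the firewall does NAT reflection) and compare the two host names: if the main site returns 200 and the subdomain returns the main site's answer or a 404 on the same IP and port, the request reached Nginx and the problem is in how the name is being matched; if the subdomain fails at the TLS layer while the main site does not, the certificate presented does not cover it.
    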

  • HaRD Newbie ✭

    Hi!

    1. Local testing is not an issue; locally everything works flawlessly thanks to the DNS records on the ADDC. The issue is when I need to access the subdomain from outside (WAN). Thus a test via editing the hosts file serves little purpose here. Public DNS A records are set up for my public IP address (yes, in my case I am hosting several services under the same IP address). With the current setup, all is OK. When I plug the TZ300 in front of my router (on which I then disable NAT and set it to work only in switch / AP mode) and set up port forwarding on the TZ300, only the primary address www.ghostbusters.cz is then available (yes, that is the website I am running; just a basic phpBB forum on the primary domain). Access to my cloud service at the address www.nextcloud.ghostbusters.cz then does not work. And YES, I did try that even with the hosts file edited. The Nextcloud site simply does not load and even the Nextcloud client can't connect. For some reason, the Nginx server block with the subdomain is inaccessible.
    2. I will play with it when I have more time to play with the network topology; it's possible that I have accidentally created a bridge somewhere. Can't rule that out. Will dig into it and report back with results.
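    To act on the Wireshark suggestion in the previous reply, the LAN-side and WAN-side captures need to be compared on one question: which DHCP server identifier (option 54) is handing out OFFER and ACK messages on each side. The script below is an added example, not code from this thread or from SonicWall; it parses raw DHCP payloads and groups the clients served by each answering server. The two captures embedded in it are constructed sample traffic, and the addresses 192.168.1.1 and 203.0.113.1 are placeholders. To use it on real captures, extract the UDP port 67/68 payloads from the pcap files with a pcap library and pass them in as byte strings.

    ```python
    """Added example: parse DHCP messages and report which DHCP server answered.

    Not from the thread. Feed it the UDP payloads (ports 67/68) extracted from a
    LAN-side and a WAN-side capture; the captures below are constructed samples.
    """
    import struct
    from dataclasses import dataclass
    from ipaddress import IPv4Address
    from typing import Dict, List, Optional, Set

    MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options
    MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


    @dataclass
    class DhcpMessage:
        xid: int
        msg_type: str
        client_mac: str
        yiaddr: str                # address offered/assigned to the client
        server_id: Optional[str]   # option 54: the server that sent the OFFER/ACK


    def parse_dhcp(payload: bytes) -> DhcpMessage:
        """Parse a BOOTP/DHCP UDP payload laid out as in RFC 2131."""
        if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
            raise ValueError("not a DHCP payload")
        hlen = payload[2]                                    # hardware address length
        xid = struct.unpack("!I", payload[4:8])[0]
        yiaddr = str(IPv4Address(payload[16:20]))
        client_mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
        options: Dict[int, bytes] = {}
        i = 240
        while i < len(payload):                              # TLV options, RFC 2132
            code = payload[i]
            if code == 0:                                    # pad byte
                i += 1
                continue
            if code == 255:                                  # end marker
                break
            length = payload[i + 1]
            options[code] = payload[i + 2:i + 2 + length]
            i += 2 + length
        msg_type = MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
        sid = options.get(54)
        server_id = str(IPv4Address(sid)) if sid and len(sid) == 4 else None
        return DhcpMessage(xid, msg_type, client_mac, yiaddr, server_id)


    def build_dhcp(msg_type: int, xid: int, mac: str, yiaddr: str = "0.0.0.0",
                   server_id: Optional[str] = None) -> bytes:
        """Build a minimal DHCP message; used here only to construct sample traffic."""
        op = 1 if msg_type in (1, 3) else 2                  # BOOTREQUEST / BOOTREPLY
        body = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op,htype,hlen,hops,xid,secs,flags
        body += b"\x00" * 4                                  # ciaddr
        body += IPv4Address(yiaddr).packed                   # yiaddr
        body += b"\x00" * 8                                  # siaddr, giaddr
        body += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")  # chaddr
        body += b"\x00" * 192                                # sname + file
        opts = bytes([53, 1, msg_type])                      # DHCP message type
        if server_id:
            opts += bytes([54, 4]) + IPv4Address(server_id).packed
        return body + MAGIC_COOKIE + opts + b"\xff"


    def dhcp_servers_seen(payloads: List[bytes]) -> Dict[str, Set[str]]:
        """Map every server that sent an OFFER or ACK to the client MACs it served."""
        seen: Dict[str, Set[str]] = {}
        for payload in payloads:
            try:
                msg = parse_dhcp(payload)
            except ValueError:
                continue                                     # not DHCP, skip it
            if msg.msg_type in ("OFFER", "ACK") and msg.server_id:
                seen.setdefault(msg.server_id, set()).add(msg.client_mac)
        return seen


    # Constructed sample captures (placeholder addresses, not real data from the thread).
    LAN_CAPTURE = [
        build_dhcp(1, 0x1001, "aa:bb:cc:00:00:01"),
        build_dhcp(2, 0x1001, "aa:bb:cc:00:00:01", "192.168.1.50", "192.168.1.1"),
        build_dhcp(3, 0x1001, "aa:bb:cc:00:00:01"),
        build_dhcp(5, 0x1001, "aa:bb:cc:00:00:01", "192.168.1.50", "192.168.1.1"),
    ]
    WAN_CAPTURE = [
        b"not dhcp at all",                                  # unrelated traffic is ignored
        build_dhcp(1, 0x2002, "de:ad:be:ef:00:02"),
        build_dhcp(2, 0x2002, "de:ad:be:ef:00:02", "100.64.0.77", "203.0.113.1"),
    ]


    if __name__ == "__main__":
        for side, capture in (("LAN", LAN_CAPTURE), ("WAN", WAN_CAPTURE)):
            for server, clients in dhcp_servers_seen(capture).items():
                print(f"{side}: server {server} served {sorted(clients)}")
    ```

    The useful comparison is the set of server identifiers per side: the firewall's own DHCP server address should appear only in the LAN capture, while anything answering on the WAN side belongs to the ISP. If the same server identifier shows up in both captures, the two segments are joined somewhere (the bridge the poster suspects), which is what the lease table full of foreign devices would then be reflecting.
    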

