Help redirecting port/service to LAN server
I've spent several hours reading documentation and trying different things, but I'm not able to allow connections from the WAN to specific IPs inside the LAN.
This is the first time I've configured a firewall like this, but I have basic knowledge of concepts like port/service redirection or translation, etc. From what I see, it shouldn't be that hard, and I think it should work with what I've done so far, but... it doesn't work.
The firewall I'm trying to configure is a TZ 300, with SonicROM 5.6 and SafeMode 6.2.
What I want to achieve is:
Using the public IP address of our office, allow external connections to a SQL Server we host here. The idea is to allow only connections from our physical shops (they use a custom app to connect to our office to handle sales, invoices, etc.).
Currently we are using a VPN connection, but apparently it's having some issues and my boss wants to change it and use the firewall.
What I've done so far:
1) Redirected port 1433 on the ISP router (also 21 for some other tests) and pointed it to the public SonicWall IP (X1)
2) I have created 3 address objects:
- The LAN private IP for the server.
- The LAN public IP for the server.
- My cellphone 4G IP for testing (currently trying with Android SQL Client)
3) Also, I created a NAT Policy.
Original Destination: Public (192.168.1.31)
Translated Destination: Private (192.168.0.102)
4) And finally I added the Firewall rule.
Destination: Public (192.168.1.31)
When trying to connect, the Android app reports ECONNREFUSED.
I also tested an FTP connection:
To avoid playing dangerous games with a working firewall and a database with live traffic, I tried something similar with the FTP service, redirecting the traffic to my computer. I tried both from my cellphone, and also with another "address object" with our public IP, connecting using FileZilla on my computer.
In any case, I noticed that the NAT policy's usage count goes up by 5 every time I try to connect (with ECONNREFUSED too), but the firewall rule's usage count stays at "0".
I also disabled the Firewall rule that said "WAN to LAN, Deny Any".
I'm completely lost here.
What am I missing?
While checking things, I saw that "X1 IP" is defined as 192.168.1.30.
Using the Android Fing app to search for devices, it reports 192.168.1.30+2 as a SonicWall router (NSA 3500).
In our office we use 192.168.0.3 as the Internet gateway (configured as the "X0 IP" in the SonicWall panel).
Also, the SQL Server is listening on port 1433. I've also opened port 21 on my computer's Windows firewall.
If you need any other information please let me know.
Thanks in advance for any reply.
Did you create reverse NAT?
I don't know exactly what a reverse NAT is.
I checked the NAT policies, and I see there's a rule for the SQL Server:
Other than that, I don't see any rule that catches my attention.
Is that the reverse NAT you mean, or is it something else?
The other rules I created are the ones I mentioned on the original question.
You have to create bidirectional NAT, plus loopback NAT for internal users accessing it from the public IP:
Server to WAN
WAN to Server
LAN to Server Public IP
Please refer to the Knowledgebase article below, as it might help you configure this.
How can I enable port forwarding and allow access to a server through the SonicWall? | SonicWall
If you want to restrict the source to particular IP addresses, create address objects for those IP addresses in the WAN zone, put them in an address group, and use that group as the source in the NAT policy and the access rules.
Hope this helps!!!
Follow the steps below in your NAT policy. Sometimes your local server will reject the NAT rule and accept connections only from the LAN (some legacy servers). So if your LAN is X0, where the server resides, configure the NAT policy as below:
@AJISHLAL Thanks for the reply.
I will report back when I try it, because currently they decided to postpone this change.
We managed to fix the VPN connection (we had configured a range of only 10 IPs, and we needed more), so this is not a priority right now.
Anyway, they told me that they would like to stop using NetExtender and just use firewall rules in the future, so when the time comes, I will try what you suggested here.
I saw that "X1 IP" is defined as 192.168.1.30
It looks like your ISP router is also doing NAT instead of X1 having a non-RFC1918 address; you will also have to create the appropriate NAT rules on the ISP router.
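An added diagnostic for the symptom in the question (ECONNREFUSED on the client while the NAT policy counter climbs and the access rule stays at 0) and for the double-NAT point made just above. This is example code written for this thread, not something from SonicWall or from the posters. A refused connection means some device answered the SYN with a RST, so the packet did reach a host; a firewall drop shows up as a timeout instead, and the two point at different places in the path. The script classifies each hop along the path from the LAN outward using the addresses given in the thread; the ISP's public address is not in the thread, so 203.0.113.10 is a placeholder from the documentation range. The function names, the hop list and the local-listener helpers are all assumptions of this example.

```python
import errno
import socket
from contextlib import closing

# Added diagnostic for this thread, not SonicWall code. It tells a RST-answered
# "refused" apart from a silently dropped "filtered" SYN and walks the
# addresses mentioned in the thread hop by hop.


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port and classify the outcome.

    "open"      SYN/ACK came back: something is listening behind that address.
    "refused"   RST came back (ECONNREFUSED): a host or NAT hop answered, but
                nothing accepted the connection on that address:port.
    "filtered"  nothing came back before the timeout: the SYN was dropped
                (deny rule, no matching NAT policy, or no return route).
    "error:X"   any other socket error, e.g. ENETUNREACH or EHOSTUNREACH.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:          # TimeoutError on 3.10+, same class
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            return "error:" + errno.errorcode.get(e.errno, str(e.errno))


def trace_hops(hops, timeout=3.0):
    """Probe each (label, host, port) in order; returns [(label, verdict), ...]."""
    return [(label, probe_tcp(host, port, timeout)) for label, host, port in hops]


def first_failure(results):
    """Return the first (label, verdict) that is not 'open', or None.

    Probed from a workstation inside the LAN, the hops run from the server
    outward, so the first non-open hop is the first place in the path to look.
    """
    for label, verdict in results:
        if verdict != "open":
            return label, verdict
    return None


# Constructed hop list using the addresses from the thread. The ISP's public
# address is not given there; 203.0.113.10 is a documentation-range placeholder.
OFFICE_HOPS = [
    ("SQL Server LAN IP (X0 side)",        "192.168.0.102", 1433),
    ("SonicWall X1-side 'public' object",  "192.168.1.31",  1433),
    ("ISP router public IP (placeholder)", "203.0.113.10",  1433),
]


def start_local_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port; returns (socket, port).

    Lets the classifier be exercised offline; the caller closes the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port(host="127.0.0.1"):
    """Pick an ephemeral port on which nothing is listening (yields 'refused')."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline self-demo: one open port, one closed port on loopback.
    srv, port = start_local_listener()
    demo = [("local listener", "127.0.0.1", port),
            ("local closed port", "127.0.0.1", closed_local_port())]
    for label, verdict in trace_hops(demo, timeout=1.0):
        print(f"{label:22s} {verdict}")
    srv.close()
    # On a workstation in the office LAN, run trace_hops(OFFICE_HOPS) instead
    # and look at first_failure() on the result.
```

Run it from a PC on the 192.168.0.x side and from the 4G phone separately: "refused" at the X1 object while the server's own address is "open" means the SYN got through to something on the 192.168.1.x side that sent a RST, whereas "filtered" at any hop means a device along the way dropped it.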