
Cannot Access Internal Web Server From Internet

GuacIsExtra Newbie ✭
edited August 2020 in Entry Level Firewalls

Disclaimer: I am not a networking guy and can definitely be classified as a Newbie. With that said, I'm hoping I've missed something obvious and the community's collective brain power is able to assist!

System Info:

Running an olllld NSA E5500 on 5.9.1.5-16o

Issue:

Cannot access Internal Web Server with Public IP from the Internet.

Seeing dropped packets in the captures. Drop Code 34 (Bounce traffic detected, Module Id: 25 (network)).

What I've done so far:

Following the guidance of numerous KB articles I've set up NAT Policies, Firewall Rules, Address Objects, etc.

I am able to access the Web Server via the Public IP from internally (my LAN), but not over the Internet.

The Web Server resides on a VLAN hanging off of a Virtual Interface.

When I update a NAT Policy or change a setting on the WAN or LAN Zones I can temporarily (approx. 30 secs) access the Web Server over the Internet.

Any thoughts? Suggestions? Other than buy a newer Sonicwall =)

Thanks,


Answers

  • @GuacIsExtra,

    Welcome to the SonicWall community.

    Have you configured the port forwarding for one of the usable IP addresses from WAN interface and not the interface IP itself?

    I have seen certain situations where the upstream device does not send us the packets on the usable IP due to lost ARP entry for the usable address.

    Could you please change the following setting on diag page and then test it out?

    To visit the diag page, navigate to https://<mgmt_ip>/diag.html

    Click on Internal settings and enable the option:

    "Periodically broadcast system ARPs every 10 minutes" under ARP Settings. This would proactively send the system ARPs to the upstream device at that time interval.

    Let me know how it goes.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services


  • As you suggested I enabled the "Periodic broadcast system ARPs every 10 minutes", but unfortunately the issue persists.

    However now every 10 minutes packets get through for approx. 10 seconds before dropping.


    Here is a bit more info about my setup:

    My WAN interface is on X1 using a Public IP. I have an Internal Web Server residing on a VLAN Subnet hanging off of a sub-interface (X6:V105)

    I have a second Public IP (let's call it "Public IP 2") that I want to use to NAT to the Private IP.

    Address Objects:

    Public IP 2 -> Host -> WAN

    Private IP -> Host -> LAN

    Private Subnet -> Network -> LAN


    NAT Policies:

    Source Original -> Source Translated -> Dest. Original -> Dest. Translated -> Service Original -> Service Translated -> Interface In -> Interface Out

    Private IP -> Public IP 2 -> Any -> Original -> Any -> Original -> Any -> Any

    Any -> Original -> Public IP 2 -> Private IP -> Any -> Original -> Any -> Any


    Firewall Rules:

    WAN -> LAN -> Any -> Public IP 2 -> Any -> Allow

    LAN -> WAN -> Any -> Any -> Any -> Allow
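As an added example (not code from the thread or from SonicWall), the address objects, NAT policies and access rules listed above modelled as data, with a check that a published host has its inbound destination NAT, the reflexive outbound source NAT, a permitting WAN-to-LAN rule and objects in the expected zones. The IP addresses are constructed placeholders, the service and interface columns (all "Any"/"Original" in the post) are omitted, and the check is only a consistency audit of the listed configuration, not a reproduction of how SonicOS evaluates traffic; on the configuration as posted it reports no findings, which matches the advisor's assessment that the firewall side looked correct.

```python
from typing import NamedTuple

# Constructed sample addresses standing in for the poster's "Public IP 2" and "Private IP".
ADDRESS_OBJECTS = {
    "Public IP 2": {"ip": "203.0.113.10", "zone": "WAN"},
    "Private IP": {"ip": "192.168.105.20", "zone": "LAN"},
}

class NatPolicy(NamedTuple):
    src_orig: str
    src_trans: str
    dst_orig: str
    dst_trans: str

# The two NAT policies as listed in the thread (service/interface columns omitted).
NAT_POLICIES = [
    NatPolicy("Private IP", "Public IP 2", "Any", "Original"),  # outbound source NAT
    NatPolicy("Any", "Original", "Public IP 2", "Private IP"),  # inbound destination NAT
]

# (from zone, to zone, source, destination, action) as listed in the thread.
ACCESS_RULES = [
    ("WAN", "LAN", "Any", "Public IP 2", "Allow"),
    ("LAN", "WAN", "Any", "Any", "Allow"),
]

def inbound_translation(public_name):
    """Return the private object an inbound packet to public_name is translated to, or None."""
    for p in NAT_POLICIES:
        if p.dst_orig == public_name and p.dst_trans != "Original":
            return p.dst_trans
    return None

def check_public_host(public_name):
    """Audit one published host; returns a list of findings (empty means consistent)."""
    findings = []
    private_name = inbound_translation(public_name)
    if private_name is None:
        return [f"no inbound NAT policy for {public_name}"]
    # Reflexive policy: replies and outbound traffic from the server must leave as Public IP 2.
    if not any(p.src_orig == private_name and p.src_trans == public_name for p in NAT_POLICIES):
        findings.append(f"no reflexive outbound NAT from {private_name} to {public_name}")
    # The WAN->LAN rule in the post names the public (pre-NAT) address as destination.
    if not any(r[:2] == ("WAN", "LAN") and r[3] in ("Any", public_name) and r[4] == "Allow"
               for r in ACCESS_RULES):
        findings.append(f"no WAN->LAN access rule allowing {public_name}")
    if ADDRESS_OBJECTS[public_name]["zone"] != "WAN" or ADDRESS_OBJECTS[private_name]["zone"] != "LAN":
        findings.append("address object zones do not match WAN (public) / LAN (private)")
    return findings
```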

  • @GuacIsExtra,

    Your configuration on the firewall looks absolutely correct. On the SonicWall side, we are now proactively trying to broadcast our system ARPs to the upstream device.

    I would suggest reaching out to the ISP and having them configure a static ARP to bind the usable IP with the X1 interface MAC.

    That should take care of this issue; the problem is actually not due to the firewall itself.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Thank you, I’ll open a ticket with my ISP.

    I am curious though, if it is an ISP issue how is it that I’m able to get temporary access every time I make a change to the NAT policies or Zones on the Interfaces?

    I’ve also recently tried the Packet Monitor and can see the packets dropping from the Sonicwall. I’ve also tried to comb through the logs and have encountered messages involving my “Public IP 2” address and my “Private IP”. Alerts saying packets are being dropped due to “Land Attack” and “IP Spoofing”?

  • @GuacIsExtra,

    I wasn't aware that you are seeing packet drops due to land attack or IP spoof.

    Usually when you update the NAT policy or zones, it prompts the SonicWall to send out the system ARP that I asked you to enable earlier on the diag page. That is the reason this works temporarily.

    Perhaps there is more to this. I would suggest reaching out to our Support team so that we can check in real-time what could be the problem.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
