Author Topic: [SOLVED] DFL-860, Unable to SAT ports, mismatching_tcp_window_scale error  (Read 12181 times)

fperez


Hi,

I have the following scenario:

- ADSL ROUTER with public address 10.10.10.10 and with local address 192.168.0.1
- DFL-860 with WAN1 connected to router and LAN connected with addresses:
              · wan1_ip : 192.168.0.2
              · wan1_gw: 192.168.0.1
              · lan_ip: 192.168.1.1
- In the address book I also have:
              · server: 192.168.1.2

"Server" (192.168.1.2) is running an RDP server (a.k.a. Terminal Server) and I want to access it from the Internet, so I created these rules:

· Rule "TerminalServer" => SAT Rule, FROM Iface=wan1 and net="all-nets" TO Iface=core and NET=wan1_ip, in the SAT tab I defined as "destination IP" and chose "Server" as destination.
· Rule "TerminalServer2" => Allow Rule with the same info as above.

I also have Web Content Filter (WCF) configured and working properly.

In theory, I could have access to the RDP Server (the server is working well, I can access it from a local computer), but I can't access it. Having a look at the log, I find this:

RULE  PROTO SRC.IF DST.IF SRC.IP             DST.IP           SRC.P   DST.P  EVENT/ACTION
============================================================================
Ts2    TCP      wan1    lan     87.217.124.11   192.168.0.2    60004   3389    conn_open
X      TCP      wan1    lan     87.217.124.11   192.168.1.2    60004   3389    mismatching_tcp_window_scale / adjust
TS2    TCP      wan1   lan       87.217.124.11  192.168.0.2    60004   3389   conn_close / close

I don't know if the "mismatching" error is changing something in the packets and the connection is not working well.

I also have another rule that permits "allservices" FROM the LAN1,LANNET to the WAN1,ALLNETS.

Please, help.
Regards.
« Last Edit: March 11, 2011, 04:30:18 AM by fperez »

fperez


Hi,

I solved the issue by changing the ALLOW rules to NAT rules. That sounds weird to me, because I have another client, using a DFL-800, with the same configuration as in my original post and working properly. Can any expert shed some light to understand this?

Regards.

fperez


OK, the answer for everything is: 42
No, seriously, the answer for every problem today is: DON'T FORGET TO CONFIGURE THE GATEWAY ADDRESS OF THE COMPUTERS. That was the problem.

Let's explain:

Until yesterday, the router address was 192.168.1.254. As the firewall was configured from here, the IT guy at the client I'm talking about changed the IP of the router to 192.168.0.1 and put it behind the firewall. Now the gateway address is 192.168.1.1 (firewall lan ip), and it was changed in the DHCP server, so the clients were able to connect to the Internet, BUT they didn't change it on the server.
So, the server received the connections, but tried to respond using the old gateway. Changing the rules from ALLOW to NAT solved the issue, because of the translation.

So, what have we learnt today?
1.- Check everything, including the stupidest things
2.- Never let a monkey do a man's job (:D)

I hope this helps someone, anyway.

Regards!!
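Added example, not part of the original posts: a small Python model of the return-path problem described in the last post, showing why SAT + Allow failed with the stale gateway while SAT + NAT worked. The addresses come from the thread; the /24 mask and the assumption that the NAT rule rewrites the source to the firewall's lan_ip are not stated on the page.

```python
import ipaddress

# Addresses from the thread. The /24 mask is an assumption (the post does not state it).
SERVER_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")   # correct gateway
STALE_GATEWAY = ipaddress.ip_address("192.168.1.254")   # old router address left on the server
CLIENT_IP = ipaddress.ip_address("87.217.124.11")       # Internet client seen in the log


def source_seen_by_server(client_ip, rule_action):
    """Source address of the forwarded packet as the server receives it."""
    if rule_action == "Allow":   # SAT + Allow: only the destination is translated
        return client_ip
    if rule_action == "NAT":     # SAT + NAT: source rewritten to firewall lan_ip (assumed)
        return FIREWALL_LAN_IP
    raise ValueError(f"unknown rule action: {rule_action}")


def reply_next_hop(reply_dst, default_gateway):
    """Next hop the server chooses: on-link delivery, else its default gateway."""
    return reply_dst if reply_dst in SERVER_NET else default_gateway


def reply_reaches_firewall(rule_action, server_gateway):
    """True if the server's reply is handed back to the firewall that holds the state."""
    reply_dst = source_seen_by_server(CLIENT_IP, rule_action)
    return reply_next_hop(reply_dst, server_gateway) == FIREWALL_LAN_IP


def diagnose():
    """Evaluate every rule action against both gateway settings."""
    return {
        (action, str(gw)): reply_reaches_firewall(action, gw)
        for gw in (STALE_GATEWAY, FIREWALL_LAN_IP)
        for action in ("Allow", "NAT")
    }


if __name__ == "__main__":
    for (action, gw), ok in diagnose().items():
        state = "reply returns via firewall" if ok else "reply sent to dead gateway"
        print(f"SAT+{action:<5} server gw={gw:<14} {state}")
```

With NAT in place the server only ever sees the firewall's address as the RDP client, so its logon logs lose the real source IP; correcting the server's gateway and keeping the Allow rule preserves it.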