Author Topic: DFL-210 + website routing  (Read 13790 times)

lira3122

  • Level 1 Member
  • *
  • Posts: 11
DFL-210 + website routing
« on: August 21, 2009, 10:48:48 AM »

I have a webserver inside our firewall which is working fine.  The outside world can see the pages just fine.  The problem now is the internal network cannot get to any of those pages.  When I look at the log for the dfl-210 I see

2009-08-21
12:40:29    Warning    RULE
6000051    IfaceIPCollision    TCP    wan
xx.xxx.xx.226  46514                     (NAT address)             
xx.xxx.xx.228  80                           (webserver IP address)
ruleset_drop_packet
drop
ipdatalen=32 tcphdrlen=32 syn=1

What rule do I have to put in to allow our internal network to see the websites?

Fast help on this would be greatly appreciated.

Thank you in advance.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 + website routing
« Reply #1 on: August 21, 2009, 02:39:45 PM »

Ensure that the LAN interface is included in the source interface for your IP rules.

That said, I have not seen IfaceIPCollision before for this issue, so I would look into that long and hard.
Logged
non progredi est regredi

dhcarter

  • Level 1 Member
  • *
  • Posts: 2
Re: DFL-210 + website routing
« Reply #2 on: September 08, 2009, 09:55:49 PM »

We have the same issue.  Hosted websites are visible from outside but not on the inside.  We can access the internet from the inside but not the webservers behind the wan port.


lan-to-wan - ip rule #1
Action=SAT
SourceInterface=any
SourceNetwork=workstation lan ip address
DestInterface=any
DestNetwork=all-nets
Service=http-all
SAT tab
  Translate Source IP=flagged
  New IP=workstation wan ip address

lan-to-wan - ip rule #2
Action=Allow
SourceInterface=any
SourceNetwork=workstation lan ip address
DestInterface=any
DestNetwork=all-nets
Service=http-all

wan-to-lan - ip rule #1
Action=SAT
SourceInterface=any
SourceNetwork=all-nets
DestInterface=any
DestNetwork=server wan ip address
Service=http-all
SAT tab
  Translate Destination IP=flagged
  New IP=server lan ip address

wan-to-lan - ip rule #2
Action=Allow
SourceInterface=any
SourceNetwork=all-nets
DestInterface=any
DestNetwork=server wan ip address
Service=http-all


We've looked at the documentation and tried many different combinations, but we still don't get it.  The websites are found using DNS host headers (xxx.yyyy.com) rather than static IP addresses.  The best we've been able to do is successfully get to the correct ip via DNS but the connection fails when it is opened.

Log message:
2009-09-09 00:45:41
Error
CONN 600001
Allow_LanUser_ip8 (lan-to-wan - ip rule #2 above)
TCP
lan "workstation lan ip address"  1599
wan "server wan ip address" 80
conn_open
satsrcrule=SAT_LanUser_ip8 (lan-to-wan - ip rule #1 above)
conn=open 

Once we get this working, we'll need to replicate the rules for another two servers and three workstations.

Many thanks in advance...


Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 + website routing
« Reply #3 on: September 09, 2009, 08:34:54 AM »

Those first 2 rules are unnecessary and flawed, remove them.

Then respond if you are still having issues.
Logged
non progredi est regredi

dhcarter

  • Level 1 Member
  • *
  • Posts: 2
Re: DFL-210 + website routing
« Reply #4 on: September 09, 2009, 12:00:33 PM »

Thanks for responding.  We removed the offending rules and still are unable to connect to our webservers from inside the lan.

Is there a FAQ on this topic - we found the one about rdp very helpful earlier.

If a FAQ is not available, do you have a recommendation on how to troubleshoot this issue?

Thanks again.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 + website routing
« Reply #5 on: September 09, 2009, 02:20:13 PM »

We don't have any specific documentation.  It would be best to have someone who knows this product down to the nuts and bolts take a look.


Have you tried a NAT instead of an Allow for your second rule at any point?
Logged
non progredi est regredi

webnem

  • Level 1 Member
  • *
  • Posts: 4
Re: DFL-210 + website routing
« Reply #6 on: April 14, 2010, 12:33:23 PM »

We have the same issue, helpdesk was unable to resolve our problem...

From outside our network we are able to access our internal servers, from within the network we are unable to establish connection receiving the error message "IfaceIPCollision" in the status log.

We have several lan-to-wan rules, however included in those rules are:

nat all services lan-> any interface
     all nets -> all nets destination

allow all services lan-> any interface
        lan -> all nets destination

Between those two I'm not sure why any requests from the lan would get shut down?
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: DFL-210 + website routing
« Reply #7 on: April 14, 2010, 12:53:14 PM »

What do you mean by "the same issue"?

As I see, you have only LAN -> WAN rules, and it's not fully correct.
1. Change NAT rule to lan/lannet wan/all-nets (don't use any in IP rules)
2. Remove Allow rule, it's useless
Logged
BR, Alexandr Danilov

webnem

  • Level 1 Member
  • *
  • Posts: 4
Re: DFL-210 + website routing
« Reply #8 on: April 14, 2010, 01:18:26 PM »

Same issue as OP. I can connect to my servers from outside of our network without a problem. If I try to connect to the same servers' external IP from within my network, the router kills the connection, showing that error message IfaceIPCollision.

I've tried a number of different rules just to see if I could get it to work. The allow services rule may not be doing anything but it wasn't causing this problem...

For the NAT rule, it doesn't make a difference if you have it set to wan or any for the interface. I removed the Allow rule and changed the NAT rule to:

 allow_standard  NAT  All_Lan  internal_lans  wan  all-nets  all_services

tia
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: DFL-210 + website routing
« Reply #9 on: April 14, 2010, 08:01:58 PM »

Make NAT loopback additionally for your SAT+Allow (destination NAT) rules

SAT lan/lannet core/wan_ip yourpublicservice (SAT: New destination = yourprivatehost)
NAT lan/lannet core/wan_ip yourpublicservice

Usually, I am making common rules for all (external and internal) interfaces like below

1. Interfaces > Interface groups
Add group wan_lan = all wan and lan interfaces (ex. wan + lan)

2. Objects > Services
Add service group (ex., allowed_server) with all allowed services for publication

3. Make rules
SAT wan_lan/all-nets core/wan_ip allowed_server (SAT: New destination = yourprivatehost, All-to-One Mapping: rewrite all destination IPs to a single IP)
Allow wan/all-nets core/wan_ip allowed_server
NAT lan/lannet core/wan_ip allowed_server

This way, you will need just 3 rules for any wan interface and public services count
Logged
BR, Alexandr Danilov

webnem

  • Level 1 Member
  • *
  • Posts: 4
Re: DFL-210 + website routing
« Reply #10 on: April 16, 2010, 10:57:41 AM »

We're still getting that same error message, the way I had the rule set up previously was for any/all instead of having a group/objects for lan/wan/etc...
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: DFL-210 + website routing
« Reply #11 on: April 16, 2010, 12:20:31 PM »

NAT+Allow for lan/lannet->core/wan_ip is not correct. Should be SAT+NAT for this direction.
Logged
BR, Alexandr Danilov
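
A simplified model of the three-rule set from Reply #9 and the correction in Reply #11, added here as an illustration (not code from any poster or from D-Link): it shows why the lan rule has to be NAT rather than Allow for loopback to work. All addresses are constructed, and the matching logic is an assumption that models only interface, source network, destination and port.

```python
# Added illustration: simplified model of SAT + Allow/NAT rule matching.
# Addresses are constructed (RFC 5737 / RFC 1918), not taken from the thread.
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.10")   # firewall public address (constructed)
LAN_IP = ip_address("192.168.1.1")    # firewall LAN address (constructed)
SERVER = ip_address("192.168.1.20")   # web server private address (constructed)
LANNET = ip_network("192.168.1.0/24")
ALL_NETS = ip_network("0.0.0.0/0")

def ruleset(lan_action):
    """The three rules from Reply #9; lan_action is the action of the lan rule."""
    return [
        ("SAT",      {"wan", "lan"}, ALL_NETS, WAN_IP, 80),
        ("Allow",    {"wan"},        ALL_NETS, WAN_IP, 80),
        (lan_action, {"lan"},        LANNET,   WAN_IP, 80),
    ]

def forward(rules, iface, src, dst, port):
    """Return (src, dst) as the server sees the packet, or None if dropped."""
    new_dst = None
    for action, ifaces, net, rule_dst, rule_port in rules:
        # Model assumption: rules keep matching on the original destination,
        # even after a SAT rule has been hit.
        if iface not in ifaces or src not in net:
            continue
        if (dst, port) != (rule_dst, rule_port):
            continue
        if action == "SAT":
            new_dst = SERVER                 # remember translation, keep searching
        elif action == "Allow":
            return src, new_dst or dst       # source address left untouched
        elif action == "NAT":
            return LAN_IP, new_dst or dst    # source hidden behind the firewall
    return None                              # no Allow/NAT rule matched: drop

def loopback_works(lan_action, client="192.168.1.50"):
    """True if the server's reply goes back through the firewall."""
    seen = forward(ruleset(lan_action), "lan", ip_address(client), WAN_IP, 80)
    if seen is None:
        return False
    # If the server sees the client's own LAN address, it replies directly on
    # the LAN with source SERVER; the client expected WAN_IP and resets.
    return seen[0] == LAN_IP
```

With `Allow` on the lan rule the SYN reaches the server but the reply bypasses the firewall, which matches the "connection fails when it is opened" symptom described earlier in the thread.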

webnem

  • Level 1 Member
  • *
  • Posts: 4
Re: DFL-210 + website routing
« Reply #12 on: September 03, 2010, 06:40:56 AM »

After working with tech support, the way we were able to get the loopback working was by creating a route from the public IP to the core, then setting the SAT and NAT rules' destination interface to the core.
Routing
 -Routing Tables
  -main

Add route:
Type    Interface   Network
Route   core        Public_IP of server

Then for the rules:

Action   Source interface   Source network   Destination interface   Destination network   Service
SAT      any                all-nets         core                    Public_IP of server   desired_service
NAT      any                all-nets         core                    Public_IP of server   desired_service

Only thing now is we can't connect to the public IP of the server from a client on the VLAN network, although everything from the lannet works great :P

*Edit - by changing the allow to NAT we were able to get the VLAN network to work as well!
« Last Edit: September 03, 2010, 10:28:25 AM by webnem »
Logged