Unable to accomplish a simple DMZ setup for port forward.

Comments

17 comments

  • Michael Bierman

    Did you check Network Manager > NAT Settings > NAT Passthrough > SIP (ON)

  • Kael Hankins

    Thanks for the response. We have tried enabling SIP passthrough in the past but as far as we can tell it made no difference to the flows being blocked. We disabled it again as the provider frowns upon using SIP ALGs. We will give it a try again though.

  • Kael Hankins

    After trying this again there is no difference in the blocking on the device.

    Our issue seems very similar to this: https://help.firewalla.com/hc/en-us/community/posts/5299868620947-Trying-to-allow-a-single-IP-in-through-WAN-is-this-possible-with-the-default-block-traffic-from-internet-rule-

  • Kael Hankins

    We have determined that it does work in emergency mode.

  • Michael Bierman

    @Kael, 

    I would recommend port forwarding not DMZ here. Can you check the following: 

    1. Check to make sure the protocol is correct. UDP/TCP. If you need both you will need separate port forwarding rules.
    2. Create your port forwarding. Adjust the internal port if it is different than the external port. 
    3. Forward to the device (or LAN IP address). 
    4. For Ingress Firewall select the IP or IP range you want to allow. 

  • Kael Hankins

    This is exactly what we have done. Screenshot below.

    We also found that after enabling emergency mode for 15 minutes it worked and continued working after that 15 minutes until the Firewalla was rebooted. After the reboot we tried enabling emergency mode again and it no longer worked. We really cannot make any sense out of how this device seems to operate.

  • Michael Bierman

    O.K. that sounds like a different issue. The Port Forward allows traffic through the door. What rules do you have on the MS-ESIP-1 or the Group it is in (if any) as well as the network that it is connected to? 

  • Kael Hankins

    Thank you for assisting us with this. There are no groups and no network rules. There are only the default internet and active protect rules as well as the rules auto-generated by the port forwards on the device at this time. 5060UDP for the SIP connection and 10k-12kUDP for the RTP audio. 

  • Michael Bierman

    Hmmm. Here are some ideas:

    1. Check if there is double NAT.
    2. Check that you have a public WAN IP.
    3. Check to see if MS-ESIP-1 has any firewall in place.
    4. If you have any other device you can test with, create a port forward to that and see if port forwarding has any challenges with that device. 

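The checklist above (the port-forward steps with an ingress allow-list, and idea 4, forwarding to a second device to see whether the forward itself works) comes down to one question: does a UDP datagram sent to the public IP and port reach a listener on the inside and get an answer back? A TCP web server on port 80 does not exercise the same path as SIP on 5060/udp, so the probe below is UDP. This is an added example written for this thread, not Firewalla's code or anything from the poster's setup. It assumes the listener runs on the internal host (MS-ESIP-1 or a test box) and the probe runs from an outside host; here both run on 127.0.0.1 on an OS-chosen port so it executes stand-alone without privileges. The SIP OPTIONS payload and the reply strings are constructed for the example.

```python
"""UDP reachability probe for a forwarded port such as SIP 5060/udp.

Added example for the thread above (not Firewalla's code). Three outcomes are
distinguished, which is the split a firewall troubleshooter needs:
  reachable - a reply came back: forward, ingress rule and listener all work
  refused   - ICMP port unreachable: the packet reached a host, nothing listens
  timeout   - silently dropped: firewall/NAT in the path, or listener mute
"""
import socket
import threading

# Constructed SIP OPTIONS request: the conventional "are you alive" message
# for a SIP endpoint. Any datagram works for a plain firewall test.
SIP_OPTIONS = (
    b"OPTIONS sip:probe@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-probe\r\n"
    b"From: <sip:probe@example.invalid>;tag=1\r\n"
    b"To: <sip:probe@example.invalid>\r\n"
    b"Call-ID: probe-1@example.invalid\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def start_listener(bind_addr="127.0.0.1", port=0):
    """Run a tiny UDP responder in a background thread.

    Returns (socket, bound_port). port=0 lets the OS pick a free port so the
    example needs no root; on the real internal host you would bind 5060.
    Close the returned socket to stop the thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    bound_port = sock.getsockname()[1]

    def serve():
        while True:
            try:
                data, peer = sock.recvfrom(2048)
            except OSError:
                return  # socket closed by the caller
            if data.startswith(b"OPTIONS"):
                sock.sendto(b"SIP/2.0 200 OK\r\n\r\n", peer)  # constructed reply
            else:
                sock.sendto(b"PONG " + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock, bound_port


def probe_udp(host, port, payload=SIP_OPTIONS, timeout=2.0):
    """Send one datagram to host:port and classify what happens.

    The socket is connect()ed so the OS reports ICMP port-unreachable as a
    connection error on recv; an unconnected UDP socket would swallow it and
    look exactly like a firewall drop."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            data = s.recv(2048)
        except socket.timeout:
            return "timeout"
        except (ConnectionRefusedError, ConnectionResetError):
            return "refused"
    return "reachable" if data else "timeout"


def probe_ports(host, ports, **kw):
    """Probe several ports at once, e.g. 5060 plus a sample of the RTP range
    (the thread's 10000-12000/udp), returning {port: outcome}."""
    return {p: probe_udp(host, p, **kw) for p in ports}


if __name__ == "__main__":
    sock, port = start_listener()
    print(port, probe_ports("127.0.0.1", [port]))
    sock.close()
```

Run the listener on the inside host bound to 5060 and point the probe at the public IP from an external network: "timeout" on 5060 while a listener on another port returns "reachable" isolates the problem to how that port is handled, which is the distinction the rest of this thread is chasing.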
  • Kael Hankins

    Thanks for your suggestions. I can speak to some of these from past attempts.

    1. There is no double/CG NAT. 

    2. We have a static public IP which can be reached directly from the internet. 

    3. MS-ESIP-1 has no firewall in place and operates correctly with the same WAN on different firewall/router devices. (I've tested with an enterprise-grade Barracuda firewall and a terrible old Netgear SOHO router.)

    4. If I have time today I will try another device, probably a simple test web server.


    A side note: we have gotten this to work with Firewalla at times in the past (without engaging emergency mode), but typically it only works until the Firewalla device is rebooted or loses power. 

    I even have the exact same setup working at another location. Resetting and copying that config exactly did not help, nor did using the "Migrate from other box" feature. I'm just completely at a loss. We are also engaging support on this issue.

  • Kael Hankins

    Port forwarding for a test web server worked immediately.

  • Michael Bierman

    @Kael, Interesting. So what's different? 

    1. Different ports. Seems unimportant. 
    2. Different device. Seems unimportant, unless the device has some kind of firewall, which you say it doesn't.
    3. For the test, were you using the same public IP or is MS-ESIP-1 on a different public IP? I assume the port is not blocked by the ISP? 

  • Kael Hankins

    Same public IP; it really seems like SIP is treated differently somehow.

  • Kael Hankins

    Port is not blocked by the ISP, as we can always see the Firewalla blocking the flows.

  • Kael Hankins

    Thanks very much for your help. We ended up moving to a different vendor which did not have this issue and worked immediately. 

    We worked in parallel with Firewalla support for a week but we were never able to reliably get 5060 open to the internet. Port 80 was no problem and just worked as described in the documentation. We were also unable to figure out the inconsistent behavior around port 5060 and the Emergency Access mode. 

    My only theory is that there is some bug in the implementation of the SIP passthrough that causes issues specific to port 5060. Unfortunately this makes the product unsuitable to our use case.

    Thanks especially to @Michael Bierman for all the work on this.

  • Michael Bierman

    Sorry to hear you are moving on. Out of curiosity, in addition to the port forward, did you turn on SIP passthrough? 

  • Kael Hankins

    We did on several occasions, but we were never able to get any different results. 
