ScreenOS Firewalls (NOT SRX)

Port forwarding failing despite following KB4740 and three-step guide

[ Edited ]
a week ago

Hello all,

I've tried setting up port forwarding through my SSG5 which I just acquired.

I'm not an IT-er by trade, but an educator/teacher of mathematics & entry-level IT. I managed to set up port forwarding on my network successfully without the SSG5, but after adding the device between my router and PC acting as server, I can't seem to get it to work.

I set up custom services for the ports I need open and forwarded under 'Policies > Policy elements > Services > Custom', and added policies to allow traffic from the modem's IP through the SSG5 client IP to the PC, with the specified services/ports.

Under DHCP, SSG5 has Untrust IP set to DHCP client (I've reserved the IP in modem) and I've set the client IP of the PC as reserved.

Under interfaces, for Untrust I've added a VIP (using untrust client IP) forwarding the ports to the PC's client IP.

However when I check if the ports are open (with open port checker/portforward), they stay closed.

I've added my config file to this post, hoping someone can guide me to the solution.

I followed the steps given here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB4740

http://www.howtonetworking.com/Routers/ssgportforward0.htm

16 REPLIES

Re: Port forwarding failing despite following KB4740 and three-step guide

a week ago
added policies to allow traffic from modem's IP through SSG5 client IP to the PC, with specified services/ports specified.

The policy should be from a source of any address, not the address of the modem interface.

And the destination should select the VIP option in the web interface,

as shown in step 13 of the linked KB article.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

[ Edited ]
a week ago

Thank you for your answer. That must be where I mixed up the two guides.

I have updated the policies as per your instructions, however the ports still show as closed.

I have attached my updated configuration.


Re: Port forwarding failing despite following KB4740 and three-step guide

a week ago

The configuration looks good.  What is the ip address on eth0/0 and how is any forwarding to that address done on your modem?

You mention that it has a DHCP reservation, so I am wondering if this is actually an RFC 1918 private address that is not internet routable, which would require a forwarding setup on the modem to this address too.

Or do you have bridge mode setup on the modem and get an actual public address?

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

[ Edited ]
a week ago

The modem has public external IP and DHCP server and eth0/0 gets IP from the modem.

On the modem I have set forwarding for the ports from external ip as follows:

Src 3300/29328/55611, to eth0/0 and dst 3300/29328/55611.

This setup worked when I had the ports forwarded to my previous router, before I replaced that with the SSG5.


Re: Port forwarding failing despite following KB4740 and three-step guide

a week ago

The configuration seems to be fine on the FW. We need to first confirm whether the traffic is being sent to the FW or not, and if it is sent, why it is failing. Can you please collect the below debug logs for further troubleshooting:

Commands:

unset ff  #-( run this till you see 'invalid id' output)
set ff src-ip X.X.X.X dst-ip <E0/0-IP>
set ff src-ip <E0/0-IP> dst-ip X.X.X.X

clear db

debug flow basic 

# Initiate traffic 
# press 'esc' key on keyboard to stop both debug

get db st   #--(will provide you the output)

Also collect the "get tech" and attach it.

Regards,

Rishi 

JTAC

Re: Port forwarding failing despite following KB4740 and three-step guide

[ Edited ]
Thursday

I used telnet to access the SSG5 as I do not have a console set up.

I was able to get the 'get tech' output, and set ffilter for traffic, however I got no output from the 'debug flow basic' command.

Am I missing something, or is it saved to a particular location?

I included the get tech info.


Re: Port forwarding failing despite following KB4740 and three-step guide

Thursday

I forgot to ask if you turned off "server auto detect" when you created the VIP forwarding ports.  This requires that a ping test work before it will forward traffic and can take your VIP offline in error.

For the debug flow basic these are some more detailed instructions.  We do need to see the traffic flow.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB5536

If nothing can be found by debug flow basic, try using snoop on the external interface to do a basic packet capture.  This will verify whether the packets are arriving or not.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB5411

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

[ Edited ]
Friday

All right, I ran the debug and got this as output. I hope it's enough; I can run the debug longer if needed.

And I have indeed had the auto-detect turned off.

EDIT: Additionally, I snooped the ports and IP for a while. Also added.


Re: Port forwarding failing despite following KB4740 and three-step guide

Friday

I think I see the error.  Your custom service objects set BOTH the source and destination ports.  You need to remove the source port restriction.  They will be sourced from any random port but will have the fixed destination port.

set service "MN AEG" protocol tcp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" + udp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" timeout never
set service "MN MRQ" protocol tcp src-port 55611-55611 dst-port 55611-55611
set service "MN MRQ" + udp src-port 55611-55611 dst-port 55611-55611
set service "MN MRQ" timeout never
set service "MN WORX" protocol tcp src-port 3300-3300 dst-port 3300-3300
set service "MN WORX" + udp src-port 3300-3300 dst-port 3300-3300
set service "MN WORX" timeout never

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

[ Edited ]
Friday

[It appears it's not completely fixed, see edit below]

You are right indeed, the port now shows as open! Thank you both, for all the help and insight.

I will go through all data again myself and make sure I understand why the errors occurred, so I can fix them myself the next time.

Really appreciate it!

EDIT: It appears the ports are only open for TCP, not for UDP. Does UDP require a different setup?


Re: Port forwarding failing despite following KB4740 and three-step guide

Friday

TCP and UDP are separate service objects.  When you create a service you are selecting both the protocol and the port.  So if you need both then you need to create two services.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

Friday

I've tried that, however when I wanted to assign services to the VIP, I could only attach either the TCP or the UDP service to the designated port.

They just replaced each other when I added them separately.


Re: Port forwarding failing despite following KB4740 and three-step guide

Saturday

In your custom service creation add both tcp and udp to the custom service profile.

[attachment: ssgservice.png]

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
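An added example, not from the thread or from Juniper: a small Python audit of the `set service` lines quoted earlier in this thread. It flags the two problems the replies discuss: a custom service whose src-port range is pinned to a single port (clients connect from random ephemeral ports, so such a service matches nothing), and whether a service carries only tcp, only udp, or both. The service named "EX OK" is a constructed control entry, and the 0-65535 range is assumed to be how ScreenOS expresses "any source port".

```python
import re
from collections import defaultdict

# Constructed sample: two of the service objects quoted in this thread,
# plus a hypothetical "EX OK" service written the way the replies advise.
SAMPLE_CONFIG = """\
set service "MN AEG" protocol tcp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" + udp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" timeout never
set service "MN WORX" protocol tcp src-port 3300-3300 dst-port 3300-3300
set service "MN WORX" + udp src-port 3300-3300 dst-port 3300-3300
set service "MN WORX" timeout never
set service "EX OK" protocol tcp src-port 0-65535 dst-port 3300-3300
set service "EX OK" + udp src-port 0-65535 dst-port 3300-3300
"""

# Matches both the first ("protocol tcp") and continuation ("+ udp") forms.
LINE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" (?:protocol|\+) (?P<proto>tcp|udp)'
    r' src-port (?P<s1>\d+)-(?P<s2>\d+) dst-port (?P<d1>\d+)-(?P<d2>\d+)$'
)

ANY_SRC_PORT = (0, 65535)  # assumed ScreenOS encoding of "any source port"


def parse_services(config):
    """Return {name: [(proto, (src_lo, src_hi), (dst_lo, dst_hi)), ...]}."""
    services = defaultdict(list)
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # timeout and other lines carry no port info and are skipped
            src = (int(m["s1"]), int(m["s2"]))
            dst = (int(m["d1"]), int(m["d2"]))
            services[m["name"]].append((m["proto"], src, dst))
    return dict(services)


def audit_services(config):
    """Per service: which protocols it carries and which of those entries
    restrict the source port (and therefore never match real client traffic)."""
    findings = {}
    for name, entries in parse_services(config).items():
        protos = sorted({proto for proto, _, _ in entries})
        restricted = [proto for proto, src, _ in entries if src != ANY_SRC_PORT]
        findings[name] = {"protocols": protos, "src_port_restricted": restricted}
    return findings


if __name__ == "__main__":
    for name, f in audit_services(SAMPLE_CONFIG).items():
        print(name, f)
```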

Re: Port forwarding failing despite following KB4740 and three-step guide

[ Edited ]
Saturday

I have, as shown in my configuration file. I verified with my ISP that those ports are not blocked.

And without the SSG5, they forward fine. I have added the service to the VIP as per earlier instructions.

The weird thing is, only UDP remains closed; TCP works fine. I'm looking through the ScreenOS reference guide as we speak, but have not found an entry about this yet.

[attachment: 1.jpg]


Re: Port forwarding failing despite following KB4740 and three-step guide

Saturday

Sounds like a bug then.  Are you running the latest ScreenOS 6.3.0r25?

Also are you sure the application needs both tcp and udp on the same port?

That is pretty unusual.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

Sunday

It appears my search has to end here. Since there's no active support contract from my employer, I'm not allowed the single upgrade to latest firmware.

I was hoping to use this device, with my other devices, to show differences among manufacturers, but I can't do that in good conscience if I cannot get it working.

If someone is willing to provide me a direct download link to the 6.3.0r25 firmware so I can see if it is indeed a bug, that would be great.