ScreenOS Firewalls (NOT SRX)

Port forwarding failing despite following KB4740 and three-step guide

‎07-11-2018 11:37 AM

Hello all,

 

I've tried setting up port forwarding through my SSG5 which I just acquired.

I'm not an IT-er by trade, but an educator/teacher of mathematics & entry-level IT. I managed to set up port forwarding on my network successfully without the SSG5, but after adding the device between my router and PC acting as server, I can't seem to get it to work.

 

I set up custom services for the ports I need open and forwarded under 'Policies > Policy elements > Services > Custom', added policies to allow traffic from modem's IP through SSG5 client IP to the PC, with specified services/ports specified.

Under DHCP, SSG5 has Untrust IP set to DHCP client (I've reserved the IP in modem) and I've set the client IP of the PC as reserved.

Under interfaces, for Untrust I've added a VIP (using untrust client IP) forwarding the ports to the PC's client IP.

 

However when I check if the ports are open (with open port checker/portforward), they stay closed.

I've added my config file to this post, hoping someone can guide me to the solution.

 

I followed the steps given here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB4740

http://www.howtonetworking.com/Routers/ssgportforward0.htm

 

 


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-11-2018 03:00 PM
added policies to allow traffic from modem's IP through SSG5 client IP to the PC, with specified services/ports specified.

The policy should be from a source of any address, not the address of the modem interface.

And the destination should select the VIP option in the web interface, as shown in step 13 of the linked KB article.

 

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-12-2018 12:20 AM

Thank you for your answer. That must be where I mixed up the two guides.

I have updated the policies as per your instructions, however the ports still show as closed.

I have attached my updated configuration.


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-12-2018 02:54 AM

The configuration looks good. What is the IP address on eth0/0, and how is any forwarding to that address done on your modem?

 

You mention that it has a DHCP reservation, so I am wondering if this is actually an RFC 1918 private address that is not internet routable, which would require a forwarding setup on the modem to this address too.

 

Or do you have bridge mode setup on the modem and get an actual public address?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-12-2018 03:11 AM

The modem has public external IP and DHCP server and eth0/0 gets IP from the modem.

On the modem I have set forwarding for the ports from external ip as follows:

Src 3300/29328/55611, to eth0/0 and dst 3300/29328/55611.

 

This setup worked when I had the ports forwarded to my previous router, before I replaced that with the SSG5.


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-12-2018 03:35 AM

The configuration seems to be fine on the FW. We need to first confirm whether the traffic is being sent to the FW or not and, if it is, why it is failing. Can you please collect the debug logs below for further troubleshooting:

 

Commands:

unset ff                         (run this until you see 'invalid id' output)
set ff src-ip X.X.X.X dst-ip <E0/0-IP>
set ff src-ip <E0/0-IP> dst-ip X.X.X.X
clear db
debug flow basic

Initiate the traffic, then press the 'esc' key on the keyboard to stop the debug.

get db st                        (will provide you the output)

 

Also collect the "get tech" and attach it.

 

Regards,

Rishi 

JTAC

 

 


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-12-2018 08:56 AM

I used telnet to access the SSG5 as I do not have a console set up.

I was able to get the 'get tech' output, and set ffilter for traffic, however I got no output from the 'debug flow basic' command.

Am I missing something, or is it saved to a particular location?

 

I included the get tech info.


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-12-2018 03:52 PM

I forgot to ask if you turned off "server auto detect" when you created the VIP forwarding ports. This requires that a ping test work before it will forward traffic and can take your VIP offline in error.

For the debug flow basic, these are some more detailed instructions. We do need to see the traffic flow.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB5536

If nothing can be found by debug flow basic, try using snoop on the external interface to do a basic packet capture. This will verify whether the packets are arriving or not.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB5411

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-13-2018 01:43 AM

All right, I ran the debug and got this as output. I hope it's enough; I can run the debug longer if needed.

And I have indeed had the auto-detect turned off.

 

EDIT: Additionally, I snooped the ports and IP for a while. Also added.


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-13-2018 03:00 AM

I think I see the error.  Your custom service objects set BOTH the source and destination ports.  You need to remove the source port restriction.  They will be sourced from any random port but will have the fixed destination port.

 

set service "MN AEG" protocol tcp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" + udp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" timeout never
set service "MN MRQ" protocol tcp src-port 55611-55611 dst-port 55611-55611
set service "MN MRQ" + udp src-port 55611-55611 dst-port 55611-55611
set service "MN MRQ" timeout never
set service "MN WORX" protocol tcp src-port 3300-3300 dst-port 3300-3300
set service "MN WORX" + udp src-port 3300-3300 dst-port 3300-3300
set service "MN WORX" timeout never

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-13-2018 03:15 AM

[It appears it's not completely fixed, see edit below]

You are right indeed, the port now shows as open! Thank you both, for all the help and insight.

I will go through all the data again myself and make sure I understand why the errors occurred, so I can fix them myself the next time.

Really appreciate it!

 

EDIT: It appears the ports are only open for TCP, not for UDP. Does UDP require a different setup?


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-13-2018 05:28 PM

TCP and UDP are separate service objects. When you create a service you are selecting both the protocol and the port. So if you need both, then you need to create two services.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
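To make the two points above concrete (a source-port restriction in a custom service blocks clients that connect from random source ports, and a service needs both a tcp and a udp entry to cover both protocols), here is an added Python example that parses the `set service` lines quoted earlier in the thread and evaluates whether sample inbound connections would match. It is not code from the thread or from Juniper; the service text and port numbers are constructed from the quoted configuration, and the corrected form uses ScreenOS's full `src-port 0-65535` range.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "MN AEG" service as quoted in the thread (source
# port pinned to 29328) and a corrected form that pins only the destination
# port while keeping both the tcp and the udp entry.
ORIGINAL = '''
set service "MN AEG" protocol tcp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" + udp src-port 29328-29328 dst-port 29328-29328
set service "MN AEG" timeout never
'''
CORRECTED = '''
set service "MN AEG" protocol tcp src-port 0-65535 dst-port 29328-29328
set service "MN AEG" + udp src-port 0-65535 dst-port 29328-29328
set service "MN AEG" timeout never
'''

# "protocol <proto>" starts a service, "+ <proto>" appends another entry.
LINE_RE = re.compile(
    r'set service "(?P<name>[^"]+)" (?:protocol|\+) (?P<proto>tcp|udp) '
    r'src-port (?P<s1>\d+)-(?P<s2>\d+) dst-port (?P<d1>\d+)-(?P<d2>\d+)$'
)

@dataclass
class Service:
    name: str
    entries: list = field(default_factory=list)  # (proto, (s_lo, s_hi), (d_lo, d_hi))

    def matches(self, proto, src_port, dst_port):
        """True if any entry of the service covers this protocol/port pair."""
        return any(p == proto and s[0] <= src_port <= s[1] and d[0] <= dst_port <= d[1]
                   for p, s, d in self.entries)

def parse_services(config_text):
    """Parse 'set service' port lines into Service objects keyed by name."""
    services = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # timeout lines and unrelated config are ignored here
        svc = services.setdefault(m["name"], Service(m["name"]))
        svc.entries.append((m["proto"],
                            (int(m["s1"]), int(m["s2"])),
                            (int(m["d1"]), int(m["d2"]))))
    return services

def check_inbound(config_text, proto, ephemeral_src=51234, dst=29328):
    """Would a client using a random (ephemeral) source port match the service?"""
    return parse_services(config_text)["MN AEG"].matches(proto, ephemeral_src, dst)
```

With the original definition only a client that happens to source from port 29328 matches, which is why the port checker saw the VIP as closed; the corrected definition matches any source port for both tcp and udp.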

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-13-2018 11:39 PM

I've tried that; however, when I wanted to assign services to the VIP, I could only attach either the TCP or the UDP service to the designated port.

They just replaced each other when I added them separately.


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-14-2018 03:56 AM

In your custom service creation add both tcp and udp to the custom service profile.

ssgservice.png

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-14-2018 04:12 AM

I have, as shown in my configuration file. I verified with my ISP that those ports are not blocked.

And without the SSG5, they forward fine. I have added the service to the VIP as per earlier instructions.

The weird thing is, only UDP remains closed; TCP works fine. I'm looking through the ScreenOS reference guide as we speak, but have not found an entry about this yet.

1.jpg


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-14-2018 04:21 AM

Sounds like a bug then. Are you running the latest ScreenOS 6.3.0r25?

 

Also are you sure the application needs both tcp and udp on the same port?

That is pretty unusual.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-22-2018 05:23 AM

I was able to update the firmware after all, so a bug is probably out of the question. UDP still shows as closed. Not sure how to proceed from here. The application appears to use one protocol for data and one as backup.

All insights are welcome.

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-22-2018 09:59 AM

Since you have updated to the latest firmware you have verified that the bug has not been fixed yet.

 

This could mean that no one has reported it through JTAC or that it is still pending. We don't have a public bug database for ScreenOS like there is for Junos. So the only way to be sure is to open a support case and get it into the system. But that would take having an active support contract to do.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-22-2018 07:53 PM

Hi,

 

I think you need to debug it as per Rishi's update and check the flow. This will help us identify whether traffic is reaching the firewall and the further flow processing on the firewall, e.g. route, NAT, policy lookup, etc.

 

Thanks,

Vikas


Re: Port forwarding failing despite following KB4740 and three-step guide

‎07-23-2018 05:45 AM

Hi,

Can you please also collect the packet capture and provide us with its output. This will help us confirm whether the traffic is reaching the device or not:

Log in to the device as the root user and execute the commands below:

snoop filter del
unset ff                                  (run this until you see 'invalid id' output)
set ff src-ip <Client> dst-ip <server>
set ff src-ip <server> dst-ip <Client>
snoop filter ip src-ip <Client> dst-ip <server>
snoop filter ip src-ip <server> dst-ip <Client>
clear db
snoop detail                              (make sure you are logged in as the root admin)
snoop detail len 1514

Please start the Wireshark capture on both client and server at this point.

debug flow basic
snoop                                     (enter and press Y)

Press the 'esc' key on the keyboard to stop both snoop and debug.

get db s                                  (will provide you the output)

Once the output is taken, run the following command to clear the filters:

snoop filter del

Kindly let me know if you face any issues.

Regards,
Rishi

 JTAC