Traffic Problems

  1. Why can't I access my DMZ from the outside?
  2. Why can't I access my web server/email server from the inside via my relay?
  3. Why doesn't my Ingate Firewall receive packets sent to one of its relays?
  4. Why does my firewall reply to pings sent to its inside IP address when I ping from the Internet, even though there are no firewall rules to allow ping through the firewall?
  5. Why is some web/e-mail traffic rejected, even though I opened for all such traffic?

Why can't I access my DMZ from the outside?

Problem description

The public IP addresses you received from your ISP were divided into two groups, one of which is used on your DMZ and one on the outside of the firewall. When this configuration is applied, the DMZ computers can't be accessed from the outside.

What to do

The probable cause of this is that the router acting as default gateway for the firewall doesn't know that the DMZ IP addresses should be routed through the firewall. Contact your ISP to have the router reconfigured.

Why can't I access my web server/email server from the inside via my relay?

Problem description

On the firewall, there is a relay forwarding packets from the outside to a server on the inside or on a DMZ. This works from the outside, but I can't access the server from the inside using the public IP or the server name.

What to do

The probable cause of this is that you haven't allowed the computers on the office network to use the relay. Do this:

  • Go to the Networks and Computers page under Network and create a network which contains both the Internet and the office network. In some cases, you might already have such a network. To create it, create a new row with two groups in it. Select the Internet and the office network as subgroups (you probably have them as networks already). Select "-" as Interface/VLAN for both, and enter no IP addresses.
  • Go to the Relays page under Rules and Relays and find out which relay handles the traffic you have problems with. Change Allow access from for this relay to the network you just created.
  • Go to the Save/Load Configuration page under Administration and apply the changes.

Why doesn't my Ingate Firewall receive packets sent to one of its relays?

Problem description

A server used to be connected directly to the Internet, but the firewall has now been placed in between. As a result, packets no longer arrive at the IP address formerly used by this server and now used by the firewall.

What to do

The probable cause of this is that the router acting as default gateway for the firewall locks the IP address to the MAC address of the server. This is reset when the router times out or is rebooted.

Why does my firewall reply to pings sent to its inside IP address when I ping from the Internet, even though there are no firewall rules to allow ping through the firewall?

Problem description

My firewall has a public IP address on the outside interface and a private IP address on the inside interface. If I try to ping the inside IP address from a computer located outside the firewall, it replies to ping even when no firewall rules have been set up.

Explanation

Rules in the firewall only affect traffic addressed through the firewall, not traffic to the firewall. The firewall always listens for traffic to all its IP addresses on all interfaces. It replies to ping in the described manner because the setting Policy For Ping to Your Ingate Firewall is set to Reply to ping to all IP addresses. If you want the outside interface to only reply to ping to the public outside IP address, change the setting to Only reply to ping to the same interface. If you don't want the firewall to reply to ping at all, select Never reply to ping.

Why is some web/e-mail traffic rejected, even though I opened for all such traffic?

Problem description

Look for this kind of sequence in the log (shown with Show newest on top):

The significant sequence is an accepted S flag followed by rejected R flags.

This is caused by the connecting software sending flags in an inappropriate order. The Dynamic session management in the firewall rejects flags which aren't in the correct order.
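One way to search an exported log for that sequence, as an added example that is not part of the Ingate documentation. The log line layout below is a constructed, simplified format (not the firewall's actual log output), and `find_rejected_after_syn` is a hypothetical helper; it reverses newest-on-top input so that the accepted S is seen before the rejected R packets.

```python
import re

# Constructed sample in an assumed layout, NOT the real Ingate log format.
# Newest entry first, as the log appears with "Show newest on top".
SAMPLE_LOG = """\
2024-05-01 10:00:09 ACCEPT tcp 198.51.100.4:50100 -> 192.0.2.10:80 flags=S
2024-05-01 10:00:05 REJECT tcp 203.0.113.7:41522 -> 192.0.2.10:25 flags=R
2024-05-01 10:00:04 REJECT tcp 203.0.113.7:41522 -> 192.0.2.10:25 flags=R
2024-05-01 10:00:03 ACCEPT tcp 203.0.113.7:41522 -> 192.0.2.10:25 flags=S
2024-05-01 10:00:01 REJECT tcp 203.0.113.9:40000 -> 192.0.2.10:25 flags=R
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>ACCEPT|REJECT) tcp "
    r"(?P<src>\S+) -> (?P<dst>\S+) flags=(?P<flags>[A-Z]+)$"
)


def find_rejected_after_syn(log_text, newest_on_top=True):
    """Return {(src, dst): rejected_R_count} for connections whose S was
    accepted and whose later R packets (same direction) were rejected."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    if newest_on_top:
        lines.reverse()  # process entries in chronological order
    open_syn = set()     # connections with an accepted S seen so far
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue     # skip lines that are not in the assumed layout
        key = (m["src"], m["dst"])
        if m["verdict"] == "ACCEPT" and m["flags"] == "S":
            open_syn.add(key)
        elif m["verdict"] == "REJECT" and "R" in m["flags"] and key in open_syn:
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (src, dst), count in find_rejected_after_syn(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: accepted S followed by {count} rejected R")
```

A rejected R with no earlier accepted S for the same connection, like the oldest line in the sample, is not reported, since it does not match the sequence described here.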

What to do

  1. Change to Packet filter for the affected services.
  2. Notify the sending server administrator about the defective software.