V4.32 NAT port 80 and 443 not allowed

PeterUK
PeterUK Posts: 2,655  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
edited April 2021 in Security

So your stopping the use of 80 and 443 from WAN or OPT to a NAT IP? This seems like a silly idea?   

This idea needs to be done correctly as I have a rule in place that works with it saying its conflicting when its not for a Virtual interface on LAN1. I can understand its to stop people from doing a NAT rule on LAN1 directly that stops them logging in but its too strict.

    

Accepted Solution

«1

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @PeterUK  

    It is because the port 80 has been used in ZyWALL HTTP server.

    You can change default HTTP server port as others, then there is no this problem.

    Configuration > System > WWW > HTTP server port.


  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited September 2018

    But you don't have too the rule works fine without changing the ZyWALL HTTP server. You can run a web server on port 80 with ZyWALL HTTP server on port 80.


  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    just an update this is still a problem in V4.33

  • OneZyUser
    OneZyUser Posts: 10  Freshman Member
    First Anniversary Friend Collector First Comment
    edited February 2019
    @Zyxel_Stanley, the problem is if I disable admin access to port 443 (https, or 80 http) from WAN (so that only admins can access it from within the LAN), I should be able to free up that port for a virtual server behind NAT (when coming from WAN, and nat_loopback disabled).
    Another corner case is, as it happened to me, if I have a group of static IPs (all terminating at the same physical port), this rule will prevent me from running another server on the same port (even if I use a different static WAN IP).


  • jonatan
    jonatan Posts: 143  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    For example, it is possible to do so

  • RaphaelOIiveria
    RaphaelOIiveria Posts: 35  Freshman Member
    First Anniversary Friend Collector First Answer First Comment
    Hi.You can use the "Redirect Service" to public a web service.
    You need create a security police allow this traffic (Wan to Serverxxx Allow)
  • I just got a new firewall for a customer and I have the same issue. I don't mind the warning if my Nat rule was set to answer on my firewall IP, but I have a block of 5 IP's and I get this error even if I set the nat rule to answer on a different IP address, I think this is pretty dumb as the only way to resolve seems to be to change the device ports to something else... not a deal breaker but a pain. if this is the way it will be you should default the firewall access ports to something besides 80 and 443 out of the box. like 8080 and 4433 (as most other firewalls already do this) but I still don't understand why this would happen when setting nat rule to answer on an IP other than my firewall interface ip.
  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2019

    Its said that this will be fixed at some point but what you can do is Edit the config file to force to the ports you want.


  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @michael3767
    This case already solved in the patch firmware, so which model are you using?
    I will private message firmware to you.
    Charlie

Security Highlight