Does NAT work??


Postby KRIS » Jun 04 04 12:16 am

Hi,

I'm running WinGate 5.2.3 (build 901). I have WinGate installed on my gateway machine 192.168.2.1 and have an internal network of 192.168.2.x

I am running ZoneAlarm Pro and allow TCP OUT on port 1433.

All clients have a fixed IP and a gateway of 192.168.2.1

Internet browsing is fine. However, I am trying to run a VB application that attempts to connect to a remote SQLSERVER on port 1433.
I have enabled ENS, with GPIS and support for multiple routers, and have ensured LAN => Internet port access is allowed, and Internet => LAN is allowed on ports 1024-4096.

The app will work fine directly from the gateway machine, but will not from a client (I don't have WinGate client on any machine, just fixed IP and fixed gateway).

The NAT Log says "firewall relay tcp src 192.168.2.x:4460 dst 209.208.x.x:1433" but it won't connect. The app fails with "TCP/IP Sockets access denied" (etc) errors.

Is this symptomatic of NAT not working? I am baffled, spent a day now trying to get this to work!
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby labull » Jun 04 04 1:17 am

Try disabling ZoneAlarm to see if that clears up the problem.

If it does maybe someone can figure out how to make them play nicely together.

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby KRIS » Jun 04 04 2:05 am

Thanks for the reply.

I've tried that - switched ZoneAlarm off completely to make sure it wasn't some firewall shenanigans. No result.

Frankly I'm a bit baffled. Has anyone else encountered this?
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby KRIS » Jun 04 04 2:26 am

Would help if I hadn't chopped off the first bit of the NAT log entry:

"Authorisation Failure: NAT STATUS": firewall allow TCP src 192.168.etc"

So there is an authorisation failure (whatever that means).
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby labull » Jun 04 04 3:16 am

In Extended Networking - Policies - do you have Everyone listed as a recipient?

Also - Default System Rights - are ignored?

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby KRIS » Jun 04 04 4:06 am

Just checked - yes, it's as you say!
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby KRIS » Jun 04 04 10:35 pm

Any Qbik Support? Is something wrong with NAT (i.e. it doesn't work) generally? There seem to be a lot of posts about not getting NAT working!
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby Nil Einne » Jun 05 04 1:32 am

Sorry, misread your original statement.

One thing I think you should check is to make sure that your VB app client does not need to act as a server at any time. If it does, this will not work without port forwarding redirection.

The second thing is I suggest you totally uninstall ZoneAlarm and make sure it is 100% removed. I've heard some bad things about it interfering even when disabled, which you might want to look up. If you need a personal firewall, perhaps look for a different option. I've heard good things (but never tried myself) about Kerio Personal Firewall 2.0 and it's free even if somewhat hard to find...

Also, of course, make sure you haven't inadvertently enabled the Windows XP built-in firewall at any time.
Nil Einne
 
Posts: 18
Joined: Sep 28 03 12:07 am
Location: Auckland, New Zealand

Postby KRIS » Jun 07 04 8:53 pm

I'm loath to take the firewall down even for a minute!
The VB app is purely a client, it just connects to a remote SQL Server database.
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby Nil Einne » Jun 08 04 4:04 am

Simple. Download a decent firewall (Kerio is the one I've heard of but I'm sure there are others that are okay), one which isn't known to cause problems with programs when it shouldn't (unlike ZoneAlarm, which is known to cause problems when it shouldn't) & download instructions on how to remove ZoneAlarm properly.

Then unplug the computer from the network (if it's wireless, either take down the wireless network if possible or disable/take out/unplug the wireless card), remove ZoneAlarm, and install the firewall you downloaded. You'll never be exposed without a firewall, but you'll end up with a decent firewall rather than something which is known to cause problems with a number of apps, despite being set up properly...

However, I thought you already tried disabling the firewall once? Did you get some worm or something when you did? Just a bit surprised that if you did it not that long ago, you're not willing to try again (well, this time you will be totally removing it, but in theory it should be the same thing as disabling ZoneAlarm, even though in practice people have found this is not the case).

It's up to you. I would personally recommend you get a better firewall (there are free ones, so the only cost would be to learn how to use it) but if you aren't willing, you should at least try totally removing ZoneAlarm even just for a while to make sure it's okay. If you aren't willing to do it a second time around, then your only option would be to (remove ZA) install Kerio or similar temporarily, as recommended, then go back to ZoneAlarm when you've confirmed that the problem either is or isn't with ZoneAlarm.
Last edited by Nil Einne on Jun 08 04 4:13 am, edited 1 time in total.
Nil Einne
 
Posts: 18
Joined: Sep 28 03 12:07 am
Location: Auckland, New Zealand

Postby labull » Jun 08 04 4:09 am

Getting back to this.

I guess we should check some basic functionality first.

Can you browse the internet via NAT?

There is no traffic at this site about NAT not working.

I guess we need to be sure if it's NAT or a configuration problem.

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby KRIS » Jun 09 04 1:40 am

I have now completely uninstalled ZoneAlarm Pro, and am relying on the WinGate firewall configured as part of extended networking. (It doesn't seem to stealth port 113, which is a bit naff, but I guess it isn't adaptive like ZA.)

App still doesn't work.

I have to be honest that I am unsure how to test / tell that NAT is working properly. How would I do this? (I'm an Oracle DBA, not a networking type!)
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby labull » Jun 09 04 1:45 am

Set up a client computer behind WinGate.

Set its default gateway to point to the WinGate server.

Browser should not have proxy set.

Browser should then be able to surf the net.

That may be oversimplified but is a start.

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby KRIS » Jun 09 04 2:15 am

I really appreciate the help you are giving me.

I have fired up IE, gone to "connections=>lan settings" and removed the proxy. The browser no longer surfs the net but gets "a couldnt open the seacrh page" error. I guess this means that NAT isn't working??

If I go to WinGate on the gateway machine, click on "Extended network Driver" and go to "General", all the tick boxes are ticked and the firewall is set to "custom".

"Routing Pane" = all ticked.
"Port Security" = connections FROM Internet TCP are denied EXCEPT 113, default deny
                = LAN TO Internet are allowed 1024-8888, port 80 redirected, default allow
"Policies" = Everyone unrestricted rights (system policies ignored)
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby labull » Jun 09 04 2:37 am

Could just mean that the DNS for that client is not configured.

Either point it to the WinGate Server or to the DNS used by the WG server.


Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby KRIS » Jun 09 04 2:48 am

Tried both, same result. The DNS server is a different server on the LAN, the gateway machine is secondary (I don't know why, it's a legacy!).

However, I tried what you suggested and set the DNS to the gateway machine running WinGate, and then the DNS used by the gateway machine (the ISP).

No result, browser won't browse!
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby labull » Jun 09 04 2:51 am

Well Dang!

Are there any entries in the firewall tab of GateKeeper indicating connections being blocked?

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby KRIS » Jun 09 04 2:55 am

There's nothing at all on show for the client's IP, just external internet ones that were all blocked.
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby KRIS » Jun 22 04 2:08 am

Can no one help me with this? All I want is to get NAT working!!!
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am

Postby erwin » Jun 22 04 11:32 am

Hi there Kris,

I too haven't seen many posts about NAT not working correctly, merely configuration issues.

I realise it has been reiterated throughout this post and that you/everyone probably knows this, but for the benefit of other readers, and a safety/sanity check for us.... :-)

Simple NAT functionality is achieved by the following:

On the client Machine -

- Both Gateway and DNS entries should be pointing to the WinGate server's internal IP address (both are required to be set for basic Internet access via NAT).
(Usually if you are using the WinGate DHCP service and it's set to "Fully automatic" mode it will assign these details for the clients.)

- Setting a Proxy server address in IExplorer will tell ONLY that application to use the particular server for Internet access, it will not help with Internet access for any other app running on that client machine. Which is why NAT method is so efficient, as it handles/sends all Internet requests from the client machine to the WinGate Server.

On the WinGate Server -

LAN interface should have Internal IP (same IP address listed as GATEWAY and DNS entry on the client machine).

No Gateway or DNS entries should be listed on this interface.

On the Internet Interface/Connection - DNS server can be set to the IP address either internal (the DNS server on your LAN) or usually the DNS server assigned to the connection by the ISP (usually more simple).

The DNS/WINS resolver in GateKeeper lets you specify the DNS server WinGate will try first, before attempting to use any other DNS server.

When a client connects via NAT (regardless of whether it's FTP, HTTP etc) it will show up literally as a "NAT Connection...." in the activity screen of GateKeeper. And it will usually list what ports etc the client is making the connection on.

WinGate ENS/Firewall

If your client machine is making the connection to the external Database server then WinGate will open up the appropriate port automatically to let the client request out onto the Internet.

Since WinGate is aware of this connection already it will automatically allow the reply data through the firewall back to the LAN and to the original machine. There should be no port direction required.

If (as was in your case) there is also a ZA firewall in front of WinGate, then you will possibly need to open/redirect the port on ZA to allow this traffic in/out.
(You'd need to read ZA help on how ZA handles working in front of another Proxy Server/firewall scenario.)

It may be the case that since ZA is a firewall and NOT a NAT Solution it needs to be told where to send the replying info that comes in from the DB Server on the Internet (i.e. which client machine on the LAN it should go to.)

We have tested Client >>(NAT)WinGate >> Internet DB Server scenarios and found that they work fine as long as the configuration is correct.

Port Stealth/cloaking can be enabled for a particular port/range at the bottom of the Port security Tab in ENS.

Sorry for the novel length reply but it should help you in getting NAT sorted.

Regards
Erwin
erwin
Qbik Staff
 
Posts: 408
Joined: Sep 03 03 2:54 pm

Postby KRIS » Jun 22 04 11:50 pm

"No Gateway or DNS entries should be listed on this interface. "


This was it! The internal gateway IP address had a gateway set up pointing to itself. D'oh!

Thanks a lot, problem solved!
KRIS
 
Posts: 12
Joined: Jun 04 04 12:03 am
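
The server-side and client-side rules from erwin's reply, and the fault KRIS confirmed in the last post, written as an added Python check (not part of the thread and not Qbik code) that parses `ipconfig /all`-style text and reports violations. The sample output, the 203.0.113.x addresses and all function names are constructed for illustration; the client rule follows erwin's version (gateway and DNS both set to the WinGate internal IP).

```python
import ipaddress
import re

# Constructed sample in the style of Windows `ipconfig /all` output (not from the thread);
# the LAN adapter's gateway points at its own address, the fault found at the end.
SERVER_IPCONFIG = """\
Ethernet adapter LAN:
   IP Address. . . . . . . . . . . . : 192.168.2.1
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . :
Ethernet adapter Internet:
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HEADER = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ]*?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Map adapter name -> {field label: value} from ipconfig-style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            current = adapters.setdefault(h.group(1), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2).strip()
    return adapters

def check_server(adapters):
    """Flag a gateway or DNS entry on the internal (RFC 1918) interface."""
    findings = []
    for name, fields in adapters.items():
        ip = fields.get("IP Address", "")
        if not ip or not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            continue  # external interface: gateway and DNS are expected there
        for key in ("Default Gateway", "DNS Servers"):
            if fields.get(key):
                note = " (points to itself)" if fields[key] == ip else ""
                findings.append(f"{name}: {key} = {fields[key]}{note}")
    return findings

def check_client(adapters, wingate_ip):
    """Flag client adapters whose gateway or DNS is not the WinGate internal IP."""
    return [f"{name}: {key} = {fields.get(key) or 'unset'}, expected {wingate_ip}"
            for name, fields in adapters.items()
            for key in ("Default Gateway", "DNS Servers")
            if fields.get(key) != wingate_ip]
```

Running `check_server(parse_adapters(SERVER_IPCONFIG))` on the sample reports the self-referencing gateway on the LAN adapter; an empty list means the internal interface matches the rule quoted in the final post.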

