Customized port forwarding doesn't work

Hi, my name is Kevin. I have installed the latest version of Sophos XG (SFOS 17.0.6 MR-6) and port forwarding doesn't work.
I have configured a customized port forwarding from WAN port 667 to LAN port 443, but it doesn't work.
I have followed the DNAT/Full NAT/Load Balancing online tutorial https://community.sophos.com/kb/en-us/122976#what%20to%20do

but the connection is refused.

If I delete the customized service and instead use the generic HTTPS service (with all ports open, 1:65535) it works, but I don't want to open all ports, only those I need.

Where is the error?

Thanks a lot

  •  Hi,

    you need to use 1:65535 as the source port, and your port as the destination, when creating the service.

    In fact you don't need to create a specific service.

    Then in the DNAT rule you can indicate the accessed port and the destination port.

    Destination & service: WAN ethernet port (port 2 from your example), port 667

    Protected server: main NAS, port 443


  • Sorry, but I don't understand...

    I don't understand where I can put port 667 if it is not necessary to create a service, and why I should use the range 1:65535 if I want to use only one incoming port.

    Probably my software version is different from that of the tutorials.

    I have 10 single ports to forward like this: 1 port in (WAN) ==> 1 port out (LAN).

    I come from ClearOS before and then Fortinet, where this kind of rule is very easy to set up; now I'm in trouble with this OS.

    Thanks for replying

  • Hi dominusdj,

    It would seem you may need to retrace the traffic flow. The rule that you have configured is correct, i.e. the source port of the traffic is 667:TCP and the destination port is 443:TCP.

    If the traffic came from a different source, the traffic will not be forwarded.

    Simply check on the console via SSH.

    command > tcpdump 'port 443 and host <Traffic initiated WAN address>'

    If the source port is exactly the same then it will be forwarded.

    Under normal circumstances the source port is variable.

  • Thanks a lot, I figured I had done the right configuration; the interface is quite simple.
    I did what you asked me, I hope I did it right.
    I do not know the addresses that I have obscured.

    P.S.: the forwarding to the various servers has always worked for me with a simple port configuration, TCP WAN ==> TCP LAN.
    Now I wanted to try Sophos for a possible firewall change and I can no longer access it from outside.

    Is it right?

    Thanks a lot

  • Hi dominusdj,

    Based on the traffic, the source port is 48505 for the first transaction and 52431 for another transaction. This changes each time a new session is connecting/established.

    If you wish to deny access to your HTTPS connection to your internal server, we have options to add Allowed Hosts which would help you configure them accordingly.

    In other words, due to the nature of the traffic, the source port cannot be set so that it specifically falls under the service you have configured. So the configuration for the source port would be * or 1:65535 and the destination port would be 443 TCP.

  • Thanks Aditya Patel for the reply, but this thing is incomprehensible: who gives the order to establish the initial connection on those two ports? Can't this option be disabled?
    Now I have disabled the HTTPS connection from the LAN but the problem remains. However, if desired, I can change the LAN port of this server.
    Other servers with other ports (not 443) on the LAN have the same problem: I can't connect to them from the WAN.
    Thanks a lot

    P.S.: First you said that under normal circumstances the port is variable, so if you have 20 different servers how do you redirect the traffic? Should you keep all the ports open?
    In the setups I know, every server has an open port on the WAN that is redirected to the right address by the firewall.

    So just keep the necessary ports open.

    For example:
    https://xyz.com:666

    on the WAN

    is managed by the firewall and diverted to the LAN:
    https://192.168.1.1:443

  • Hi dominusdj,

    If that is the scenario you wish to have, a customized port, then you may try this option:

    https://xyz.com:666 > WAN > LAN > Server https://192.168.3.2:443

    For this, you may create a Custom Service:

    TCP > Source 1:65535, Destination: 666

    Create a Firewall rule: DNAT/Full NAT/Load Balancing

    Source: WAN, Allowed Client Networks (specify or ANY), Blocked Client Networks (if any).

    Destination Host Network > LAN PORT connected to Server

    Service > Custom Service

    Forward to Protected Servers > specify the IP address of the server, i.e. 192.168.3.2

    Enable Change Destination Ports to TCP:443

    Protected Zone > Server / interface zone

    Apply IPS (recommended)

    Routing

    Rewrite source address (Masquerading)

    Save.

    Let me know if that is what you are looking for...
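    The point the thread keeps circling, in code. This is an added example, not code from the thread, from Sophos, or from the Sophos XG product: it simulates how a Sophos-style TCP service (a source port range plus a destination port) is matched against inbound connection attempts, then applies a DNAT rule to the matches. It shows why a service that pins the client's source port (the poster's "from 667 to 443" shape) never forwards anything, because clients pick an ephemeral source port per connection, while "source 1:65535, destination 666, change destination port to TCP:443" forwards every connection to the protected server on 443. The tcpdump lines, client addresses, the WAN address 198.51.100.2 and the port numbers are constructed for the example; 192.168.3.2 is the server address from the post above. The parser and the matcher are my own simplified model, not the firewall's implementation.

```python
# Added example (not from the Sophos thread or from Sophos): a small model of
# matching a "source port range + destination port" TCP service against inbound
# SYNs and applying a DNAT rule to the matches. All data below is constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed lines in the style of `tcpdump -n` on the firewall's WAN side.
# tcpdump prints each endpoint as ADDRESS.PORT; note the client ports vary.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 203.0.113.5.48505 > 198.51.100.2.666: Flags [S], seq 1, win 64240, length 0
12:00:01.000523 IP 198.51.100.2.666 > 203.0.113.5.48505: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:07.120000 IP 203.0.113.5.52431 > 198.51.100.2.666: Flags [S], seq 9, win 64240, length 0
12:00:09.330000 IP 192.0.2.77.60112 > 198.51.100.2.666: Flags [S], seq 3, win 64240, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_syns(text: str) -> List[Packet]:
    """Return the inbound connection attempts (pure SYN, flags == 'S') as 4-tuples."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("flags") == "S":
            pkts.append(Packet(m.group("src"), int(m.group("sport")),
                               m.group("dst"), int(m.group("dport"))))
    return pkts


@dataclass(frozen=True)
class Service:
    """A TCP service as the thread describes it: source port range + destination port."""
    sport_lo: int
    sport_hi: int
    dport: int

    def matches(self, p: Packet) -> bool:
        return self.sport_lo <= p.sport <= self.sport_hi and p.dport == self.dport


@dataclass(frozen=True)
class DnatRule:
    """DNAT rule: traffic matching the service goes to protected_server:new_dport."""
    service: Service
    protected_server: str
    new_dport: int

    def apply(self, p: Packet) -> Optional[Packet]:
        if not self.service.matches(p):
            return None  # no service match: the SYN is not forwarded at all
        return Packet(p.src, p.sport, self.protected_server, self.new_dport)


# The original poster's service shape (source pinned to the public port,
# destination set to the LAN port), using the 666 from the thread's later example.
AS_POSTED = DnatRule(Service(666, 666, 443), "192.168.3.2", 443)
# Destination corrected, but the client's source port still pinned: also fails.
PINNED_SOURCE = DnatRule(Service(666, 666, 666), "192.168.3.2", 443)
# The working configuration from the thread: any source port, destination 666,
# "Change Destination Ports" to TCP:443 on the protected server.
WORKING = DnatRule(Service(1, 65535, 666), "192.168.3.2", 443)


def client_source_ports(text: str = SAMPLE_TCPDUMP) -> List[int]:
    """The ephemeral ports the clients chose; these are what 1:65535 must cover."""
    return [p.sport for p in parse_syns(text)]


def forwarded(rule: DnatRule, text: str = SAMPLE_TCPDUMP) -> List[Packet]:
    """Connection attempts the rule would translate and forward."""
    out = []
    for p in parse_syns(text):
        translated = rule.apply(p)
        if translated is not None:
            out.append(translated)
    return out


if __name__ == "__main__":
    print("client source ports:", client_source_ports())
    for name, rule in (("as posted", AS_POSTED), ("pinned source", PINNED_SOURCE),
                       ("working", WORKING)):
        print(f"{name:14s} forwards {len(forwarded(rule))} of "
              f"{len(parse_syns(SAMPLE_TCPDUMP))} connection attempts")
```

    Run stand-alone it prints the three client source ports and a forward count of 0, 0 and 3 for the three rules. The 1:65535 range only describes which client source ports are accepted; the only public port that any of these rules answers on is the service's destination port (666 here), which is the question the poster asks further down the thread.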

  • Hi Aditya Patel, great!!! It works!!! From your tutorial I have modified only "Destination Host Network > LAN PORT connected to Server" to "Destination Host Network > WAN PORT connected to Server".

    Now I can connect to my servers from outside (WAN).

    I don't know what IPS is... are the other configurations in the screenshot ok?

    I am very worried about security: with "1:65535" are all ports open? Or is it only a formality, and the only open external port is 666?

     

  • Hi dominusdj,

    It is usually a formality to allow source port 1:65535, as explained earlier. The packet contains 4 elements which need to be considered:

    1. Source address 2. Source port 3. Destination address 4. Destination port.

    3 of them are known to a user, i.e. 1, 3 & 4. The source port uses an ephemeral port, which is a range of private ports, is random in nature and is determined by the operating system. You can change the range if you wish, but that is a system-based configuration which is not recommended.

    We have provided this option to allow the user to set the range needed.

    As for IPS, the policy is used to prevent attacks from unknowns, as it is signature-based detection.