Routing from WAN to LAN - Some help needed

Hello Jimmy Le man

  If you want to forward traffic coming on WAN interface to  your LAN system you need to create Business rule and note a Usee/Network Rule.

Kindly refer How to DNAT to internal server

Cheers, Good Luck!!!

Regards,Ronak.

Hello guys, thanks for the replies.

But I'm a bit confused now, I did all of the above, but its not working. 
Is it because I didn't create a "route" to the internal server?

Hi Jimmy Le man

You are using sophos XG as gateway or bridge mode?  Also share the screenshot of you XG network interfaced details and are you trying to access server from LAN, WAN or both?

Regards, Ronak.

As a gateway. Don't be fooled by the 192.168.0.107 WAN IP. Its normal because of the providers modem/router device.

I'm trying the access it from the WAN on the LAN.

The goal is to access my media servers (again) to stream my personal music on my phone and access my Nextcloud database.

Try this:

Verify if the traffic is actually hitting the firewall by SSHing to the backend and selecting Option 5 > 3 to go to Advanced Shell.

Run tcpdump -i Port2 port <Subsonic Port>

While this is running, try accessing the service externally and see if there are packets flowing. If you could show a screenshot, that would be great.

Hello Jimmy Le man,

That is fine to have a private IP on the WAN interface. Your business rule is incorrect.

1. Go to Host and Service > Service and add a service with source port "1:65535" and destination port "1994" "35665" " 35666" and "35661"
2. Go to Firewall and create a business rule as following
   • Source Zone: WAN / LAN
   • Allowed Client Network: Any
   • Destination Port: #Port2-192.168.0.107 from the dropdown
   • Service: Select the above service
   • Protected Server: Server to which you want to forward your traffic
   • protected Zone: LAN
   • Change Destination Port: disable
   • Rewrite source address (Masquerading): disable, if not working enable it.

Good Luck!!!

Regards, Ronak.

Hello Jimmy Le man,

That is fine to have a private IP on the WAN interface. Your business rule is incorrect.

1. Go to Host and Service > Service and add a service with source port "1:65535" and destination port "1994" "35665" " 35666" and "35661"
2. Go to Firewall and create a business rule as following
   • Source Zone: WAN / LAN
   • Allowed Client Network: Any
   • Destination Port: #Port2-192.168.0.107 from the dropdown
   • Service: Select the above service
   • Protected Server: Server to which you want to forward your traffic
   • protected Zone: LAN
   • Change Destination Port: disable
   • Rewrite source address (Masquerading): disable, if not working enable it.

Good Luck!!!

Regards, Ronak.

Hello Ronak,

I tried that and changed a few other things as well, but its not working, so I'm giving up.

I really appreciate your time and help, and the help of this awesome community! But I just don't have the time anymore to figure everything out. I wanted something easy to configure so i can continue with my other tasks (my LPIC exams) but apparently my Firewall knowledge is to limited.
In my professional life I mainly use Fortinet and Barracuda, so its probably best for me to stick with these brands for now until I gather more time and knowledge to dive into a new platform.

Thanks again,
Jimmy