
DNAT is not working for Public IP aliases

Hello All

We had a Cyberoam but it got burnt, so we decided to replace it with an XG 115.

In Cyberoam we used Virtual Hosts to map the PUBLIC IP to LOCAL, and it was working fantastically.

We tried to follow every KB and community thread we could find, even in this very community, but in vain.


What we have:

5 Public IP addresses and gateway.

IP 1 in the range is used for Browsing

IP 2, 3, 4, 5 are used for other Services hosted within the network.

We created the aliases on Port2 and ended up with:

Port2:0 IP2

Port2:1 IP3

Port2:2 IP4

Port2:3 IP5


And then we created a business rule as suggested in the following KB: Sophos XG Firewall: How to DNAT to an internal server.

And of course we tried all other possibilities, like ANY to ANY.

Note: Browsing is fine and all other options are working perfectly (to the extent of usage).

If anyone is kind enough to pinpoint something we missed, I'd appreciate that! I have 4 services down since I switched from my normal router (yeah, because the Cyberoam burnt).


Thank you in advance,



  • Tried all except the dump

    Both servers are accessible locally on the network with the firewall down and up (Windows machines).

    There is something weird with XG; when I worked with it before (installed on an HP server) it was way better!!

    I don't understand what they are trying to achieve with this turnaround!

    The attempts are not even being logged, though all rules have logging checked.

  • I honestly never have issues with DNAT right now. 

    But maybe there is something wrong with your DNAT in the current stage. If the rule is not hitting and no logging is done, most likely it does not match the traffic.

    So I would recommend performing a dump of your traffic and checking whether it is matching or not.

  • Hi Toni,

    tcpdump -i Port2 -n host 197.X.X.X3 -X -w /tmp/log.pcap -b

    Dump had only "ò?^B^@^D^@^@^@^@^@^@^@^@^@`^@^@^@^A^@^@^@"

    After trying to access the webserver from http://anonymouse.org, https://ping.eu and of course my phones and tablet with different operators.

    Note that they were working fine with Cyberoam and even I tested with standard router.

    I still don't get it! I even created a rule LAN*.*WAN WAN*.*LAN

    Sometimes I'm noticing rule 0, which does not exist, but nevertheless the IPs and connection type have nothing to do with my issue.


    Anything you can advise on would be appreciated.



  • Try the tcpdump command without logging into file.

    tcpdump -ni Port2 host 197.   


    Then Access the page via Mobile phone and check the dump.

    You can share the screenshot with us.

    Basically you should see a TCP Handshake. 

  • Sadly Nothing!

    Tried from different sources.

  • So basically there is no traffic matching those conditions. 

    Tcpdump is the "nearest" approach to the interface. In fact, XG OS (SFOS) cannot block or do anything on this level. It is Layer 1/2.


    Maybe your filters are not matching.

    Port2 is your WAN interface and the host is your WAN IP?

  • Port2 is my WAN used for browsing and VPN etc...

    Port2:2 (alias from the /29 range) is the one being used in the rule to point to the server on the LAN segment.

    I even used the Port forwarding method for RDP on the main WAN IP
    WAN RDP to Local IP RDP ... also nothing.

    Do you think changing the subnet to /32 for the aliases will help?



  • I do not think this will help.

    You should see the traffic incoming in a Dump.

    As mentioned earlier, this is the lowest level of communication. 

    If you do not see the traffic hitting on those criteria, there is something wrong in the configuration between XG and your ISP. 


    If you perform a tcpdump -ni any host IP, you should at least see something.

    If not, the traffic is not hitting XG.


    Even if you made a mistake in the interface configuration, something should be seen in this dump.


    Another issue could be the ARP communication, but I would suggest digging deeper into the scenario explained above.
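The handshake check described in the replies above (inbound SYN, outbound SYN-ACK, client ACK), as an added script that is not from the thread or from Sophos: it reads the text output of `tcpdump -n` and separates "nothing reached the interface at all" from "the SYN reached XG but nothing answered it", which is the DNAT-rule case. The sample capture is constructed; 203.0.113.3 stands in for the redacted public alias 197.X.X.X3 and the 198.51.100.x addresses are made-up outside clients.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -ni Port2 host 203.0.113.3` output for this example (not a capture
# from the poster's XG); 203.0.113.3 stands in for the redacted alias 197.X.X.X3.
SAMPLE_DUMP = """\
10:15:01.000123 IP 198.51.100.7.52311 > 203.0.113.3.443: Flags [S], seq 100, win 64240, length 0
10:15:01.000456 IP 203.0.113.3.443 > 198.51.100.7.52311: Flags [S.], seq 200, ack 101, win 65160, length 0
10:15:01.010000 IP 198.51.100.7.52311 > 203.0.113.3.443: Flags [.], ack 201, win 502, length 0
10:15:03.000000 IP 198.51.100.9.40000 > 203.0.113.3.80: Flags [S], seq 5, win 64240, length 0
10:15:04.000000 IP 198.51.100.9.40000 > 203.0.113.3.80: Flags [S], seq 5, win 64240, length 0
"""

# Address, port and TCP flag fields of a `tcpdump -n` line (IPv4 TCP only).
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def handshake_states(dump_text, public_ip):
    """Map each client flow (client_ip, client_port, service_port) aimed at public_ip to
    'complete', 'no-synack' (SYN hit the interface, nothing answered: suspect the DNAT/
    firewall rule or the server) or 'synack-no-ack' (asymmetric return path)."""
    seen = defaultdict(set)
    for line in dump_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == public_ip and flags == "S":          # inbound SYN from a client
            seen[(src, int(sport), int(dport))].add("syn")
        elif src == public_ip and flags == "S.":       # SYN-ACK going back out
            seen[(dst, int(dport), int(sport))].add("synack")
        elif dst == public_ip and flags == ".":        # client's ACK (or later pure ACKs)
            seen[(src, int(sport), int(dport))].add("ack")
    states = {}
    for flow, parts in seen.items():
        if {"syn", "synack", "ack"} <= parts:
            states[flow] = "complete"
        else:
            states[flow] = "synack-no-ack" if "synack" in parts else "no-synack"
    return states

def diagnose(dump_text, public_ip):
    """One-line verdict following the reasoning in the replies above."""
    states = handshake_states(dump_text, public_ip)
    if not states:
        return "no packets for %s on the interface: traffic is not reaching XG" % public_ip
    stalled = sorted(f for f, s in states.items() if s != "complete")
    if not stalled:
        return "all %d flow(s) completed the TCP handshake" % len(states)
    return "%d of %d flow(s) reached XG but never completed: %s" % (len(stalled), len(states), stalled)
```

Feed it the output of `tcpdump -ni Port2 host <alias IP>` (or `-ni any` to rule out a wrong interface, as suggested above); an empty result means the problem is upstream of XG, a `no-synack` flow means the packets arrive and the rule or server is the place to look.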

  • I would look into the ARP communication as well. I had a similar issue with my deployment where the modem, and actually the switches internally, did not clear out the MAC address of the old firewall, so the IPs matched up but didn't get through the modem due to the MAC address; once I figured that out, I had the same issue with the switches.


    Might not be the same case here, but I figured I would share just in case.

  • Thank you for your reply, Badrobot. It's a fresh installation; the ARP is clean.

  • Hi Toni,


    I had to configure another WAN with another gateway on Port4 to bring the server up, and it's working perfectly.

    None of the NAT is working, even when setting a port forwarding rule, except when it's configured on another port, of which there are only 4 - LAN.


    I'm really disappointed with this firewall and how XG has turned out.