
Port Forwarding not working

Trying to set up basic port 22 forwarding to a Synology NAS unit, and unfortunately not having any luck.

Basic info:

Port #2 is the WAN of course, Protected server is the hostname/IP (172.17.1.25) of the Synology NAS.  Mapped port is blank - won't accept any input, since I'm using the designated SSH service above.

Advanced:

Tried with/without MASQ, port 22 still shows as Closed to external attempts.

Do I have to do something else somewhere in order for the firewall rule to work, or am I missing something?



  • Thank you for your reply, Ian.

     

    This is just a simple port forward - ultimately I wanted to test remote SFTP capability, but port checking on any rule made thus far is showing as Closed.

    No offense to anyone (I do appreciate the responses), but we may have to look at a different solution.

    We simply cannot afford spending 6+ hours on making a simple port-forward operational.

    Thanks again - and best of luck to this project.  

  • SSH in XG is defined as a TCP/UDP port service.

    So basically you should start with a new Service, TCP only, Port 22.

    If this does not work, try to get a tcpdump and check who is causing this issue.

     

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

    You would easily see what is going on.

    There can be different issues:

    XG does not forward, the server does not accept the traffic, no traffic is reaching XG, etc.

     

  • So now it's become some sort of personal challenge to get any kind of port-forwarding working on this product.  Rest of the team has already moved on, unfortunately.  But I like to resolve things.

    Just FYI, I had created a new Service, (TCP only Port 22) after reading that multiple protocols don't work (e.g. TCP/UDP) in the same rule.  Still failed using that specific TCP port 22 rule.

    So I've given up on port 22, and am moving directly to SFTP port 115 - to see if we can somehow get any specific, user-defined port to work.

     

    Already set up SFTP port 115 on the Synology, and confirmed it's waiting for forwarded packets.  None are getting through XG.

    I've performed a TCP dump using the prescribed directions here (thank you, btw):

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

    Used tcpdump -ni any host {internal WAN port} and port 115 - 0 packets.

    External port forwarding testing still shows 115 as Closed.

    It looks like either they're getting dropped before ever reaching XG, or XG is dropping them out of hand.  I've since verified that packets are making it to the XG, so...

    Disabled ALL IDS/Spoofing/Scanning options (which is disappointing, as these were some of the attractive features that let us test the product.)

    Port still closed, no packets collected/logged.

    Any other suggestions?

     

  • So you performed a tcpdump on the internal port?

    You should perform a tcpdump -ni WANPort port 115 and check if something is incoming or not.

    If you see something in tcpdump on the WAN port, then replace WANPort with ANY and check if XG is "consuming" those packets without forwarding.

    Then perform a 'drppkt | grep 115' and check if you actually see some blocks.
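
The capture sequence suggested in the replies above (WAN port first, then all interfaces) can be turned into a small classifier, shown here as an added example that is not part of the original thread. It assumes standard `tcpdump -n` TCP line format; the function names, the client address 203.0.113.7, the WAN address 198.51.100.2 and the sample capture lines are constructed for illustration.

```python
import re

# Matches the address part of a `tcpdump -n` TCP line; any interface or
# direction prefix printed before "IP" (as with `-i any`) is ignored.
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def parse(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line in the text."""
    for line in capture.splitlines():
        m = PKT.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def locate_drop(wan_capture, any_capture, server_ip, port):
    """Return where the forward stops: upstream, firewall, server or ok."""
    wan_syns = [p for p in parse(wan_capture) if p[3] == port and p[4] == "S"]
    if not wan_syns:
        return "upstream"   # nothing reaches the WAN port at all
    pkts = list(parse(any_capture))
    forwarded = [p for p in pkts
                 if p[2] == server_ip and p[3] == port and p[4] == "S"]
    if not forwarded:
        return "firewall"   # SYN arrives but is never sent on to the server
    # A SYN-ACK from the server means the DNAT rule and the service both work;
    # silence or a reset means the server side is refusing the connection.
    answered = [p for p in pkts
                if p[0] == server_ip and p[1] == port and p[4] == "S."]
    return "ok" if answered else "server"

# Constructed sample captures (not taken from the thread).
WAN_SEEN = ("12:00:01.000001 IP 203.0.113.7.51234 > 198.51.100.2.115: "
            "Flags [S], seq 1, win 64240, length 0\n")
ANY_FORWARDED = WAN_SEEN + ("12:00:01.000090 IP 203.0.113.7.51234 > "
                            "172.17.1.25.115: Flags [S], seq 1, win 64240, length 0\n")
ANY_ANSWERED = ANY_FORWARDED + ("12:00:01.000400 IP 172.17.1.25.115 > "
                                "203.0.113.7.51234: Flags [S.], seq 9, ack 2, "
                                "win 65160, length 0\n")

if __name__ == "__main__":
    for wan, anyif in [("", ""), (WAN_SEEN, WAN_SEEN),
                       (WAN_SEEN, ANY_FORWARDED), (WAN_SEEN, ANY_ANSWERED)]:
        print(locate_drop(wan, anyif, "172.17.1.25", 115))
```

An "upstream" result means the WAN capture is empty, so the firewall rule is not the place to look; a "firewall" result is the case where the drop log is worth checking.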

  • Fixed.

    First, I'd like to thank you guys for your patience - I was wondering why 0 packets were being captured, and why external portscan results were filtered, which led me up the chain.

    Apparently my ISP has been doing me a "favor" by automatically filtering traffic - this has since been resolved.

    Firewall rules work as intended now, and I can finally start diving into more advanced features.

    With the root cause out of the way, I'm going to try and bring the Sophos solution back into focus with my team.

    Thanks again!