
Port Forwarding not working

Trying to set up a basic port 22 forwarding to a Synology NAS unit, and unfortunately not having any luck.

Basic info:

Port #2 is the WAN of course, Protected server is the hostname/IP (172.17.1.25) of the Synology NAS.  Mapped port is blank - won't accept any input, since I'm using the designated SSH service above.

Advanced:

Tried with/without MASQ, port 22 still shows as Closed to external attempts.

Do I have to do something else somewhere in order for the firewall rule to work, or am I missing something?



  • So now it's become some sort of personal challenge to get any kind of port-forwarding working on this product.  Rest of the team has already moved on, unfortunately.  But I like to resolve things.

    Just FYI, I had created a new Service, (TCP only Port 22) after reading that multiple protocols don't work (e.g. TCP/UDP) in the same rule.  Still failed using that specific TCP port 22 rule.

    So I've given up on port 22, and am moving directly to SFTP port 115 - to see if we can somehow get any specific, user-defined port to work.

     

    Already set up SFTP port 115 on the Synology, and confirmed it's waiting for forwarded packets.  None are getting through XG.

    I've performed a TCP dump using the prescribed directions here (thank you, btw):

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

    Used tcpdump -ni any host {internal WAN port} and port 115 - 0 packets.

    External port forwarding testing still shows 115 as Closed.

    It looks like either they're getting dropped before ever reaching XG, or XG is dropping them out of hand.  I've since verified that packets are making it to the XG, so...

    Disabled ALL IDS/Spoofing/Scanning options (which is disappointing, as these were some of the attractive features that let us test the product.)

    Port still closed, no packets collected/logged.

    Any other suggestions?

     

  • So you performed a tcpdump on internal Port?

    You should perform a tcpdump -ni WANPort port 115 and check if something is incoming or not.

    If you see something in tcpdump on WAN Port, then replace WANPort with ANY and check if XG is "consuming" those packets without forwarding.

    Then perform a 'drppkt | grep 115' and check if you actually see some blocks.

  • Fixed.

    First, I'd like to thank you guys for your patience - I was wondering why 0 packets were being captured, and why external portscan results were filtered, which led me up the chain.

    Apparently my ISP has been doing me a "favor" by automatically filtering traffic - this has since been resolved.

    Firewall rules work as intended now, and I can finally start diving into more advanced features.

    With the root cause out of the way, I'm going to try and bring the Sophos solution back into focus with my team.

    Thanks again!
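
The checks suggested in this thread (external port test, capture on the WAN port, capture on any interface, drppkt) can be read as one decision tree. The sketch below is an added example, not part of any post in the thread; the function names, the result labels and the 203.0.113.10 placeholder address are assumptions made for illustration.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one external TCP connect attempt to the forwarded port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"    # a RST came back, so some device on the path answered
    except OSError:
        return "filtered"  # timeout or ICMP unreachable: dropped without a RST

def locate_drop(state, wan_pkts, fwd_pkts, drop_hits):
    """Map the thread's checks to the hop that loses the traffic.

    state     -- probe() result, run from outside the network
    wan_pkts  -- packets seen by 'tcpdump -ni WANPort port N'
    fwd_pkts  -- packets toward the protected server seen with '-ni any'
    drop_hits -- matching lines from 'drppkt | grep N'
    """
    if state == "open":
        return "working"
    if wan_pkts == 0:
        return "upstream"             # never reaches the firewall (ISP, modem)
    if drop_hits > 0:
        return "firewall-drop"        # firewall logs a block: fix the rule
    if fwd_pkts == 0:
        return "firewall-no-forward"  # arrives on WAN but is not forwarded
    return "server"                   # forwarded: check the service itself

if __name__ == "__main__":
    # Placeholder address from the documentation range, not from the thread.
    state = probe("203.0.113.10", 115)
    # Counts are constructed to match the thread's outcome (0 packets captured).
    print(state, locate_drop(state, wan_pkts=0, fwd_pkts=0, drop_hits=0))
```

With zero packets on the WAN capture, the result is "upstream" regardless of the firewall rule, which matches the ISP filtering found here.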