Port Forwarding not working

Hi,

you are missing something. Please search the XG forums for a similar request regarding FTP and SSH.

Ian

If anyone has any idea about what I'm missing, then please feel free to mention it.

Tried all sorts of setting changes and all testing fails.

Checked the XG forums, nothing new there.

https://community.sophos.com/products/xg-firewall/f/network-and-routing/74212/basic-port-forwarding-setup---how-to

Am feeling a bit frustrated that simple port forwarding can actually be so difficult on this platform.

You need to review your destination network. If you look at the XG ssh definition you will find it is meant for outgoing not incoming so you will need to create your own definition for incoming.

Ian

Thank you for your reply, Ian.

This is just a simple port forward - ultimately I wanted to test remote SFTP capability, but port checking on any rule made thus far is showing as Closed.

No offense to anyone (I do appreciate the responses), but we may have to look at a different solution.

We simply cannot afford spending 6+ hours on making a simple port-forward operational.

Thanks again - and best of luck to this project.  

SSH in XG is definied as a TCP/UDP Port services. 

So basically you should start with a new Service, TCP only Port 22. 

If this does not work, try to get a tcpdump and check, who is causing this issue. 

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

You would easily see, what is going on. 

There can be different issues:

XG does not forward, Server does not accept the traffic, no Traffic is reaching XG etc. 

So now it's become some sort of personal challenge to get any kind of port-forwarding working on this product.  Rest of the team has already moved on, unfortunately.  But I like to resolve things.

Just FYI, I had created a new Service, (TCP only Port 22) after reading that multiple protocols don't work (e.g. TCP/UDP) in the same rule.  Still failed using that specific TCP port 22 rule.

So I've given up on port 22, and am moving directly to SFTP port 115 - to see if we can somehow get any specific, user-defined port to work.

Already set up SFTP port 115 on the Synology, and confirmed it's waiting for forwarded packets.  None are getting through XG.

I've performed a TCP dump using the prescribed directions here (thank you, btw):

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

Used tcpdump -ni any host {internal WAN port} and port 115 - 0 packets.

External port forwarding testing still shows 115 as Closed.

It looks like either they're getting dropped before ever reaching XG, or XG is dropping them out of hand.  I've since verified that packets are making it to the XG, so...

Disabled ALL IDS/Spoofing/Scanning options (which is disappointing, as these were some of the attractive features that let us test the product.)

Port still closed, no packets collected/logged.

Any other suggestions?

So you performed a tcpdump on internal Port? 

You should perform a tcpdump -ni WANPort port 115 and check, if something is incoming or not. 

If you see something in tcpdump on WAN Port, then replace WANPort with ANY and check if XG is "consuming" those packets without forwarding. 

Then perform a 'drppkt | grep 115' and check, if you see actually some blocks. 

So you performed a tcpdump on internal Port? 

You should perform a tcpdump -ni WANPort port 115 and check, if something is incoming or not. 

If you see something in tcpdump on WAN Port, then replace WANPort with ANY and check if XG is "consuming" those packets without forwarding. 

Then perform a 'drppkt | grep 115' and check, if you see actually some blocks. 

Fixed.

First, I'd like to thank you guys for your patience - I was wondering why 0 packets were being captured, and why external portscan results were filtered, which led me up the chain.

Apparently my ISP has been doing me a "favor" by automatically filtering traffic - this has since been resolved.

Firewall rules work as intended now, and I can finally start diving into more advanced features.

With the root cause out of the way, I'm going to try and bring the Sophos solution back into focus with my team.

Thanks again!