
Port Forwarding works when from WAN, but not from LAN Zone.

Hi everyone, I just need some help regarding port forwarding. We have a new payroll system that needs to access our attendance terminals from all our branches. The system can access the attendance terminals from our other branches (WAN, which means the port forwarding from WAN to LAN works), except the terminals inside our private network (LAN).

The new system cannot access the local attendance terminals using the private IP but instead needs to go through the public interface to be forwarded to the Attendance terminal.

I created this business application rule, but I think I'm missing something.

  • Hi Noel,

    If the server is inside the LAN, traffic does not go through the XG unless you have VLANs or networks managed by the XG. If this is the case, create another firewall rule FROM the zone where the PCs are located TO the zone where the server is located. If you are accessing the server via IP, make sure that the proper A record exists in the DNS forwarding zone.

    Regards

  • Hi Luk,

    Thank you for the response. Unfortunately, the client system can't communicate with the local attendance terminal through LAN but instead still needs to go through the public IP of our Sophos Appliance (WAN Port) just to be forwarded to the attendance terminal.

    Regarding this "If you are accessing the server via IP, make sure that the proper record A exists in the dns forwarding zone." can you please explain this a bit further? How can I set up a DNS record wherein a packet coming from the LAN that has a Destination IP that matches the public interface of our Sophos Appliance and destination port 4370 can be forwarded to the local attendance terminal?

  • Hi Noel,

    If this is the case, remove LAN and WAN from the source zone and put ANY. In this way, the DNAT will work.

    For the A record, it is very easy. You can create inside your network a forwarding zone like "test.local" for your domain name and "test.it" for services that are local; instead of going out to the internet, internal clients are able to reach www.test.it using the LAN IP instead of leaving the network and increasing the time, responses and traffic.

    Regards

  • Hi Luk,

    Thank you for the assistance. Can't wait to try this tomorrow :)

    I'll let you know if this works.

    Regards,

    Noel

  • Hi Luk,

    Changing the Source Zone from WAN/LAN to ANY didn't fix the problem, but I found the solution.

    I created a new rule (in addition to the previous rule I created) with Source Zone set as LAN; everything else is mostly the same, except that I enabled Masquerade.

    Here's the screenshot.

    Our client system can now access the attendance terminals both from our other branches (WAN) and our local terminals (LAN). Thanks for the tip mate, I just needed somewhere to start troubleshooting.

    Regards,

    Noel
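The reason Noel's LAN rule only worked once Masquerade was enabled is the classic hairpin NAT (NAT reflection) problem. The following simulation is an added example, not code from the thread or from Sophos: it models a minimal stateful NAT box with one DNAT rule and walks the same packet through it with and without source NAT. All addresses (192.168.1.0/24, 203.0.113.10, 192.168.1.50, 192.168.1.20) and the client port are constructed sample values; only port 4370 comes from the thread. Without masquerade the terminal sees the client's real LAN address, answers it directly over the local subnet, and the firewall never gets to undo the DNAT, so the client receives a reply from an address it never connected to and drops it.

```python
"""Hairpin NAT simulation: why a LAN-to-public-IP port forward needs
DNAT *and* source NAT (masquerade) when client and server share a subnet.
All addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.1.0/24")   # constructed LAN
FW_LAN_IP = "192.168.1.1"                # constructed firewall LAN address
FW_WAN_IP = "203.0.113.10"               # constructed public address (TEST-NET-3)
TERMINAL_IP = "192.168.1.50"             # constructed attendance terminal
CLIENT_IP = "192.168.1.20"               # constructed payroll client
SERVICE_PORT = 4370                      # port from the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """The packet a host sends back: addresses and ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class Firewall:
    """Minimal stateful NAT box: one DNAT rule (public:4370 -> terminal:4370),
    optional masquerade of the source address on the same rule."""

    def __init__(self, masquerade: bool):
        self.masquerade = masquerade
        # conntrack: (server_ip, server_port, nat_src_ip, nat_src_port) -> original packet
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        """Packet aimed at the public IP: apply DNAT, then SNAT if masquerading."""
        assert pkt.dst_ip == FW_WAN_IP and pkt.dst_port == SERVICE_PORT
        src_ip = FW_LAN_IP if self.masquerade else pkt.src_ip
        out = Packet(src_ip, pkt.src_port, TERMINAL_IP, SERVICE_PORT)
        self.conntrack[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Reply from the terminal that reached the firewall: undo the translation."""
        key = (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port)
        original = self.conntrack.get(key)
        return None if original is None else original.reply()


def hairpin_flow(masquerade: bool) -> dict:
    """Run one request/reply exchange and report whether the client accepts it."""
    fw = Firewall(masquerade)
    client_port = 51000  # constructed ephemeral port
    request = Packet(CLIENT_IP, client_port, FW_WAN_IP, SERVICE_PORT)
    expected = request.reply()  # the only 4-tuple the client's socket will accept

    # The client's default route leads to the firewall, which translates the packet.
    translated = fw.forward(request)
    # The terminal answers whatever source address it saw on the wire.
    reply = translated.reply()

    if ip_address(reply.dst_ip) in LAN_NET and reply.dst_ip != FW_LAN_IP:
        # Same-subnet destination: delivered directly at layer 2, bypassing the
        # firewall, so the DNAT is never reversed.
        delivered = reply
        path = "terminal -> client (direct, firewall bypassed)"
    else:
        delivered = fw.reverse(reply)
        path = "terminal -> firewall -> client"

    return {
        "accepted": delivered == expected,
        "path": path,
        "client_sees_from": f"{delivered.src_ip}:{delivered.src_port}",
    }


if __name__ == "__main__":
    for masq in (False, True):
        result = hairpin_flow(masq)
        print(f"masquerade={masq}: accepted={result['accepted']}, "
              f"path={result['path']}, reply from {result['client_sees_from']}")
```

With masquerade the terminal only ever sees the firewall's LAN address, so every reply passes back through the conntrack entry and the client receives it from 203.0.113.10:4370 as expected. The cost is that the terminal's logs show the firewall, not the real client, as the source; the alternative Luk describes (an internal A record resolving the service name to the terminal's LAN IP) avoids the hairpin entirely and preserves the real source address, but only if the payroll system addresses the terminals by name rather than by the public IP.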