XG 550 v18.0.1 MR-1-Build396

Hello Sophos Community,

I am experiencing the following problem:

I am trying to configure the firewall in a way that it forwards a lot of requests unfiltered to two CMTS devices via static routing.

The CMTS devices are directly connected to the Sophos and have their own zone.

The CMTS devices have the IP addresses 10.3.0.2 and 10.4.0.2 respectively.

Any traffic that has one of the several networks handled by the CMTS devices as a destination is supposed to get routed directly to them via static routing.

There is also a static routing of two external IP addresses to an internal XG Firewall behind the Lan interface, providing internet to the actual internal network, which works fine.

Last night I tested the connections and got the expected amount of incoming requests, but the firewall log always showed that the default drop Rule 0 was chosen with the note "Could not associate packet to any connection".

I did experiment a bit with several firewall rules, but none seemed to get used:

One that specified the destination IP as one of the ones that should get routed to the CMTS devices

One that specified the destination IP as one of the two of the actual CMTS devices

And one that specified the destination zone as the CMTS zone

I even tried a complete wildcard rule ("any" in every possible specification) and still the firewall log showed the traffic as dropped with the same note.

All of these rules had all security features deactivated.

Right now the same setup runs on an old Sophos UTM that is to be replaced by this XG Firewall.

Do you have any advice on how to proceed further?
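An added illustration (not Sophos code, and a simplification of any real connection-tracking implementation): a toy stateful filter showing why a packet that belongs to no tracked connection is dropped by the implicit Rule 0 before any configured rule, even a wildcard one, is evaluated. The WAN addresses 203.0.113.x are constructed test values, and that XG's log note corresponds exactly to this invalid-state path is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}


class StatefulFilter:
    """Toy stateful packet filter (illustration, not XG code).
    Configured rules are consulted only for the packet that opens a new
    connection; later packets are matched against the connection table.
    A TCP packet that is neither a SYN nor part of a tracked connection is
    treated as invalid and dropped by the implicit Rule 0 before any rule
    is read, so even an any/any rule never sees it."""

    def __init__(self, rules):
        self.rules = rules          # list of (name, match_fn, action)
        self.conntrack = set()      # (proto, {a, b}) keys, direction-agnostic
        self.log = []

    def _key(self, p):
        return (p.proto, frozenset({p.src, p.dst}))

    def process(self, p):
        if self._key(p) in self.conntrack:
            return "ACCEPT(existing)"
        if p.proto == "tcp" and "SYN" not in p.flags:
            self.log.append(f"Rule 0 DROP {p.src}->{p.dst}: "
                            "could not associate packet to any connection")
            return "DROP(invalid)"
        for name, match, action in self.rules:
            if match(p):
                if action == "ACCEPT":
                    self.conntrack.add(self._key(p))   # remember the flow
                self.log.append(f"Rule {name} {action} {p.src}->{p.dst}")
                return f"{action}({name})"
        self.log.append(f"Rule 0 DROP {p.src}->{p.dst}: no rule matched")
        return "DROP(rule0)"


def demo():
    """Constructed traffic: 203.0.113.5 opens a flow to the CMTS at 10.3.0.2;
    203.0.113.9 arrives mid-stream (e.g. its SYN took another path)."""
    fw = StatefulFilter([("any-any", lambda p: True, "ACCEPT")])
    syn = Packet("203.0.113.5", "10.3.0.2", flags=frozenset({"SYN"}))
    ack = Packet("203.0.113.5", "10.3.0.2", flags=frozenset({"ACK"}))
    stray = Packet("203.0.113.9", "10.3.0.2", flags=frozenset({"ACK"}))
    return [fw.process(syn), fw.process(ack), fw.process(stray)], fw.log
```

The third outcome is the case in the log above: the wildcard rule is never consulted because the packet matched no existing connection and could not open one.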



This thread was automatically locked due to age.
  • Hi,

    are these devices for use internally only or are there external users?

    Further you do not appear to a have nat rule.

    Ian

  • Hello,

    the devices are for external use only.

    The devices are also configured to process traffic with any of the destination IPs that are supposed to get routed to them. Hence I believe no NAT rule should be necessary.

  • Hi Alexander,

    if there is only one source, e.g. one WAN link, you do not need routing but either a WAF rule or your existing rule with a NAT.

    Ian

  • Hi Ian,

    there are two WAN links.

    Also, the CMTS devices handle the web traffic of several hundred home internet connections, as this is the setup of a small internet provider. The CMTS devices basically act as the standard gateway for all the customers' routers. A WAF rule, I think, would only handle HTTP or HTTPS traffic. Since the CMTS devices need to know the actual destination address of the packets routed to them, I also don't think a NAT rule would be helpful.

  • Hi Alexander,

    I am a little confused with your setup. CMTS provides a termination for mobile calls and then sends traffic into the internet, either tunnel or direct connections, correct?
    So what traffic will be incoming to the CMTS from the internet: ports, sources etc.?

    You advised the CMTS devices are failover and internet access for home users, but that traffic would all be sent to the internet with the CMTS as the source, not destination.

    Ian
