
BUG - possibly in firewall rule processing order

Hi folks,

I have been trying to get a hairpin firewall rule and NAT for my NTP server.

After two failed attempts at using existing devices as NTP sources I built a Raspberry Pi 4, which I have tested with Mac mini and W10 devices, and all update correctly.

Now the issue with the rule processing order:

1/. High up the firewall rule list I have a rule for the Pi 4 NTP port and a linked NAT, which works very well.

2/. At the bottom of the firewall list I have a general access rule to the NTP devices using the default NAT policy, which also works well.

The issue comes when I enable the hairpin NAT, which is below the linked NAT in the order: the Pi 4 starts using the hairpin NAT and talks to itself, and some devices also talk to the Pi 4 and get responses.

So, the question is: why does the Pi 4 use the hairpin NAT and not the linked NAT?

Ian



This thread was automatically locked due to age.
  • Have you tried disabling firewall acceleration?

    As per the life of a packet in XG, it will check DNAT first when fast path is enabled, and that might be why the hairpin NAT (DNAT) takes precedence.

    Regards,
    Hardik R

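The ordering effect Hardik describes, as an added Python model that is not Sophos code and not Ian's actual rule set: a DNAT table is evaluated first-match before any firewall rule is consulted, so a catch-all NTP redirect that matches every LAN source also catches the NTP server's own upstream queries and sends them back to itself. The addresses, the rule names and the "no-dnat-for-pi" exemption rule are all constructed for the illustration; the point it shows is that the same exemption placed below the catch-all changes nothing, because the first match wins.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

# Constructed addresses (RFC 1918 and documentation ranges); not the thread's real network.
LAN = ip_network("192.168.1.0/24")
ANY = ip_network("0.0.0.0/0")
PI = ip_address("192.168.1.123")       # the local NTP server (the "Pi 4" in the thread)
CLIENT = ip_address("192.168.1.50")    # an ordinary LAN workstation
UPSTREAM = ip_address("198.51.100.5")  # an Internet NTP pool member the Pi syncs from
NTP = 123


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """One row of a first-match DNAT table. translate_to=None means 'match but do not translate'."""
    name: str
    src_net: IPv4Network
    dst_net: IPv4Network
    dport: int
    translate_to: Optional[IPv4Address]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src_net
                and pkt.dst in self.dst_net
                and pkt.dport == self.dport)


def apply_dnat(table: Sequence[DnatRule], pkt: Packet) -> tuple[Optional[str], Packet]:
    """Walk the table top to bottom; the first matching rule decides, later rules are never seen.

    This mirrors the 'DNAT is checked first' behaviour from the reply above: the firewall
    rule order plays no part here, only the NAT table order does.
    """
    for rule in table:
        if rule.matches(pkt):
            if rule.translate_to is None:
                return rule.name, pkt                       # explicit exemption, no rewrite
            return rule.name, Packet(pkt.src, rule.translate_to, pkt.dport)
    return None, pkt


def loops_to_self(table: Sequence[DnatRule], pkt: Packet) -> bool:
    """True when DNAT rewrites the destination to the sender itself (the 'talks to itself' symptom)."""
    _, out = apply_dnat(table, pkt)
    return out.dst == pkt.src


# Catch-all redirect: any LAN host sending UDP/123 anywhere is sent to the Pi.
REDIRECT = DnatRule("ntp-redirect", LAN, ANY, NTP, PI)
# Hypothetical exemption so the Pi's own queries leave the LAN untranslated.
EXEMPT_PI = DnatRule("no-dnat-for-pi", ip_network(f"{PI}/32"), ANY, NTP, None)

# Same two rules, only the order differs.
ORDER_WRONG = [REDIRECT, EXEMPT_PI]   # exemption is shadowed by the catch-all above it
ORDER_OK = [EXEMPT_PI, REDIRECT]      # exemption is evaluated before the catch-all


if __name__ == "__main__":
    pi_query = Packet(PI, UPSTREAM, NTP)
    client_query = Packet(CLIENT, UPSTREAM, NTP)
    for label, table in (("wrong order", ORDER_WRONG), ("right order", ORDER_OK)):
        for pkt in (pi_query, client_query):
            rule, out = apply_dnat(table, pkt)
            print(f"{label:11} {pkt.src} -> {pkt.dst}:{pkt.dport}  matched={rule}  "
                  f"new dst={out.dst}  loop={loops_to_self(table, pkt)}")
```

Running it shows the client's query reaching the Pi under both orders, while the Pi's own query is rewritten to the Pi (a loop) only when the exemption sits below the catch-all. Whether a given product evaluates DNAT before or after the firewall rules, and where it places linked NAT rules in its own table, is product behaviour the model does not encode; it only demonstrates why rule position inside the NAT table, not the firewall list, is what to check.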
  • Hi,

    Thank you for the suggestion. I will read the KBA again and see what I can do.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Rather than remove a performance-improving feature (I can't remember whether I enabled it or not), I chose to create a linked NAT rule for the NTP redirect firewall rule. I have checked a W10 device and it thinks it is happy, but I can't find any log entries.

    The examples I have posted above have been changed.

    So, I think a success to a certain degree.

    Ian

    XG115W - v19.5.1 mr-1 - Home
