NAT rule Order causes outage

For multiple smaller customers I have one default SNAT with MASQ to enable internet access and usually two DNAT rules.
These rules do not interfere.

On multiple occasions it happened that the DNAT rules did not work although configured correctly. All I had to do in order to make them work again was changing their position to the top priority.

It happened on different v18 Firmware and Hardware.

It happened on initial configuration but sometimes even for existing and previously working rules. In both cases the above-mentioned "trick" fixed the issue.

Can someone explain to me why the positioning of NAT-rules does matter if they do not interfere with one another?

Our company wants to stop deploying UTM and only work with XG in the future, but with issues like that we lose trust in it.

  • Hello Flomb,

    Thank you for contacting the Sophos Community!

    I would recommend you to open a case with Support and send me the Case ID, so I can follow-up!

    As mentioned by Luca, this was an old issue caused by SFM or migration.

    However, if this is happening, this needs to be investigated:

    You would need to provide the output of:

    1) ipset -L

    2) iptables-save

    3) drop packet output for the specific tuple which is dropping because the firewall isn’t matching

    4) csc.log

    Regards,
