Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 36 replies
  • Answers 2 answers
  • Subscribers 30 subscribers
  • Views 11637 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Issues while creating a hairpin NAT

rfcat_vk

Hi folks,

another post on my issues about creating a firewall hairpin nat rule.

I have an NTP server on my network and I want devices to use it as a reference time source. I know the device works when I change network devices to query it for time, they update correctly.

When I built my own firewall rule using a linked NAT rule there was lots of queries to the rule but nothing was returned.

So, I have decided to use the XG build a server access rule.

I think one of the questions in the create wizard is wrong

It asks for the external source networks and devices, but never asks for the internal networks. You can add your internal networks which I did.

Next issue is the reflexive rule automatically created does not use the required service as entered in previous pages, just uses ANY which allows all traffic to bypass the specific NAT and linked NAT rules. Again you can change it to the required service.

Next issue is the created firewall rule appears to be wrong.

Destination zone is LAN but the destination network is the external interface which is a WAN zone.

The result is the rule does not work.

I have tried creating a FQDN for the external internal access to the NTP, but there is nowhere to add it to the rule along with a number of other issues of trying to add another external url for the same address, the XG does not like it.

Please advise what is required to make the hairpin NAT work. I have read the KBA and followed that document and ended up with the above issues.

Ian

.



This thread was automatically locked due to age.
Parents
  • 0

    Hello rfcat_vk,

    Thank you for contacting the Sophos Community!

    Can you do a packet capture on the GUI, to see if the traffic is arriving and then what rule is being processed?

    As per the Firewall rule, I used the Wizard and got the correct WAN to WAN.

    Regards,

  • 0 in reply to emmosophos

    Hi EmmoSophos.

    None of the internal devices hit the firewall rules. Logviewer only shows the NTP server using the IPv6 rule allowing it out and one dumb device that breaks the country rules when it can't connect to the NTP server.

    Ian

  • 0 in reply to rfcat_vk

    No, you dont need a linked NAT rule. Instead you need a simple NTP Server to WAN NAT Rule on top. 

  • 0 in reply to LuCar Toni

    Hi Lucar,

    working with Prism, I finally got it working and the result does not look like your suggestion.

    I have asked Prism to write up his solution as a KBA.

    Ian

  • +1 in reply to rfcat_vk

    Hopefully this helps someone in the Future.

    NAT on Sophos XG have some really weird issues, one that got me confused for days has the issue below.

    When you create a NAT Policy to Redirect all traffic to a new Destination, the Zone in which the Firewall handles the Outgoing traffic will change.

    First, look at this picture:

    If you look close at It, you will realize what happened within the Firewall when I've tried to redirect all Outgoing NTP Traffic to a Internal NTP Server.

    The IPv4 that my internal machine is communicating are meant to go for the "WAN" Zone, but instead the Firewall is treating them as the "Server" Zone, which is the Local Zone on where my NTP Server is located - and the same on where my NAT Policy is sending all traffic.

    Here's my NAT Policy:

    If you ever create a NAT Policy which Redirects any Outgoing Traffic for a Local Server, be aware you will also need to create a Firewall Rule which get's applied to the same Zone on where the traffic is being redirect. (But not only that.)

    Which now, we will get to the second issue; Normally you would create a Firewall Rule like this, since you only want to allow traffic to go for your local server and nowhere else;

    This is the Firewall Rule you're expected to create; But It doesn't work.

    Before the NAT get's applied to the Traffic, the Zone of the Outgoing traffic already changed, making the Firewall drop all Outgoing Traffic since It won't match for the "WAN" Zone anymore.

    This is primarily an unnoticed issue, since the default Drop rule of the Firewall have no logging enable.

    In which case, you will need to use "Any" as your Destination Network, since as you can see on the Log Viewer above, the Traffic is not being sent to the "WAN" Zone anymore, but It's being sent to the "Server" Zone.

    By creating a Rule like this: (With your Local Zone.)

    Your NAT Policy which Redirects Outgoing Traffic for a Internal server will finally work.

    And the reason on why the "Destination Networks" is "Any" is because the Firewall doesn't treat that traffic (Outgoing Traffic) as the "WAN" Zone anymore, and since there's no other Policy allowing those "WAN" IPv4 Address for your local Zone (Which in my case is the "Server" Zone), the traffic will be dropped.

    By using "Any", all traffic get's accepted by the Firewall Rule and then after It, the NAT Engine pickups It and send the Traffic for the correct Destination from the NAT Policy.

    EDIT: Finishing up, you will need a Secondary NAT Policy - on top of the NAT Policy which is redirecting the Traffic, this Secondary Policy should be created to make the NTP Server Bypass the Redirect and allow It access to the Internet.

    Here's an ex example on how It should look like:

    Again, hopefully this helps someone in the future, also If someone can rewrite all of this in a better manner, I would be very thankfully for It.

  • 0 in reply to Prism

    Looking at your solution, shouldnt the Server still loop itself with NTP? 

  • 0 in reply to LuCar Toni

    Hi Lucar,

    no because the server Nat rule is at the top. Works well.

    ian

  • 0 in reply to rfcat_vk

    Oh, you have a Server SNAT Rule? Ok thats what i suggested. 

  • 0 in reply to LuCar Toni

    It has getting late when I posted this in here, and I forgot to talk about the creation of the secondary NAT Policy which allows the NTP Server to bypass the Redirect NAT Policy. (Access to the Internet.)

    I will write about this later, thanks for reminding me!

  • 0 in reply to rfcat_vk

    Hi folks,

    the issue with my hairpin NAT rule for access to the internal server appears to an undocumented fix in v18.0.5 mR-5 build 586. The XG no longer corrupts the packets after about 2 or 3 hours.

    I have tried using the specific NTP internet destinations as suggested by Lucar, but failed because one of my dives has a hard coded NTP address for the old local LAN network.

    I have added a special network destination to cater for that device and added other destinations for none Apple devices.

    I am still puzzled why the XG decides to src_trans_port to values other than 0 for some packets?

    Ian

  • 0 in reply to rfcat_vk

    Just do not use ANY as your destination, that seems to break the firewall rule after a number of hours. Using selected destinations fixes most access but some still show failure eg one device can send 4 or 5 requests and 2 or 3 will fail.

    Ian

  • 0 in reply to rfcat_vk

    Just to double check: I updated the recommended read with screenshots of this configuration.

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/118433/using-v18-nat-to-achieve-ntp-proxy-like-functionality

    Maybe there is some more feedback to it? 

Reply Children
No Data