Problems with inbound traffic on one WAN interface in a multi WAN setup

Hello Guy,

could it be an issue with asynchrous routing? What does #Port6:3 mean? Are you using VLANs on this Interface?

You are trying to publish web and ftp servers with DNAT. How are you handling coming from different IPs? Wouldn't be a better way to do this the Web Application Firewall (WAF): https://support.sophos.com/support/s/article/KB-000036712?language=en_US

Maybe troubleshooting on the CLI can help: https://community.sophos.com/xg-firewall/f/recommended-reads/117389/sophos-xg-cli-troubleshooting-tools

Or go through this: https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0

Best regards,
BeEf

Hi,

Thanks for  the follow up. I've thought of this being a asymmetric routing issue, but I also thought inbound traffic is always answered through the same interface as the actual inbound traffic (maybe a different IP, but within the same network), unless you specify it differently, hence asymmetric routing would not be the cause. But this could be due to me misunderstanding / misreading the documentation.

Port 6:3 is an alias port referring to one of my external IP addresses that is advertised by the ISP behind the WAN Port (port 6). There is no VLAN behind it.

I'm actually not doing anyhting to handle traffic from different IPs. DNS determines what What I've configured is that the DNS values published on the Internet refer to one of the external IP addresses. That traffic hits the XG firewall on the WAN interface (Port 6).

I'll investigate the WAF option, CLI check and life of packet link.

Regards

Guy

PS! The drop all I configured displays the following message in the browser when connecting from the Internet:

We found the website's address but were unable to connect to the web server

Any ideas?

Nat not working correctly?

Could be, but I have no clue what to change. I've tried the Interface matching criteria, but that makes matters even worse (no connection at all). So if it's the DNAT rule, then my question is: how should this be configured? All DNATs have been setup exactly the same. For one WAN interface, they are working. For the other WAN interface they are not working.

Assuming the Alias is not working correctly. Check the Port6.3 alias for configuration. 

I checked, but there isn't an awfull lot to configure there:

IPv4 has been set to an external IP address within the range of the /29 network defined on the Port 6 interface. Netmask has ben set to 255.255.255.255 to indicate it's a single host and not a network. No Idea what I should change here.

Should I not define the alias on the DMZ interface (port 7). So define an alias on Port 7 (defined GW 172.16.1.252 with a /24 network behind it) with ext IP 80.127.107.18. Currently, the alias has been defined on the WAN port 6.

The network mask has to be the same as the network mask of the hardware interface. 

I think I have resolved it. Looks like it was asymmetrical routing that was causing the issue. I had both WAN interfaces active for outbound traffic with WAN 1 with weight 1 and WAN 2 with weight 10. When I changed one of the WAN interfaces to backup, the inbound traffic for DMZ through the second WAN interface were routed correctly. Although I do find it a bit odd that inbound traffic is impacted by gateway setup, primarily targeted as arranging outbound traffic. But I guess it's also the new way of working and thinking when changing firewalls.

Thanks for your help, tips and tricks.

Regards

Guy