
Problems with inbound traffic on one WAN interface in a multi WAN setup

Hi,


I've been working on a Sophos XG 125 v18 for the last week to get it production ready, setting up the WAN interfaces (2) and the DNATs and FW rules. I thought I had everything covered, but I'm running into an issue I simply cannot resolve. So if anyone can give me some support, that would be great.

My setup is as follows. I have two WAN interfaces (both set to active) on port 5 and 6. I've created aliases for IPs terminated on port 5 and on port 6 in the network section, created DNATs and FW rules for the inbound traffic. The DNAT is configured as follows for Port 5:0:

Original source: Any
Original destination: #Port5:0
Original service: FTP, HTTP, HTTPS
Translated source (SNAT): Original
Translated destination (DNAT): 172.16.1.59
Translated service (PAT): Original

Inbound interface: Any
Outbound interface: Any

The FW rule for this server configured as follows:

Source zones: WAN
Source networks and devices: Any
During scheduled time: All the time
Destination zones: DMZ
Destination networks: #Port5:0
Services: FTP, HTTP, HTTPS

I see traffic being logged hitting the right DNAT and FW rule for this. So this works well.

However, I have a similar DNAT & FW rule set for another host:

Original source: Any
Original destination: #Port6:3
Original service: FTP, HTTP, HTTPS
Translated source (SNAT): Original
Translated destination (DNAT): 172.16.1.63
Translated service (PAT): Original

Inbound interface: Any
Outbound interface: Any

The FW rule for this server configured as follows:

Source zones: WAN
Source networks and devices: Any
During scheduled time: All the time
Destination zones: DMZ
Destination networks: #Port6:3
Services: FTP, HTTP, HTTPS

And no traffic is allowed to pass through the FW and hits the drop all rule (0). I added my own drop all to activate logging, and that revealed that the NAT rule is being hit correctly from the WAN to the ext IP address (as defined in the alias port 6:3), but traffic from 172.16.1.252 (DMZ interface XG) to 172.16.1.63 (internal IP address host) is being denied. PCAP doesn't tell me anything when I check the denied traffic.

Both hosts reside on the same DMZ network. The DNAT rules were set up like this after consultation with support staff of Sophos.

I searched for hours on the discussion groups to find hints and clues, but was unable to. Any ideas from anyone?

Regards
Guy



  • I think I have resolved it. Looks like it was asymmetrical routing that was causing the issue. I had both WAN interfaces active for outbound traffic, with WAN 1 with weight 1 and WAN 2 with weight 10. When I changed one of the WAN interfaces to backup, the inbound traffic for DMZ through the second WAN interface was routed correctly. Although I do find it a bit odd that inbound traffic is impacted by gateway setup, primarily targeted at arranging outbound traffic. But I guess it's also the new way of working and thinking when changing firewalls.

    Thanks for your help, tips and tricks.

    Regards

    Guy
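
To make the asymmetric-routing explanation in the reply above concrete, here is an added example (not code from the thread and not Sophos XG code): a small Python model of two reply-path policies for inbound DNAT connections in a multi-WAN setup. Policy A picks the reply's egress WAN by weighted outbound load balancing, ignoring the ingress interface; Policy B pins the reply to the interface the connection arrived on. A client only accepts a SYN-ACK from the public IP it connected to, so any reply that leaves via the other WAN is lost. The WAN names, the RFC 5737 public addresses, the client addresses and the assignment of the post's weights (1 and 10) to the two interfaces are constructed assumptions; the DMZ hosts 172.16.1.59 and 172.16.1.63 come from the post. The weighted scheduler is a deterministic round-robin stand-in for the firewall's real selection, not a description of how XG implements it.

```python
from dataclasses import dataclass
from itertools import chain


@dataclass(frozen=True)
class Wan:
    name: str
    public_ip: str   # alias IP clients connect to on this interface
    weight: int      # outbound load-balancing weight


@dataclass(frozen=True)
class Flow:
    client: str
    wan_in: str      # WAN interface the client's SYN arrived on
    public_dst: str  # alias IP the client connected to
    server: str      # DNAT target in the DMZ


# Constructed: RFC 5737 addresses; weights 1 and 10 follow the post, the
# mapping of those weights to the two WAN interfaces is an assumption.
WANS = {
    "WAN1": Wan("WAN1", "198.51.100.10", weight=1),
    "WAN2": Wan("WAN2", "203.0.113.10", weight=10),
}

# Constructed sample of four inbound connections, two per WAN interface.
FLOWS = [
    Flow("192.0.2.1", "WAN1", "198.51.100.10", "172.16.1.59"),
    Flow("192.0.2.2", "WAN2", "203.0.113.10", "172.16.1.63"),
    Flow("192.0.2.3", "WAN1", "198.51.100.10", "172.16.1.59"),
    Flow("192.0.2.4", "WAN2", "203.0.113.10", "172.16.1.63"),
]


def weighted_schedule(wans):
    """Deterministic weighted round-robin order: WAN1 once, then WAN2 ten times."""
    return list(chain.from_iterable([w.name] * w.weight for w in wans.values()))


def reply_egress_weighted(flows, wans):
    """Policy A: the reply's egress WAN is chosen by outbound load balancing,
    ignoring which interface the connection came in on."""
    sched = weighted_schedule(wans)
    return [sched[i % len(sched)] for i in range(len(flows))]


def reply_egress_pinned(flows, wans):
    """Policy B: the reply leaves via the interface the connection arrived on."""
    return [f.wan_in for f in flows]


def deliver(flows, egress, wans):
    """Model the client side: a SYN-ACK is accepted only if it comes from the
    public IP the client connected to. Returns (client, wan_in, wan_out, ok)."""
    results = []
    for flow, out in zip(flows, egress):
        reply_src = wans[out].public_ip
        results.append((flow.client, flow.wan_in, out, reply_src == flow.public_dst))
    return results


def asymmetric_flows(results):
    """Defender check over the result table: connections whose reply left
    through a different WAN than the one they entered on."""
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    for label, policy in (("weighted", reply_egress_weighted), ("pinned", reply_egress_pinned)):
        table = deliver(FLOWS, policy(FLOWS, WANS), WANS)
        print(label, "asymmetric:", [r[0] for r in asymmetric_flows(table)])
```

With the weighted policy, the third connection (arriving on WAN1) gets its reply sent out WAN2 with the wrong source address and never completes, which is the same shape of symptom the post describes: one alias works, the other silently hits the drop rule. The `asymmetric_flows` check is the kind of comparison worth running over a real connection log (ingress interface versus reply egress interface) before changing gateway weights or switching an interface to backup.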
