
DNAT Issue

FYI - prior to v18 I never had these issues... so, not sure why it's a problem now.

I am doing something very basic - a simple DNAT to a local server on my LAN / port 443 access. 

I have a WAN interface along with additional static IPs. I created an alias (/32) on this interface with one of my static IPs.

I'll share more info but to ensure it isn't an ISP or routing issue, I enabled the user portal on port 443 - I was able to hit the IP address (IP:443) and get the user portal no problem. So, this proves the ISP is properly routing and getting to the right destination. I then changed the user portal back to 8443 since I want to use 443 for my other service. Since the alias is bound to the same WAN interface, I can hit the portal from the primary or any of the alias addresses - I made sure not to overlap my service (443) with the user portal for that reason. So, at this point - I verified I can reach x.x.x.x:443. Now with the user portal back to 8443, I configure my DNAT. Very very simple:

See the screenshot below. I also have a reflexive rule created. I left the "original destination" blank for purposes of the screenshot, but this contains my public IP - the one tested / referenced above with the user portal.

I am able to open the firewall log and see the traffic hitting the rule - I see traffic from my source IP (another device / Internet connection unrelated to this setup) hitting the public IP on the proper port. But that is as far as it gets. I verified the reflexive rule is working and the device has Internet access and uses the same port. I can access this device internally no issue, or if I directly assign it a public IP and don't use NAT at all. It appears that while traffic is clearly hitting the firewall, it is never being forwarded to the server. I verified ARP entries on the firewall and made sure I can ping / hit the server from the firewall internal / LAN interface. When the internal server accesses the Internet, I see it hit the reflexive rule. This was working perfectly before Sophos XG v18. This is about as simple of a task as you can perform... Bizarre.

  1. One note - I do have multiple WAN interfaces - and I know how to properly use the routing functions (I personally love v18 - even though some don't like the way routing decisions are now detached from the NAT statements). My setup is simple - for outbound, I have one catch-all NAT rule - in fact, the default one created - the SD-WAN / routing tab does everything else (never could figure out why some people have a linked NAT rule for every firewall rule - outbound you should only need one rule as a catch-all). I also have a DNAT as referenced below. I have a routing rule to ensure the inside host uses the same interface for egress. Since the static IP is provided by the ISP, it is only bound and reachable via that interface - traffic for the statics can only ingress one interface - the same one I ensure traffic egresses (I verified this - I can see the inside server using the proper egress port for normal Internet access - such as NTP updates).



  • Update: I fixed it... In the routing rule, I specified for this to egress the same WAN link / port. However, I specified the server's INTERNAL IP in the rule - not the public IP! So, it was egressing the wrong interface - traffic would hit the resource on one link, but attempt to egress the other. Once I specified the public IP in the SD-WAN / routing rule, it worked perfectly!

    Spent a lot of time for a simple issue - the packet capture feature is a life saver! I saw the traffic leaving and going out the wrong port!

    I figured I would keep the original post in case someone else has this issue.. I know the new V18 with the routing and NAT separated can be confusing. I personally love it as it makes more sense to me - and with only one SNAT rule for outbound, I can manipulate everything via the routing policies.. very robust and simple once you get the hang of it! 

  • FormerMember, in reply to Kevin Holderbach:

    Great! :) 

    The answer is now marked as Verified so that others can refer to it
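The diagnosis above came from a packet capture showing the server's reply leaving on the wrong WAN port. The following is an added example, not code from the thread or from Sophos: a small Python checker that reads tcpdump text lines and, for each client connection to the published DNAT address, reports which interface the SYN arrived on and which interface the SYN-ACK left on, flagging the asymmetric case from the post (in on one WAN port, reply out another) and the case where no reply ever reaches a WAN port at all. The line format is the one tcpdump 4.99+ prints for `tcpdump -ni any` (interface and direction columns); the interface names (Port1 LAN, Port2 and Port3 WAN), the addresses and the capture lines are all constructed for the example, and the XG GUI packet-capture export may use a different layout, so adjust the regex to match your capture.

```python
"""Flag asymmetric egress for a DNAT-published service from tcpdump '-i any' output.

Assumptions (constructed for this example, not from the original thread):
  - tcpdump 4.99+ line layout:  <time> <iface> <In|Out> IP a.b.c.d.port > e.f.g.h.port: Flags [..] ...
  - Port2/Port3 are WAN interfaces, Port1 is LAN, 203.0.113.20 is the published IP,
    10.0.0.50 is the internal server.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed capture: flow A answers on the wrong WAN port (the bug in the thread),
# flow B is symmetric (after the fix), flow C never gets a reply out of any WAN port.
SAMPLE_CAPTURE = """\
10:00:00.000100 Port2 In  IP 198.51.100.10.51000 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0
10:00:00.000200 Port1 Out IP 198.51.100.10.51000 > 10.0.0.50.443: Flags [S], seq 1, win 64240, length 0
10:00:00.000300 Port1 In  IP 10.0.0.50.443 > 198.51.100.10.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:00.000400 Port3 Out IP 203.0.113.20.443 > 198.51.100.10.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:01.000100 Port2 In  IP 198.51.100.11.52000 > 203.0.113.20.443: Flags [S], seq 5, win 64240, length 0
10:00:01.000200 Port1 Out IP 198.51.100.11.52000 > 10.0.0.50.443: Flags [S], seq 5, win 64240, length 0
10:00:01.000300 Port1 In  IP 10.0.0.50.443 > 198.51.100.11.52000: Flags [S.], seq 6, ack 6, win 65160, length 0
10:00:01.000400 Port2 Out IP 203.0.113.20.443 > 198.51.100.11.52000: Flags [S.], seq 6, ack 6, win 65160, length 0
10:00:02.000100 Port2 In  IP 198.51.100.12.53000 > 203.0.113.20.443: Flags [S], seq 9, win 64240, length 0
10:00:02.000200 Port1 Out IP 198.51.100.12.53000 > 10.0.0.50.443: Flags [S], seq 9, win 64240, length 0
"""


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def check_egress(lines, public_ip, port):
    """For each client SYN to public_ip:port, pair the ingress interface with the
    interface the SYN-ACK (post reverse-NAT, so src == public_ip) went out on."""
    syn_iface = {}      # (client_ip, client_port) -> interface the SYN arrived on
    synack_iface = {}   # (client_ip, client_port) -> interface the SYN-ACK left on
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["dir"] == "In" and rec["dst"] == public_ip
                and rec["dport"] == port and rec["flags"] == "S"):
            syn_iface[(rec["src"], rec["sport"])] = rec["iface"]
        elif (rec["dir"] == "Out" and rec["src"] == public_ip
                and rec["sport"] == port and rec["flags"] == "S."):
            synack_iface[(rec["dst"], rec["dport"])] = rec["iface"]

    results = []
    for key, in_iface in syn_iface.items():
        out_iface = synack_iface.get(key)  # None: reply never left via a WAN port
        results.append({
            "client": f"{key[0]}:{key[1]}",
            "in_iface": in_iface,
            "out_iface": out_iface,
            "symmetric": out_iface == in_iface,
        })
    return results


if __name__ == "__main__":
    for r in check_egress(SAMPLE_CAPTURE.splitlines(), "203.0.113.20", 443):
        status = "OK" if r["symmetric"] else "ASYMMETRIC/NO REPLY"
        print(f'{r["client"]:24} in={r["in_iface"]:6} out={str(r["out_iface"]):6} {status}')
```

Run it against a real capture with `tcpdump -ni any -l 'tcp port 443' | python3 check_egress.py`-style plumbing (feed `sys.stdin` to `check_egress` instead of `SAMPLE_CAPTURE`). A flow reported with differing interfaces is exactly the symptom in the thread: the SD-WAN / routing rule matched the wrong address, so the reply took the other WAN link and the client never saw the SYN-ACK.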