No interface filter on automatically created reflexive rules

After having some trouble for a couple of days I found that if I create a port forwarding using the GUI (DNAT) rule, XG creates 3 NAT rules: DNAT, loopback and reflexive. The DNAT rule comes with an inbound filter for the WAN interface. Loopback looks fine as well. But the reflexive rule doesn't have an interface filter. So whenever a client travels through the gateway that has a port forwarding on it, his IP will be masqueraded. Only one LAN connected to a WAN, no problem, but we've got around 70 LAN networks connected over the XG. When a client from LAN A connects to a server on LAN B, which also has a port forwarding from the internet, the IP of the server will be masqueraded with the IP of the XG as well.

Is this behaviour intended? Normally there should also be an interface matching criterion for outgoing interfaces, set to the same WAN port used for the DNAT rule.

Sorry, my English is not that good, but I hope you can understand what I mean.
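To illustrate the difference the original poster is describing, here is an added model (not Sophos code and not from the thread) of how a source-NAT rule matches a new connection from the published server with and without an outbound-interface criterion. The interface names (Port2 as WAN, Port3 as LAN A), the addresses and the rule format are all constructed for this illustration.

```python
# Added example: a small model of source-NAT rule matching for new connections.
# Interfaces, addresses and the rule shape are constructed, not Sophos XG internals.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str  # interface the packet leaves through

@dataclass(frozen=True)
class SnatRule:
    name: str
    src_net: str              # original source that the rule matches
    out_iface: Optional[str]  # None = any outbound interface (the poster's complaint)
    translate_to: str         # source address after translation

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return self.out_iface is None or self.out_iface == pkt.out_iface

def apply_snat(rules, pkt):
    """Return the source address the next hop sees for a new connection."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.translate_to
    return pkt.src

SERVER = "10.2.0.10"          # published server on LAN B (constructed)
PUBLIC_IP = "203.0.113.10"    # public IP used by the DNAT rule (constructed)
LAN_A_CLIENT = "10.1.0.20"    # client on LAN A (constructed)
INTERNET_HOST = "198.51.100.5"

# As the poster describes the GUI output: no outbound-interface criterion.
reflexive_as_generated = SnatRule("reflexive, no iface filter", "10.2.0.10/32", None, PUBLIC_IP)
# What the poster argues for: restricted to the WAN port of the DNAT rule.
reflexive_with_filter = SnatRule("reflexive, out=Port2", "10.2.0.10/32", "Port2", PUBLIC_IP)

def compare():
    to_internet = Packet(SERVER, INTERNET_HOST, "Port2")  # Port2 = WAN
    to_lan_a = Packet(SERVER, LAN_A_CLIENT, "Port3")      # Port3 = LAN A
    return {
        "generated/internet": apply_snat([reflexive_as_generated], to_internet),
        "generated/lan_a": apply_snat([reflexive_as_generated], to_lan_a),
        "filtered/internet": apply_snat([reflexive_with_filter], to_internet),
        "filtered/lan_a": apply_snat([reflexive_with_filter], to_lan_a),
    }

if __name__ == "__main__":
    for case, seen in compare().items():
        print(f"{case:20s} source seen by next hop = {seen}")
```

Only the unfiltered rule rewrites the server's address on the LAN-to-LAN path; with the outbound-interface criterion the LAN A client still sees the server's real address, while traffic to the internet is translated in both cases.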



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    The reflexive rule creates the mirror rule that reverses the matching criteria of the rule from which it's created. It means the reflexive rule will only add the server to the source. The reflexive rules are only needed if the published server needs to connect to the internet with the same WAN interface and IP address. 

    The matching interface would be different in the reflexive rule than the DNAT rule as this rule is intended to provide internet access to the published server. 

    Thanks,

  • Hi H_Patel,

    in our case it is necessary. We've got about 10 public IPs configured on the XG, and a port forwarding from one of those public IPs to an internal server needs to travel back through the same WAN interface it came in on. I understand what the reflexive rule is used for. The only thing I am saying is that it should be applied only to packets that are sent to the WAN interface and not to packets sent to other LAN interfaces.

  • You do not need a NAT rule for the traffic coming back. The Stateful firewall will do this for you. 
