Please help me troubleshoot my port forward rule

Hello everyone,

I am just an IT amateur, trying out Sophos XG firewall v18 for the first time. Here is my network map:

Where: VLAN 11 = Port 3.11; VLAN 1 = Port 4.1; VLAN 9 = Switch 0.9; VLAN 17 = Switch 0.17

Objective: I am trying to open the following ports on my 2 CCTV DVRs: 34xxx & 34yyy. Port 34xxx will be opened for both TCP & UDP traffic, while port 34yyy will be opened for TCP only.

Here are the screenshots of the firewall & NAT rules I have created. Prior to this, I had created an IP Host for each DVR and assigned them the IP addresses 192.168.17.a & 192.168.17.b respectively.

Firewall Rule:

NAT Rule:

Within the protocol port selection, I chose like this:

My policy test returned a failure.

I have been following this video clip on YouTube (Hindi language, English subtitles available) to try port forwarding. The author of this video clip said that there is another method besides the one in this clip that can achieve the same result, but I have not yet managed to find his tutorial on that method. Does anyone here in this forum know that '1st Method of Port Forwarding'?

Please help me troubleshoot my rules. Thank you very much in advance.



  • Is the IP on your Port1 the same IP as in the policy test, or is it a public IP from your ISP?

    And as Ian said: why are you trying to expose it to the internet? If you want to get access from the internet, I would prefer a VPN connection.

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 19.5 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I was asking which IP is bound to Port1. Your policy test can't work the way you tried it (if Port1 is your WAN/internet), because you tried to reach the internal IP directly; you have to put the IP from Port1 into the destination field of the policy test.

    To be honest, if your firm did this, you should consider changing the firm, for security and IT-technical reasons. Just my opinion.

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 19.5 GA


  • Do you mean I have to input my WAN IP in the Source IP field?

    Are there any simpler ways to achieve port forwarding without having to set up both the Firewall & NAT rules on Sophos XG v18?

    Well, actually, I am using this in a household environment. Yes, the computer is an ancient HP T620 Plus with a 128 GB SSD and a 4-port Intel I340-T4 NIC. I installed Sophos XG Home Edition v18 on it so that it can replace my Ubiquiti EdgeRouter X SFP as the firewall router of my upcoming (dream) homelab setup.

    I am just an amateur and have no CCNA or any networking experience. Having successfully set up the EdgeRouter X SFP can be seen as quite an achievement for me, in my opinion. I appreciate your patience and care for my thread. Would you mind helping me further on this topic?

    In the foreseeable future, I will be replacing these antique DVRs with the latest offerings from either UniFi Protect or a wireless CCTV system.

  • Hi,

    Firstly, simplify your network by removing all your VLANs, because they do not seem to serve any purpose: you have a VLAN on almost every port but no other network connection. Next, your service definition is too broad; it needs to be something like 1:65536 to 34300:34500.

    As Wayne suggested, set up your NVR as an endpoint for a VPN; that will improve your security and allow you access.

    When you replace the DVR it will more than likely connect to an external server to allow you remote access without setting up any incoming firewall rules, further improving your network security.

    Ian

    XG115W - v19.5.1 mr-1 - Home

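The two checks the replies above point at, as an added example (not code from the thread or from Sophos): a service definition of 1:65535 is far too broad for a DNAT rule, and a forward can only be exercised against the public IP bound to Port1 (the WAN interface), never against the DVR's 192.168.17.x address. The WAN address and the concrete DVR port numbers below are assumptions standing in for the post's 34xxx/34yyy placeholders; the loopback listener is a constructed stand-in for a DVR so the script runs offline.

```python
"""Check a Sophos XG port forward (DNAT) from the outside.

Added example for this thread, not from the original post or from Sophos.
Run it from outside the LAN (mobile data, a VPS): from inside, the XG may
answer for its own WAN address, and probing the DVR's internal address says
nothing about whether the DNAT rule works.
"""
import socket
import threading

WAN_IP = "203.0.113.10"           # assumed Port1 (WAN) address; TEST-NET-3 placeholder
FORWARDS = [(34001, "tcp,udp"),   # assumed stand-ins for the post's 34xxx (TCP+UDP)
            (34002, "tcp")]       # and 34yyy (TCP only)


def service_width(spec: str) -> int:
    """Width of an XG service port spec: '34300:34500' -> 201, '34001' -> 1."""
    lo, _, hi = spec.partition(":")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return hi_i - lo_i + 1


def check_service_spec(spec: str, max_ports: int = 16) -> dict:
    """Flag definitions like the thread's 1:65535, which would DNAT every port to the DVR."""
    width = service_width(spec)
    return {"spec": spec, "ports": width, "ok": width <= max_ports}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if the TCP handshake completes, i.e. something behind the DNAT accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """UDP has no handshake, so three outcomes are distinguished:
    'reply'            the DVR sent something back (forward works),
    'icmp-unreachable' ICMP port unreachable came back (reached, nothing listening),
    'silent'           dropped or filtered, which is what a missing DNAT rule looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # connected UDP socket, so ICMP errors surface as exceptions
        s.send(b"\x00")
        s.recv(1024)
        return "reply"
    except ConnectionRefusedError:
        return "icmp-unreachable"
    except socket.timeout:
        return "silent"
    finally:
        s.close()


def check_forwards(wan_ip: str, forwards) -> dict:
    """Probe each (port, 'tcp[,udp]') forward against the WAN address, never a LAN one."""
    if wan_ip.startswith(("192.168.", "10.")):
        raise ValueError("probe the Port1/WAN address, not the DVR's internal address")
    results = {}
    for port, protos in forwards:
        r = {}
        if "tcp" in protos:
            r["tcp"] = tcp_open(wan_ip, port)
        if "udp" in protos:
            r["udp"] = udp_probe(wan_ip, port)
        results[port] = r
    return results


def local_listener(port: int = 0) -> socket.socket:
    """Constructed stand-in for a DVR: a loopback TCP listener that accepts one
    connection, so the checks can be exercised offline. Port 0 picks a free port;
    read it back with .getsockname()[1]."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
    threading.Thread(target=accept_once, daemon=True).start()
    return srv


def closed_port() -> int:
    """A loopback port with nothing listening (bound, then released), for a negative check."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for spec in ("1:65535", "34300:34500", "34001"):
        print(check_service_spec(spec))
    srv = local_listener()
    print(check_forwards("127.0.0.1", [(srv.getsockname()[1], "tcp"), (closed_port(), "udp")]))
    print(check_forwards(WAN_IP, FORWARDS))   # meaningful only when run from outside the LAN
```

A 'silent' UDP result is ambiguous on its own (the DVR may simply not answer an empty datagram), so pair it with the TCP result on the same port and with the XG's firewall log for the rule; the TCP handshake is the unambiguous signal that the DNAT and the matching firewall rule both fired.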

  • Hello, forgive me for having forgotten to add the network layout map. I have now included it so that you have a better view of the layout of my Internet infrastructure and to answer why I need several VLAN interfaces.

    As I will be implementing several UniFi APs at once to replace the current Linksys Velops, broadcasting several WiFi networks and serving many IoT household appliances, VLANs become a necessity for security and maintenance. Thus, I had better create the VLAN interfaces as well as distinguish the Zones & IP Hosts.

    Please take a look at it (again) at the top of my thread and kindly help me out with the troubleshooting. Thank you very much, buddies.

  • Thank you for the update.

    Some items for you to think about. You will need to terminate the VLANs on the XG, not the switch; otherwise the XG firewall rules will not manage or log your traffic.

    The mesh wifi is just another LAN connection, so there is no need for a VLAN because you do not appear to have any other devices on that port.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Thanks for your advice.


    Firstly, I still don’t understand why do I have to remove the VLAN interfaces. Does it affect Internet connectivity and (or) firewall functionality of the Switch0 if there are VLAN interfaces bound to it ?

    Secondly, regarding the Hindi tutorial video with English subtitles: the narrator mentions that there is a method other than the one he and I are using to achieve port forwarding. Do you also know what that method is? Does it still work on Sophos XG v18?

    Thanks again, buddy.

  • Hi,

    I am suggesting you remove the VLANs because they are not connected to the firewall, only to the switch. If you want the VLANs, then you do not need a VLAN between the XG and the switch; the VLANs should terminate on the XG if you want to pass traffic to them.

    Please post an expanded version of your network interface setup.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • What do you mean by an expanded version of my network interface setup? Does it mean a screenshot of the list of interfaces, or something else?

  • The list of interfaces.

    XG115W - v19.5.1 mr-1 - Home


  • Here it is buddy.

    In addition, why do I need to change the service port definition to 34300:34500 instead of assigning the exact port numbers I am looking for (i.e. 34xxx:34xxx and 34yyy:34yyy respectively)?

  • You don't need to change your service ports; it was just that you had a definition of 1:65535 to 1:65535.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Thanks, buddy. How about my interfaces?

  • Hi J,

    I understand you are trying to have a secure network, but the network setup looks overly complex for a home system; it will be a pain to manage and may well lead to the network holes you are trying to avoid.

    Ian

    XG115W - v19.5.1 mr-1 - Home
