Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 29 subscribers
  • Views 2864 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Loopback Rules Don't Work

DWS

Hi community,

the description of the Server Access Assistant (DNAT) says that all in all four rules should be crated,

  1. a DNAT rule,
  2. a SNAT rule,
  3. a loopback rule and finally
  4. a firewall rule.

The assistant then, however, does not create the loopback rule, which makes it impossible to connect from the local network to one's own web server via its external address.

Another option were to create the DNAT rule without the assistant and to tick the SNAT and loopback boxes. This option neglects the firewall rule, obviously, but at least it will actually create the loopback rule. This loopback rule, on the other hand, does not work, it is still impossible to reach the web server via its external address. (Interestingly, after additionally creating the corresponding firewall rule and switching logging on, one can see that the firewall processes and accepts the requests to access the web server from the internal network, so the problem must lie in the NAT rules.)

Next option was to create the loopback rule by hand following the documentation available from Sophos, but again to no avail, as the rule never enabled access to the web server from the internal network.

Where is the flaw? Is Sophos's firewall product simply not able to handle loopback connections at all, is there a bug in processing the NAT rules, or is the documentation wrong? Any clarifications were greatly appreciated.

Best regards,
Dietmar

N.B.: I talked to a senior firewall administrator, who failed in just the same way... Unamused



This thread was automatically locked due to age.
  • 0

    Please post a copy of all the rules you have created. The internal loop back rule does work, took me some experimentation to get it to work.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi Ian,

    this is one example standing for more cases.

    This is the DNAT rule:

    This is the loopback rule:

    See below for part 2.

  • 0 in reply to rfcat_vk

    This is second part of my reply.

    This is the SNAT rule:

    Part 3 to follow, as uploads of pictures are  a torture...

  • 0 in reply to rfcat_vk

    Here comes pert 3.

    This is the firewall rule:

    End of transmission...

  • +1 in reply to DWS

    Essentially the loop back should work as designed. 

    NAT is a connection stateful module. Means you only need to setup the initial packet. If you client is asking for the external IP of the Firewall, the NAT should hit and redirect to the internal Client and use MASQ.

    What is important: The firewall Rule needs to hit as well. Which means, you need a Source LAN, Destination LAN and Destination IP: You WAN IP firewall rule. 

    This looks fine to me. If you do a packet capture from this internal traffic, do you see the correct rules matching? Because if the DNAT Rule is above the Loopback rule, it will of course catch the traffic as well. 

    So you have to change the order of the Loopback to be above the DNAT rule. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thank you Toni,

    Changing the rule sequence finally did the trick. Would be interested, though, why the firewall software itself creates the sequence DNAT - loopback - SNAT if it is not operational. Some unsolved mystery...

    Thanks again and bye.

Unfiltered HTML