Trouble with Public IP Aliases on WAN Interface

I have a ticket open for this already, but the problem has not been resolved.  I'm pretty frustrated overall by this whole experience, so wanted to try to tap into a wider pool of knowledge to see if anyone else has a similar setup, and if they had any similar issues.

I have five public IPs from my provider.  One for personal/Home use, the other four are for my home based business use.  These are the four that I have on my Sophos.

I have a Sophos XGS 126 hardware device.

- Port 2 (WAN) is set with the static IP xx.xx.xx.155/29
---- Alias - xx.xx.xx.156/32
---- Alias - xx.xx.xx.157/32
---- Alias - xx.xx.xx.158/32

- Port 1 (LAN) has a static IP on the Interface, but has no real connectivity to my "business" networks.

- I have multiple VLANS on Port 1, each with their own /24 subnet, and this is where all of my "business" networks are connected.

- WAN IP 155 has two DNAT forwards to two different servers, both of which work 100% perfectly.  There are no issues with either of these servers running on this WAN IP together.
- WAN IP 156 has a single DNAT rule setup to point to a single internal server.
- WAN IP 157 has a single DNAT rule setup to point to an Nginx Reverse Proxy, which then communicates internally to the servers that it's proxying.  
- WAN IP 158 has a single DNAT rule setup to point to a single internal server.

WAN IPs 156 - 158 have intermittent connectivity outside my network.  Internally I can access every server and every service on them without any issue.  No lag in loading, no errors returned, everything works.  From the Internet, it's always hit or miss whether any of these services work.  I have made various slight changes on the firewall NAT rules and DNAT rules, which have sometimes temporarily resolved the issue, but eventually the intermittent connectivity issues came back.

Originally I had each of these public IPs connected to their own individual virtual Sophos XG, and everything worked fine.  I finally invested in a physical hardware device, and that's where the problems started after consolidating everything into the one device.

If anyone has any suggestions or insight on this, I am all ears at this point and am willing to try just about anything (as long as it's legal and doesn't leave marks!)

  • Hello Christopher, 

    Thank you for contacting the Sophos Community.

    May I know the Case ID you have with us, so I can see what has been done?

    So basically you must have IPs from 153 to 158 assigned to you and the XG Gateway is the 154 (on the ISP side of things).

    Do you happen to know if this issue happens with a specific Public IP coming to your XG? Or can it be any IP? Or how did you notice this was happening? Just trying to find the best way to troubleshoot this.

    The correct way to set this up would be the one you mentioned already: Port WAN with /29 and the rest with /32.

    Is the port being accessed not shared with any of the services of the XG (mistakenly overlapping)?

    To troubleshoot this, I would suggest doing a pcap writing to a file, then wait for the issue to happen, and see if the XG saw the packets arriving, accepted them, and passed them down to the server.

    tcpdump -nni Port2.x host xxx.xxx.xxx.156 and port 443 -s0 -w Port2-WAN.pcap -b&

    tcpdump -nni Port1.x host 172.16.254.254 and port 443 -s0 -w Port1-LAN.pcap -b&

    The first command captures the traffic coming to the Port2 Alias IP 156, so you should have Port2.x with the X substituted accordingly, as well as the port of the listening service.

    The second command captures the traffic as the XG sends it out the LAN/DMZ zone and interface where your server is located, so substitute the IP accordingly, as well as the X for the VLAN and the port.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
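    The analysis step that follows the two captures above, as an added example that is not part of this thread and not Sophos code: read the text form of the WAN-side and LAN-side captures (what `tcpdump -nnr file.pcap` prints), match each client SYN arriving at the alias IP on Port2 with what Port1 saw toward the DNAT target, and report where each connection attempt got stuck. The capture lines, the alias 198.51.100.156 and the client addresses are constructed samples; 172.16.254.254 is the server address from the reply above. The script assumes the DNAT rule rewrites only the destination, so the client's source address and port are still visible on the LAN side.

```python
import re

# Assumed values: a public /32 alias on the WAN port and the DNAT target behind it.
ALIAS_IP = "198.51.100.156"
SERVER_IP = "172.16.254.254"
SERVICE_PORT = 443

# Constructed sample lines in tcpdump's default text format. Four clients try the
# alias; each one illustrates a different outcome.
WAN_CAPTURE = """\
10:00:01.000100 IP 203.0.113.10.51000 > 198.51.100.156.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000900 IP 198.51.100.156.443 > 203.0.113.10.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:02.000100 IP 203.0.113.20.52000 > 198.51.100.156.443: Flags [S], seq 1, win 64240, length 0
10:00:03.000100 IP 203.0.113.30.53000 > 198.51.100.156.443: Flags [S], seq 1, win 64240, length 0
10:00:04.000100 IP 203.0.113.40.54000 > 198.51.100.156.443: Flags [S], seq 1, win 64240, length 0
"""

LAN_CAPTURE = """\
10:00:01.000300 IP 203.0.113.10.51000 > 172.16.254.254.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000700 IP 172.16.254.254.443 > 203.0.113.10.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:03.000300 IP 203.0.113.30.53000 > 172.16.254.254.443: Flags [S], seq 1, win 64240, length 0
10:00:04.000300 IP 203.0.113.40.54000 > 172.16.254.254.443: Flags [S], seq 1, win 64240, length 0
10:00:04.000700 IP 172.16.254.254.443 > 203.0.113.40.54000: Flags [S.], seq 2, ack 2, win 65160, length 0
"""

# One tcpdump text line: timestamp, "IP", src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse(capture: str):
    """Yield (src, sport, dst, dport, flags) for every line that looks like TCP."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def classify_flows(wan_capture, lan_capture,
                   alias_ip=ALIAS_IP, server_ip=SERVER_IP, port=SERVICE_PORT):
    """Correlate each client SYN seen on the WAN alias with the LAN side.

    Returns {(client_ip, client_port): verdict} where verdict is one of:
      'ok'                  SYN in on WAN, SYN to server, SYN-ACK back out the WAN
      'dropped-before-dnat' XG received the SYN but never sent it to the server
                            (firewall rule, DNAT match or policy drop)
      'no-server-reply'     server got the SYN but no SYN-ACK came back on the LAN
                            (server down, wrong gateway on the server, host firewall)
      'reply-not-returned'  server answered but the XG never sent the SYN-ACK out
                            the WAN (reverse NAT / routing problem on the firewall)
    """
    wan_syn, wan_synack, lan_syn, lan_synack = set(), set(), set(), set()
    for src, sport, dst, dport, flags in parse(wan_capture):
        if dst == alias_ip and dport == port and flags == "S":
            wan_syn.add((src, sport))
        elif src == alias_ip and sport == port and flags == "S.":
            wan_synack.add((dst, dport))
    for src, sport, dst, dport, flags in parse(lan_capture):
        if dst == server_ip and dport == port and flags == "S":
            lan_syn.add((src, sport))
        elif src == server_ip and sport == port and flags == "S.":
            lan_synack.add((dst, dport))

    verdicts = {}
    for client in sorted(wan_syn):
        if client not in lan_syn:
            verdicts[client] = "dropped-before-dnat"
        elif client not in lan_synack:
            verdicts[client] = "no-server-reply"
        elif client not in wan_synack:
            verdicts[client] = "reply-not-returned"
        else:
            verdicts[client] = "ok"
    return verdicts


if __name__ == "__main__":
    for (ip, sport), verdict in classify_flows(WAN_CAPTURE, LAN_CAPTURE).items():
        print(f"{ip}:{sport:<6} {verdict}")
```

    A client that never shows up in the WAN capture at all is outside what this can tell you: the packet did not reach Port2, so the upstream router or ISP is the next place to look. If the DNAT rule also masquerades the source on the way to the server, the LAN-side source will be the firewall's own address instead of the client's; in that case match on timestamps and client port rather than on client IP.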
  • Hi Emmanuel,

    The original case number is #05266088.

    I'll make one correction to your statement above.  I have IPs 154 to 158 available to me, with 153 as the gateway address.  From my Internet modem I have my home router connected, and then I have my Sophos connected.  The home router is using .154 as the WAN IP, and .155 to .158 are configured on the Sophos.

    I do not have any port forwards with any overlapping ports.  They are all separate.

    The two services I have port forwarded on .155 work with 100% reliability.  I've not once had any issues with these port forwards.  The problems are with the remaining three WAN IP Aliases.  (.155 is configured as the primary IP on the WAN Interface with a /29 subnet.  .156, .157, and .158 are all configured as /32 aliases on the WAN port.)

    The problem with these three alias ports is intermittent or absolutely no connectivity to the port forwarded servers from the Internet.  All of these services however work fine internally.  I can access everything from the internal network without fail.  There are no lags, timeouts or anything internally, but those same services do not work from the Internet side.

    I am potentially having another callback from Sophos this afternoon on the case but have not had any confirmation of that yet.  If nothing comes of that, I will be reverting back to using individual virtualized XGs for each WAN Alias.  This is how I originally had it set up and everything worked.  When I bought my physical Sophos and started consolidating, the problems arose.

    I will give the packet captures a go later today and see what I can find.  Thank you.
