XG V19 port forwarding but getting Local ACL Violation

Hi,

you will  need to change your source port to ports 1:65535.

Ian

Your Firewall Rule / DNAT is not matching the incoming Traffic, we are seeing in the packet capture. 

Thanks, but the source ports for those services ARE 1:65535.

Then how, in the previous version (18.5.4) was it correctly matching?

Incidentally, when I set source networks to WAN / ANY rather than providing the only IPs I want to access that service, the forward works.

I do not know. But clearly you see in the dump a private IP. This means, the Device in front of the SFOS Appliance is doing NAT. 

This is true.  Since this is a home lab, the home modem router NATs the ISP's IP to a 192, and the XG NATs between that and my home (10.x) network.  I know double NATing can be a little sticky, but it's not been an issue before.    Worth it to raise with support?

Home Appliance do not cover support.

If you do the downgrade to V18. How does the traffic look like? 

v18 allows traffic to flow even through a double NAT.  The same rules as shown here work fine. If I can downgrade, I'll post capture results for 18 MR4.

All,

To follow up on this, it's definitely a change in how the XG handles double NATed traffic.  v18.5.4 works well with the shown rules and translates correctly.  v19 seems to misunderstand double NATed traffic when it's forwarded from external to final internal addresses, and the NAT rule drops it with a local ACL violation.  While double NATing (hopefully) doesn't show up much in corporate environments, it would be more common in a home environment.  Solution here was to set my modem to bridge mode, thus removing one NAT layer.  Some ISPs may not allow this, so it could be problematic for some.