XG V19 port forwarding but getting Local ACL Violation

Question

Good Day, 
 I'm trying to set up a port forward (RDP) from my WAN interface to a device on my LAN. The rule migrated from V18 MR4 isn't functioning, and neither are any rules I set up from scratch. Any FW/NAT rules I set up show zero on their counters. A packet capture on the port shows traffic hitting FW Rule 0 and NAT rule 0, with Violation: Local_ACL as the reason. Yes, I know that exposing RDP to the cloud is a horrible practice, but I have a single use case for this with RDP restricted to a single incoming IP and port forwarding from a high port instead of 3389. Just want to know why upgrading to v19 changed this behavior.

Thanks in advance!

LuCar Toni · Answer

I do not know. But clearly you see in the dump a private IP. This means, the Device in front of the SFOS Appliance is doing NAT.

AstaroNBack · Answer

Interface Setup 
 PORT 1 LAN, is default vlan (0), UNTAGGED. 
 MLK_Voip is a VLAN (20), is also on Port 1, but it is TAGGED, MUST be setup as a VLAN, creating a virtual interface on port 1 didn't work for us. 
 
 Relay Setup

Bryan, I just experienced this issue. Sophos is configured differently than a typical Cisco, once you see it work it makes sense. The ACL violations on RULE 0 and NAT 0 are ACL, which is a little misleading, in that you don't need to change a firewall or NAT rule. You need to fix the way you have DHCP relay configured and the ACL violations will disappear. 
 On our setup, we have default data lan as default, VLAN 0, our Voip Lan is 20. On the Sophos FW, you need rules for BOTH, the default lan, as well as your voice vlan, both of these need forward to the upstream DHCP server. 
 In our case, we have another Sophos upstream from this one where our DHCP server resides. To get the DHCP requests to our server, 10.0.0.12, we must also create another DHCP relay on the the Upstream Sophos FW's VLAN interface that receives traffic from this firewall. 
 We had to create rules for each branch VLAN connected to our primary gateway. Each branch has a Sophos FW.

XG V19 port forwarding but getting Local ACL Violation

Top Replies