
XG V19 port forwarding but getting Local ACL Violation

Good Day,

I'm trying to set up a port forward (RDP) from my WAN interface to a device on my LAN.  The rule migrated from V18 MR4 isn't functioning, and neither are any rules I set up from scratch.  Any FW/NAT rules I set up show zero on their counters.  A packet capture on the port shows traffic hitting FW Rule 0 and NAT rule 0, with Violation: Local_ACL as the reason.  Yes, I know that exposing RDP to the cloud is a horrible practice, but I have a single use case for this with RDP restricted to a single incoming IP and port forwarding from a high port instead of 3389.  Just want to know why upgrading to v19 changed this behavior.

Thanks in advance!

  • All,

    To follow up on this, it's definitely a change in how the XG handles double-NATed traffic. v18.5.4 works well with the shown rules and translates correctly. v19 seems to misunderstand double-NATed traffic when it's forwarded from external to final internal addresses, and the NAT rule drops it with a local ACL violation. While double NATing (hopefully) doesn't show up much in corporate environments, it would be more common in a home environment. Solution here was to set my modem to bridge mode, thus removing one NAT layer. Some ISPs may not allow this, so it could be problematic for some.

  • To be specific, a modem doesn't do NAT, it's a "router" (more precisely "firewall", and usually "firewall + AP") that would do NATing. As you say, some ISPs require you to use their firewall.  Though Comcast, Verizon, and Starry (among others) do allow you to use your own router and only require you to use their modem/ONT which don't NAT. Including for home users. Though even in the worst case (required to use ISP-provided firewall or modem-firewall combination), you can sometimes place it into Bridged mode to again avoid double-NAT. Double NAT will cause a host of other issues, independently of XG doing some things better/right or not.
