XG V19 port forwarding but getting Local ACL Violation

Good Day,

I'm trying to set up a port forward (RDP) from my WAN interface to a device on my LAN.  The rule migrated from V18 MR4 isn't functioning, and neither are any rules I set up from scratch.  Any FW/NAT rules I set up show zero on their counters.  A packet capture on the port shows traffic hitting FW Rule 0 and NAT rule 0, with Violation: Local_ACL as the reason.  Yes, I know that exposing RDP to the cloud is a horrible practice, but I have a single use case for this with RDP restricted to a single incoming IP and port forwarding from a high port instead of 3389.  Just want to know why upgrading to v19 changed this behavior.

Thanks in advance!



  • All,

    To follow up on this, it's definitely a change in how the XG handles double NATed traffic.  v18.5.4 works well with the shown rules and translates correctly.  v19 seems to misunderstand double NATed traffic when it's forwarded from external to final internal addresses, and the NAT rule drops it with a local ACL violation.  While double NATing (hopefully) doesn't show up much in corporate environments, it would be more common in a home environment.  Solution here was to set my modem to bridge mode, thus removing one NAT layer.  Some ISPs may not allow this, so it could be problematic for some.
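The post above attributes the drop to how v19 treats double NATed traffic and fixes it by putting the modem in bridge mode. As an added illustration (not code from the thread or from Sophos), the model below traces one inbound port-forwarded RDP packet through both NAT layers and through the bridged single-layer topology, so the difference in what the XG's WAN interface actually sees is concrete: behind a modem, the packet reaches the XG with the modem's LAN-side private address as its destination, not the public IP. It also includes a check for the usual tell-tale of an upstream NAT layer (a private or CGNAT address on the firewall's WAN side). All addresses, ports and rule contents are constructed for the example; the "mismatched" case models a DNAT rule whose original-destination match is the public IP while the XG still sits behind the modem, and is only a general NAT fact, not a claim about what v19 does internally.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ranges that, seen on a firewall's WAN interface, indicate another NAT
# layer (home modem/router or ISP carrier-grade NAT) sits upstream.
UPSTREAM_NAT_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


def wan_address_suggests_upstream_nat(wan_ip: str) -> bool:
    """True when the WAN address is private (RFC 1918) or CGNAT space."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in UPSTREAM_NAT_RANGES)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatDevice:
    """One NAT hop with destination-NAT (port-forward) rules.

    Each rule matches on (original destination IP, original destination
    port) and rewrites to (translated IP, translated port), the same
    shape as a DNAT rule's original/translated destination fields."""
    name: str
    wan_ip: str
    forwards: dict  # (orig dst ip, orig dport) -> (new dst ip, new dport)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        rule = self.forwards.get((pkt.dst, pkt.dport))
        if rule is None:
            return None  # no DNAT rule matched: packet goes no further
        new_dst, new_dport = rule
        return Packet(pkt.src, pkt.sport, new_dst, new_dport)


def trace(path: list, pkt: Packet) -> list:
    """Apply each NAT hop in order; return (hop name, packet after hop),
    stopping at the first hop that has no matching rule."""
    steps = []
    for dev in path:
        pkt = dev.forward(pkt)
        steps.append((dev.name, pkt))
        if pkt is None:
            break
    return steps


def delivered_to(steps: list) -> Optional[tuple]:
    """Final (ip, port) the packet was delivered to, or None if dropped."""
    last = steps[-1][1]
    return None if last is None else (last.dst, last.dport)


# Constructed topology for the example (documentation/private ranges).
PUBLIC_IP = "203.0.113.10"     # modem's public address
XG_BEHIND_MODEM = "192.168.0.2"  # XG WAN address on the modem's LAN side
RDP_HOST = "10.1.1.50"         # internal workstation
HIGH_PORT = 50000              # external port forwarded to RDP
ADMIN_SRC = "198.51.100.7"     # the single permitted remote address


def inbound_rdp() -> Packet:
    return Packet(ADMIN_SRC, 40000, PUBLIC_IP, HIGH_PORT)


def double_nat_path() -> list:
    """Modem forwards the high port to the XG; the XG forwards to RDP."""
    modem = NatDevice("modem", PUBLIC_IP,
                      {(PUBLIC_IP, HIGH_PORT): (XG_BEHIND_MODEM, HIGH_PORT)})
    xg = NatDevice("xg", XG_BEHIND_MODEM,
                   {(XG_BEHIND_MODEM, HIGH_PORT): (RDP_HOST, 3389)})
    return [modem, xg]


def mismatched_path() -> list:
    """XG still behind the modem, but its rule keys on the public IP."""
    modem = double_nat_path()[0]
    xg = NatDevice("xg", XG_BEHIND_MODEM,
                   {(PUBLIC_IP, HIGH_PORT): (RDP_HOST, 3389)})
    return [modem, xg]


def bridged_path() -> list:
    """Modem in bridge mode: the XG holds the public IP directly."""
    xg = NatDevice("xg", PUBLIC_IP, {(PUBLIC_IP, HIGH_PORT): (RDP_HOST, 3389)})
    return [xg]


if __name__ == "__main__":
    for label, path in (("double NAT", double_nat_path()),
                        ("mismatched rule", mismatched_path()),
                        ("bridged", bridged_path())):
        print(f"== {label} ==")
        for dev in path:
            flag = wan_address_suggests_upstream_nat(dev.wan_ip)
            print(f"  {dev.name} WAN {dev.wan_ip} upstream NAT likely: {flag}")
        for hop, pkt in trace(path, inbound_rdp()):
            print(f"  after {hop}: {pkt}")
        print(f"  delivered to: {delivered_to(trace(path, inbound_rdp()))}")
```

Run it as a script to see the three traces side by side. The practical check it encodes is the first thing to look at when a port forward that used to work stops working after a topology or firmware change: if the firewall's WAN address is in one of the listed ranges, a second NAT device is translating in front of it, and the original-destination match on the firewall's DNAT rule has to be the address the firewall actually holds, not the public one.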

  • Interface Setup

    PORT 1 LAN, is default vlan (0), UNTAGGED.

    MLK_Voip is a VLAN (20) that is also on Port 1, but it is TAGGED and MUST be set up as a VLAN; creating a virtual interface on port 1 didn't work for us.

    Relay Setup

    Bryan, I just experienced this issue.  Sophos is configured differently than a typical Cisco; once you see it work, it makes sense.  The ACL violations on RULE 0 and NAT 0 are ACL, which is a little misleading, in that you don't need to change a firewall or NAT rule.  You need to fix the way you have DHCP relay configured and the ACL violations will disappear.

    On our setup, we have the default data LAN as default, VLAN 0, and our VoIP LAN is 20.  On the Sophos FW, you need rules for BOTH the default LAN and your voice VLAN; both of these need to forward to the upstream DHCP server.

    In our case, we have another Sophos upstream from this one where our DHCP server resides.  To get the DHCP requests to our server, 10.0.0.12, we must also create another DHCP relay on the Upstream Sophos FW's VLAN interface that receives traffic from this firewall.

    We had to create rules for each branch VLAN connected to our primary gateway.  Each branch has a Sophos FW.
