Sophos DDNS unable to determine IP address behind NAT

Hello,

We have a Sophos firewall (SFOS 19.0.0 GA-Build317) behind a NAT router, and there is an issue with dynamic DNS on the firewall: it shows a failed/unknown update when the NATed public IP option is selected. We have already checked with two different DNS providers: Google and Cloudflare.

The DNSD, FQDND and DNSgrabber services are running on the firewall.

The WAN port is Port2, which has a DHCP-assigned private IP address. The failed resolution shows up when the NATed public IP option is selected, but it works fine when the Port IP option is selected.

The command output from the CSC service in debug is:

# tail -f /log/ddc.log
cache{****.net}{mx}           :
cache{****.net}{static}       : 0
cache{****.net}{status}       :
cache{****.net}{warned-min-error-interval} : 0
cache{****.net}{warned-min-interval} : 0
cache{****.net}{wildcard}     : 0
cache{****.net}{wtime}        : 30
[2022-07-29 15:37:45Z] DEBUG:    get_ip: using cmd, curl --capath /conf/certificate/cacerts/ checkip.cyberoam.com/ --silent -m 30 --interface Port2 reports <undefined>
[2022-07-29 15:37:45Z] WARNING:  unable to determine IP address
[2022-07-29 15:37:45Z] DEBUG:    sleep 300

When trying to resolve the dynamic domain, it resolves to the correct IP address on the CLI but shows as failed in the GUI.

Best regards,
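The get_ip line in the ddc.log above is the firewall fetching its NATed public address from a check-ip service through Port2 and getting nothing back. The script below is an added example for the advanced shell, not part of the original post and not Sophos code: it repeats that fetch by hand with the same curl form and classifies the reply (empty, invalid, private, public), which separates a fetch that returns nothing from an upstream hop that is itself NATed and hands back a private address. CHECKIP_URL, CA_PATH and the function names are assumptions made for this example.

```shell
# Added diagnostic helper (not Sophos code): re-runs the get_ip step from
# /log/ddc.log by hand and classifies the reply, so an "unable to determine
# IP address" result can be pinned to a stage. The curl form and interface
# name come from the log; CHECKIP_URL, CA_PATH and function names are assumed.

CHECKIP_URL="checkip.cyberoam.com/"
CA_PATH="/conf/certificate/cacerts/"

# Return 0 if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Classify a check-ip reply the way the DDNS client would see it:
#   empty   -> reproduces the <undefined> / "unable to determine" case
#   invalid -> an error page or text came back instead of an address
#   private -> RFC 1918, loopback or CGNAT (100.64/10) space: the hop
#              upstream is itself NATed, so a public IP cannot be learned here
#   public  -> the only kind of answer DDNS can publish
classify_ip() {
    ip=$1
    [ -n "$ip" ] || { echo empty; return 1; }
    is_ipv4 "$ip" || { echo invalid; return 1; }
    case "$ip" in
        10.*|192.168.*|127.*) echo private; return 1 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*)
            echo private; return 1 ;;
        172.*)  # 172.16.0.0/12 covers second octets 16..31
            o2=${ip#172.}; o2=${o2%%.*}
            if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo private; return 1; fi ;;
    esac
    echo public
}

# The same command the firewall logged, bound to the WAN interface named in $1.
get_ip_via() {
    curl --capath "$CA_PATH" "$CHECKIP_URL" --silent -m 30 --interface "$1"
}

# Fetch through the given interface and report what kind of reply came back.
# Usage from the advanced shell: check_ddns_source Port2
check_ddns_source() {
    reply=$(get_ip_via "$1" | tr -d '[:space:]')
    kind=$(classify_ip "$reply" || true)
    echo "iface=$1 reply='${reply:-<undefined>}' kind=$kind"
    [ "$kind" = public ]
}
```

A `private` result is the case to look for when a check-ip fetch succeeds but the DDNS update still fails: the firewall has learned an address it cannot publish.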



  • Hello Ally,

    Thank you for reaching out to the community. From the advanced shell, can you execute the following commands and provide the output here:
    >  nslookup checkip.cyberoam.com
    > telnet checkip.cyberoam.com 443

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 


    If a post solves your question please use the 'Verify Answer' button.

  • Hello Vivek,


    The output of the commands is below. Thanks.


    # nslookup checkip.cyberoam.com
    Domain Name Server#  127.0.0.1
    Domain Name       #  checkip.cyberoam.com
    Resolved Address 1#  103.219.21.208
    Resolved Address 2#  103.219.21.212;
    Resolved Address 3#  103.219.21.211;
    Resolved Address 4#  103.219.21.210
    Total query time  #  1062.83 msec
    can't resolve 'checkip.cyberoam.com'

    # telnet checkip.cyberoam.com 443
    Trying 103.219.21.208...
    Connected to checkip.cyberoam.com.
    Escape character is '^]'.

  • Hi Ally 

    NATed public IP will translate the IP address of the interface. Use this if your Sophos XG firewall is behind a router and uses a private IP address.

    Can you configure your upstream router in bridge mode? If you configure the upstream router in bridge mode, you will get a public IP on the Sophos XG, which might help to resolve the issue.

    Regards 

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Hello Bharat,

    We already selected the NATed public IP option, but it is not working; it only works fine when the Port IP option is selected.

    We cannot configure our upstream router in bridge mode. Our network does not allow putting the router in bridge mode. Thanks.

  • Hi Ally 

    Can you share the configuration you have done to forward all the ports on your upstream router to the Sophos XG IP in the WAN zone?

    Regards 

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • > Can you share the configuration you have done to forward all the ports on your upstream router to the Sophos XG IP in the WAN zone?

    Hi Bharat, all the forwarded ports on the upstream router for the Sophos IP are: TCP (8443), and UDP (500, 1701, 4500, 8443).

    Regards,

  • Hi Ally 

    Thanks for the update. It seems you have forwarded only the TCP (8443) and UDP (500, 1701, 4500, 8443) ports; it would be great if you forwarded all the ports, not only specific ones.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Hi Bharat, we already tried to put the Sophos IP in the DMZ on our upstream router, but it is not working.

    My question is, what ports need to be opened for this purpose? Thanks.

  • Hi Ally 

    Just to make sure: you are not using any other DNS provider previously attached to the same interface?

    This is to troubleshoot the issue and to verify that your upstream router is not blocking any service port: forward all the ports and check whether it is working or not. If it works, we have to make sure the proper ports are forwarded, like 443.

    To check the issue from the upstream router side, the above step needs to be checked, as well as from your DDNS service provider.

    I would like to suggest you try to configure the DDNS service from https://www.noip.com/; it gives you a 30-day free trial. This is just to verify that DDNS is working on the Sophos XG, or that the issue is from your DDNS service provider or upstream router.

    Some snapshots from my lab:

    You may also carry out the steps below.

    1. Open Console > option 5 > 3 for the advanced shell

    2. Run the command tail -f /log/WINGc.log

    3. Go to DDNS, select edit and save it

    To restart the WINGc service, run the command below:

    service WINGc:restart -ds nosync

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Hi Bharat, we already checked with three different service providers: DynDNS, Google and Cloudflare. None of them work. Thanks.