Create 1-1 NAT for accessing the firewall using DynDNS hostname

I have configured the XG firewall and want to access it using the DynDNS hostname. This makes it easier to access the Web Admin interface using the same URL whether I am inside the home network or outside. I have read many articles on how to do 1-1 NAT but they assume that the WAN port is assigned the public IP address, which is not so in my case. The public address must be a FQDN host (like abc.dyndns.org). I am finding that XG does not allow me to use a FQDN host almost anywhere.

I had done this in UTM9 easily but cannot find any way to do this in XG firewall. Any clear instructions will be appreciated.

Thanks,

Arun



This thread was automatically locked due to age.
  • Sachin,

    The XG firewall does not see my public IP address.

    Internet->(Public IP)Verizon Modem(192.168.1.x)->(WAN 192.168.1.3)XG firewall (192.168.200.x LAN)

    So, only the Verizon modem sees my public IP address. The XG firewall sees 192.168.1.3 as the WAN IP address. I have configured the Verizon modem with 192.168.1.3 as a DMZ IP address so all traffic gets passed to the XG firewall. But the XG firewall has no knowledge of my public IP address. In UTM9 this is not a problem. I have configured "My Public IP" as a DNS host and use it within the full NAT rule. There is no way to do this in XG firewall.

    The article you have pointed to assumes that the XG firewall has access to my public IP which it does not.

    Thanks,

    Arun

  • Hi Arun,

    What was the configuration setup you had with UTM 9? Configuring full NAT on UTM will basically bind UTM with a DNAT (Business rule in XG) and an SNAT (Static NAT in XG); hence, it is possible in XG. Meanwhile, is it possible to map the DDNS request hitting the modem interface towards XG on 192.168.0.3? As the first point of contact will be the ISP modem, XG won't be aware of the request packet.

    Thanks

  • This is how I am doing it on the UTM9 and it has been working fine for several years. Please let me know how to translate this into XG.

    Rule Type: Full NAT (source + destination)
    For traffic from: Internal (Network) (192.168.200.0/24)
    Using Service: WebAdmin (Service defined as Protocol: TCP, Destination Port: 4444, Source Port: 1:65535)
    Going to: My Public IP (This is an entry of type "DNS host" in UTM9 resolving to the IP address assigned by the ISP)
    Change the destination to Internal (Address) (LAN port IP of UTM9 192.168.200.1)
    Change the source to Internal (Address) (LAN port IP of UTM9 192.168.200.1)
    Automatic firewall rule: Yes

    More clarification on "My Public IP". In UTM9, I created an entry under network definitions. The entry type is DNS host, the entry name is "My Public IP", and the DNS hostname is abc.dyndns.org. UTM9 uses the DNS server on my network to resolve this name to the ISP-assigned IP. As you can see, the WAN port IP is not used anywhere.

    XG is not allowing me to use DNS host entry abc.dyndns.org in policy or static NAT. Unless there is a workaround, this seems to be a major omission.

    Thanks,

    Arun
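
    An added example, not from this post or from Sophos, that models the UTM9 Full NAT rule above as a small rule matcher in Python, to show what the rule does to a LAN client's connection: the DDNS name is resolved at match time (the firewall itself never holds the public IP), the destination is rewritten to the LAN-side admin address, and the source is rewritten so the reply returns through the firewall. The resolved public address 203.0.113.10 and the client address are constructed sample values; the DDNS_TABLE dict stands in for the LAN DNS server.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed resolver: stands in for the LAN DNS server that resolves the
# "DNS host" abc.dyndns.org to whatever address the ISP currently assigns.
DDNS_TABLE = {"abc.dyndns.org": "203.0.113.10"}  # constructed sample address

def resolve(hostname):
    """Look the DDNS name up at match time; the firewall never knows this IP itself."""
    return ipaddress.ip_address(DDNS_TABLE[hostname])

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class FullNatRule:
    from_net: str   # "For traffic from": Internal (Network)
    going_to: str   # "Going to": the DNS host name ("My Public IP")
    proto: str      # "Using Service": protocol ...
    dport: int      # ... and destination port
    new_dst: str    # "Change the destination to"
    new_src: str    # "Change the source to"

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and pkt.dport == self.dport
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.from_net)
                and ipaddress.ip_address(pkt.dst) == resolve(self.going_to))

    def apply(self, pkt):
        """DNAT to the LAN-side admin address, then SNAT so the reply goes back via the firewall."""
        if not self.matches(pkt):
            return pkt  # non-matching traffic passes untouched
        return replace(pkt, dst=self.new_dst, src=self.new_src)

# The UTM9 rule from the post, expressed as data.
WEBADMIN_HAIRPIN = FullNatRule(
    from_net="192.168.200.0/24", going_to="abc.dyndns.org",
    proto="tcp", dport=4444,
    new_dst="192.168.200.1", new_src="192.168.200.1",
)
```

    Only LAN traffic to the resolved DDNS address on TCP 4444 is rewritten; anything else, including the same port from the modem-side 192.168.1.0/24 network, is left alone.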

  • Hi Arun,

    In UTM the local DDNS requests are mapped to the UTM interface via a static host entry through a Full NAT. Configure a DNS host entry for xyz.com: go to System > Network > DNS > DNS host entry and define the hostname bound to the WAN interface. PFA screenshot:

    Let me know if that helps.

  • I will try that, but I still need a worked-out example for configuring full NAT. In the XG interface, I cannot figure out what to fill in where in the business rule. There is a Host, Source Zone, Hosted Address, Protected Zone, Protected Application Server, Rewrite Source Address, Create Reflexive Rule... Is one rule enough for creating full NAT or do I need two rules? Nothing is clear in the documentation.

  • Hi Arun,

    I must say that a Full NAT was not required in UTM either. You just needed an SNAT for local DDNS requests. As I mentioned earlier, configuring Full NAT will define a DNAT/Business rule (not required) and an SNAT (to suffice internal requests).

    Thanks

  • Unfortunately, unless you can specifically tell me what goes where, I have wasted more than 8 hours testing different combinations of source, destination, etc., but nothing works. So, I think the XG firewall is a useless product because it does not allow users to easily configure simple rules. It also has no troubleshooting capabilities like the live log of UTM9. I am giving up wasting more time on this product and going back to UTM9, which is far superior.

    Thanks,

    Arun