How to replicate UTM rule to redirect DNS, NTP to internal server?

Hi,

Can you show us a picture of the configuration on UTM, I am not able to understand what exactly are you trying to explain?

Thanks

I'll try to post a screengrab or something later - can't access my UTM right now.

The aim is to catch attempts to access external DNS services and redirect them to the UTM/XG's DNS service instead.  Same with NTP.

Written down, the UTM rule would say this:

- for traffic from LAN

- using service DNS

- going to Internet IPv4

- change destination to UTM's LAN IP address

Thanks!

Hi Jeff,

To replicate this, you need to create Non-HTTP Business Application rule that would supercede (top) the others with the following setup:

-Source Zone: LAN

-Allowed Client Networks: Any (Or a network definition of your subnet)

-Destination Host/Network: Create an IP Range of 0.0.0.1-255.255.255.254

-Forward type: Port/Port list (NTP & DNS/NTP/DNS)

-Protocol: DNS can be both TCP and UDP, but is primarily UDP

-Protected Server: Create an IP Host object for the internal IP Address of the XG

-Mapped Port Type: Match the configuration of forwarding if it's not auto done for you

-Protection zone: LAN

Creating an IPS rule for DNS and NTP wouldn't hurt and you shouldn't need to rewrite source addressing and you won't need to create a reflexive rule.

This should do it, hope that helps!

Emile

Hi Jeff,

To replicate this, you need to create Non-HTTP Business Application rule that would supercede (top) the others with the following setup:

-Source Zone: LAN

-Allowed Client Networks: Any (Or a network definition of your subnet)

-Destination Host/Network: Create an IP Range of 0.0.0.1-255.255.255.254

-Forward type: Port/Port list (NTP & DNS/NTP/DNS)

-Protocol: DNS can be both TCP and UDP, but is primarily UDP

-Protected Server: Create an IP Host object for the internal IP Address of the XG

-Mapped Port Type: Match the configuration of forwarding if it's not auto done for you

-Protection zone: LAN

Creating an IPS rule for DNS and NTP wouldn't hurt and you shouldn't need to rewrite source addressing and you won't need to create a reflexive rule.

This should do it, hope that helps!

Emile

A bit more complex than UTM, then!  ;-)

Thanks Emile, I appreciate your help.  I'll give that a go :-)

Hi Jeff,

Ha ha, it is a teensy bit because in the majority of cases the XG is combining multiple spread out systems on the UTM into one area which means some things get streamlined, others get complex, ha ha!

If you have any problems, let us know and provide a screenshot of your rule set up and information from logs (if any) and we will see if we can resolve :)

Emile

I tried this and the XG Firewall gave me an error stating that "An IP range was used as the destination.  So an IP range is required for the Protected Server."  This makes no sense to me.  Why can't I redirect traffic heading to any IP to a single IP?

I'm trying to redirect NTP requests to a server I've had to set up because the XG doesn't have an NTP server.  What a giant pain that is!

So instead of an IP range in the destination, I used the internal IP address of the XG Firewall and port 123.  I forward this to the IP of my internal NTP server with the same port.  Not sure if this is working yet....

Thanks.

If it helps...  that's my NTP-catching rule in the image.  ntp.boolie.net is an internal linux box (well, a Raspberry Pi actually!) running ntpd.

And yes, I agree it would be lovely to have ntp service back on the UTM, another thing we lost between UTM9 and XG.

Thanks Jeff.

I am sure that NTP server will be added soon inside the XG.

Please vote the feature request:

http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10813476-xg-as-ntp-server

Thanks to all!

Many thanks Jeff,

My setup was nearly identical other than my Source was "LAN" and my Allowed Clients was also "LAN".  I've revised mine to match yours.  Fingers crossed...

Emile, this idea is logical and it's fine for catching NTP traffic trying to hit the XG machine and redirecting that (as my screenshot shows) but it doesn't work for catching NTP or DNS going outside the LAN, which was the other part of the problem [:(]

XG will not allow the protected server to be a single IP when the original destination is a range.

When I did some more investigation, it seems that XG's UI insists - incorrectly - that the protected server must be an IP range with the same number of addresses as the original destination.  The message "Number of IP addresses in external IP range and modified IP range must match" pops up if one tries to set up something different.

So presumably it could redirect a single address to another single address, or the whole internet to the whole internet (utterly pointless), but it cannot trap traffic to a range (e.g. the outside world) and redirect it to a single server as needed here.

Any thoughts?  Mine are that this is a bug and it needs to be fixed!

I see others have hit the same block: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/84813/business-application-rule---must-select-an-ip-range-for-protected-server-s-dnat-ntp

ps - Sorry to be so long getting back to the second part of this - I had other stuff that needed attention more urgently.

hi,

Cd you please check attached configuration. I tried routing NTP traffic to public NTP server. It's not working. Could yo please help with this ?

All i need is to forward the NTP requests to a public NTP server.

Model: XG450 (SFOS 17.0.5 MR-5) 

Rule Type:Business Application Rule