Business Application Rule - must select an IP Range for Protected Server(s) / dnat ntp

I'm having trouble setting an IP range for an internal DNAT rule to redirect NTP (UDP/123) traffic destined for the WAN to an internal server in the LAN. A single IP entry works, but I want the rule to catch <ANY> destination IP heading to the WAN interface and redirect it (with masquerading) to the inside. When I try to define a range in the "Destination Host/Network" section, the wizard complains that I "must select an IP Range for Protected Server(s)". I found this thread https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80501/how-to-replicate-utm-rule-to-redirect-dns-ntp-to-internal-server where another user was trying to accomplish the same. However, even trying those settings using my port GW address as destination, I'm not seeing the traffic being redirected with tcpdump. Is it possible with version 16.01.2, or is this a known bug? I think an "ANY" option for destination would work perfectly, but it's missing, and I also tried 0.0.0.0 like the other poster but the UI prevented me. Thanks for any input.

  • You appear to have server on your LAN, why don't you make that your DHCP server and use an option to point the NTP calls at your NTP server rather than complex firewall rules?

  • Hi rfcat_vk,

    I will explore the DHCP option, but I also want to use the firewall to stop users from bypassing those DHCP options. Personally I don't see this as being a complex firewall rule, as it's simply a PREROUTING DNAT for UDP 123 using POSTROUTING MASQUERADE (i.e. two lines in iptables). I've also opened a support case to inquire whether this "must select an IP range for protected server" is a known bug.

    Thanks.

  • You can block all users except your server from using 123 outgoing.

    Your actions would be even easier if the XG had an NTP proxy function like the UTM.
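The "two lines in iptables" the previous reply refers to, together with the outbound block suggested here, as an added example that is not from this thread or from Sophos; the interface names and the server address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Sophos): the PREROUTING DNAT + POSTROUTING
# MASQUERADE pair behind "redirect all outbound NTP to an internal server", plus the
# outbound block suggested in the reply above. Interface names and the server
# address are assumptions; 192.0.2.10 is a documentation address.
LAN_IF="${LAN_IF:-eth1}"                 # assumed LAN-facing interface
WAN_IF="${WAN_IF:-eth0}"                 # assumed WAN-facing interface
NTP_SERVER="${NTP_SERVER:-192.0.2.10}"   # assumed internal NTP server

# Print the rules instead of applying them, so they can be reviewed (or diffed
# against a running ruleset) before being run with APPLY=yes.
ntp_redirect_rules() {
cat <<EOF
# 1. Any UDP/123 arriving from the LAN, whatever its destination, is rewritten to
#    the internal server. "! -d" keeps the server's own upstream sync from being
#    looped back onto itself.
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 123 ! -d $NTP_SERVER -j DNAT --to-destination $NTP_SERVER
# 2. Hairpin: client and server share the LAN, so without masquerading the server
#    would answer the client directly from its own address and the client would
#    drop the reply (it expected an answer from the original WAN destination).
iptables -t nat -A POSTROUTING -o $LAN_IF -p udp --dport 123 -d $NTP_SERVER -j MASQUERADE
# 3. Belt and braces: only the NTP server itself may reach UDP/123 on the WAN.
iptables -A FORWARD -o $WAN_IF -p udp --dport 123 ! -s $NTP_SERVER -j DROP
EOF
}

if [ "${APPLY:-no}" = yes ]; then
  ntp_redirect_rules | sh -e
else
  ntp_redirect_rules
fi
```

Run it once without APPLY to read the generated rules, then with APPLY=yes as root to load them; the NAT rules only take effect if IP forwarding is enabled on the box.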

  • Hi Ian, the DHCP server NTP option doesn't work for all clients. What he is trying to do is trivial in UTM9 and is needed for hard-coded devices like Roku etc. that want to get NTP time directly from the internet. In UTM9 you can set up a DNAT rule as follows:

    DNAT > Source Internal Network > Service NTP > Destination INTERNET (0.0.0.0) > DNAT to Internal Interface IP of your firewall (since UTM has a built-in NTP server) or IP of local NTP server.

    In XG, there is no built-in definition for ANY or INTERNET (0.0.0.0), so you have to define an IP range that will cover all IPs, like 0.0.0.1 to 255.255.255.254. But when you do that, XG says you can't forward traffic for a range of IPs to a single host.

    The idea is basically taken from this post by https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80501/how-to-replicate-utm-rule-to-redirect-dns-ntp-to-internal-server/306949#306949

  • Billybob, you are spot-on with what I'm trying to do.

    In XG, there is no built-in definition for ANY or INTERNET (0.0.0.0), so you have to define an IP range that will cover all IPs, like 0.0.0.1 to 255.255.255.254. But when you do that, XG says you can't forward traffic for a range of IPs to a single host.

    It's strange really! This is the error when I try to enter a range for the "Destination Host /Network" field:

    Been pulling my hair out trying to figure this out; I saw @EmileBelcourt's post last night an hour before I posted my message and tried the steps, which failed for me.

    The good news is support responded to my ticket, but... they gave me instructions for SNAT UDP 123 on WAN. I've updated the ticket and am awaiting a reply.

    I really hope this is just some bug, every time I hit some limitation in XG, which should be trivial, I learn it was cake in UTM9. *scratches head* I wonder why Sophos didn't keep building on that...

  • CyberA said:

    I really hope this is just some bug, every time I hit some limitation in XG, which should be trivial, I learn it was cake in UTM9. *scratches head* I wonder why Sophos didn't keep building on that...

    Don't get me started [:D]... I have written volumes on the subject. Keep us posted, hopefully support will have a more elegant solution.

  • My support case has been closed now. Support said the functionality of forwarding a range to a single IP is not supported in the current release.

    They also said the feature will be considered as a possible enhancement for a later date but no timeline or future version was given. [:(]