Business Application Rule - must select an IP Range for Protected Server(s) / dnat ntp

I'm having trouble setting an IP range for an internal DNAT rule to redirect NTP (UDP/123) traffic destined for the WAN to an internal server in the LAN. A single IP entry works, but I want the rule to catch <ANY> destination IP heading to the WAN interface and redirect it (with masquerading) to the inside. When I try to define a range in the "Destination Host/Network" section, the wizard complains that I "must select an IP Range for Protected Server(s)". I found this thread https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80501/how-to-replicate-utm-rule-to-redirect-dns-ntp-to-internal-server where another user was trying to accomplish the same. However, even trying those settings using my port GW address as destination, I'm not seeing the traffic being redirected with tcpdump. Is it possible with version 16.01.2, or is this a known bug? I think an "ANY" option for destination would work perfectly, but it's missing, and I also tried 0.0.0.0 like the other poster, but the UI prevented me. Thanks for any input.

  • You appear to have a server on your LAN, so why don't you make that your DHCP server and use an option to point the NTP calls at your NTP server rather than complex firewall rules?

  • Hi rfcat_vk,

    I will explore the DHCP option but also want to use the firewall to prevent users from bypassing those DHCP options. Personally I don't see this as being a complex firewall rule, as it's simply a PREROUTING DNAT for UDP 123 using POSTROUTING MASQUERADE (i.e. two lines in iptables). I've also opened a support case to inquire whether the "must select an IP range for protected server" message is a known bug.

    Thanks.

  • You can block all users except your server from using 123 outgoing.

    Your actions would be even easier if the XG had an NTP proxy function like the UTM.
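The two netfilter rules the second post refers to (PREROUTING DNAT plus POSTROUTING MASQUERADE), together with the "block UDP/123 outbound from everyone except the NTP server" rule suggested in the last reply, written out as an added example. This is generic Linux iptables, not Sophos XG configuration and not code from anyone in the thread; the interface names, the LAN subnet and the NTP server address are constructed placeholders set through environment variables, and DRY_RUN=1 (the default) only prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: Linux iptables equivalent of "catch any NTP destination on the
# way to the WAN and redirect it to the internal NTP server, with masquerading".
# All names below are assumptions, not values from the thread.
WAN_IF="${WAN_IF:-eth0}"                    # assumed WAN interface
LAN_IF="${LAN_IF:-eth1}"                    # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # constructed LAN subnet
NTP_SERVER="${NTP_SERVER:-192.168.1.10}"    # constructed internal NTP server
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute them

# Print the command (dry run) or execute it; returns the command's status.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rule 1: rewrite the destination of every UDP/123 packet coming from the LAN
# (whatever external server it was aimed at) to the internal NTP server.
# Packets already addressed to the server are left alone.
ntp_dnat_rule() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$NTP_SERVER" \
        -p udp --dport 123 -j DNAT --to-destination "$NTP_SERVER"
}

# Rule 2: hairpin masquerade. Client and NTP server sit on the same LAN, so
# without this the server would answer the client directly with its own source
# address, the client would not match that to the query it sent, and the
# firewall would never get to undo the DNAT. Restricting to --ctstate DNAT
# leaves clients that talk to the server directly untouched.
ntp_masq_rule() {
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -d "$NTP_SERVER" \
        -p udp --dport 123 -m conntrack --ctstate DNAT -j MASQUERADE
}

# Rule 3: belt and braces from the last reply. Only the internal NTP server may
# send UDP/123 towards the WAN; everything else is dropped if the DNAT rule is
# ever missing or bypassed.
ntp_block_rule() {
    run iptables -A FORWARD -o "$WAN_IF" ! -s "$NTP_SERVER" \
        -p udp --dport 123 -j DROP
}

# Verification: list the NAT rules with counters and watch UDP/123 on the LAN
# side; after the rules are in, the tcpdump output should show the original
# client queries and, for the redirected flows, replies coming from NTP_SERVER.
ntp_verify() {
    run iptables -t nat -L PREROUTING -n -v
    run iptables -t nat -L POSTROUTING -n -v
    run tcpdump -n -i "$LAN_IF" -c 10 udp port 123
}

# Apply all three rules in order; returns non-zero if any of them fails.
ntp_apply_all() {
    ntp_dnat_rule && ntp_masq_rule && ntp_block_rule
}

ntp_apply_all
```

Run the script as-is to review the generated rules, then re-run with `DRY_RUN=0` as root to install them; the rules are appended, so re-running adds duplicates unless the chains are flushed first. The same matches carry over to nftables, but the syntax differs.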
