Web Server Rule for XG 16.x

I'm running into a brick wall trying to expose port 80 on a web server in my LAN zone to the WAN zone. With other products this is a fairly simple port forward type rule, but with XG 16.x I cannot get this to work. I've tried every rule template, all the different options and have read countless other threads and articles from others with similar questions. Almost all of the documentation, articles and examples I've seen are prior to XG 16.x and it looks like things have changed quite a bit with the new version. Before I post screenshots to get thoughts, is there any documentation available for exposing a webserver through a rule for XG 16.x? I know it shouldn't be this difficult. Thanks for any help.



  • David,

    Give us more details about your network map.

    Have a look at this thread.

    Sacha posted its screenshot.

    Thanks

  • Thanks for the reply, Sacha. I did find that thread earlier. I have a similar scenario, but even simpler and it is not working for me. In the logs, I can see that the firewall is letting the rule through, but from the client web browser, there is never a connection. Here is a summary of what I have configured and I've also attached some pics if that helps. Let me know if you have any thoughts or if you think I'm doing something wrong. Thank you in advance.

     

    XG v16.01.2 - WAN Interface: 10.0.0.27  Lan Interface: 192.168.0.254

    Web Server - Lan Interface: 192.168.0.5

     

     

  • David,

    Make sure Windows Firewall is allowing the traffic and that your upstream router is correctly forwarding port 80 to XG wan interface.

  • Good thoughts! I have another PC on the LAN network and I can successfully hit the website on the server (192.168.0.5) and all works fine so I think that rules out the windows firewall. On the WAN network, I have another PC I'm using for testing so there is no port forwarding happening from an upstream router at this time.

    Let me know if you have other thoughts. It's great to keep thinking through all the possibilities so thank you.

  • David,

    Windows Firewall has different profiles. Make sure, if enabled, all profiles are checked on the http rule.

    For the upstream router you have to create a DNAT from WAN to XG WAN.

  • Thanks Luk! I've validated the firewall is set OK and there is no upstream router at this point. I also replaced XG with a different firewall and all worked perfectly. I'm either doing something wrong with XG or I'm hitting a bug somewhere. Thanks again for your thoughts.

  • Hello,

     

    I would say from my past experience with Astaro 7.x through the latest UTM, before switching over to the VM machine of XG for home, in November, it is a setting in the XG, not a bug.

    Under UTM I had to have DNAT and SNAT rules set up with the port forwarding to my web server behind the UTM. I am now just trying to learn the XG product and get my rules / policies or settings to do the same again for my web server behind XG. XG has a learning curve going from UTM to XG or for the first-time user. I have a domain name. You need to have your NAT rules set correctly. You need a rule so you can use the external domain name from inside your LAN to access the web server by its external domain name. Right now I can hit the web server internally from my computer using the internal LAN IP, but not if I use my external domain name for it. Can't remember if it is the DNAT or the SNAT that lets internal LAN machines hit the web server by the domain name. There are many posts with answers for various port forwarding configurations for servers behind the XG.

     

    It took me a long time to get skilled with Sophos UTM, and once I figured out the settings and rules for port forward to various machines behind UTM, I made note of it and then all the rest is just cloning it and making the slight edits for it. For me, I need an exact step-by-step example from start to finish to learn and understand it. One can say you need a rule or policy for XYZ and tell you what you need in it, but may lack the step-by-step process to implement it. The Sophos User forum is a great place for assistance. Right now I have my network split between XG and a $150 Linksys home router firewall. Right now the Linksys connects to the VM web server and my Samsung BluRay player goes out it since somehow XG blocks its time sync, but all other network passes out XG. As I learn how to get my rules set on XG I will move things off the Linksys router to the XG. So if you can, don't give up on XG or Sophos. Run things through your other firewall / router as needed and as you figure out and get things working on XG, move them over to it. I have looked hard for other Free or even low cost solutions that provide the features and protection as Sophos, and I can't find anything better. I use a lot of the advanced features included in the Home license.

     

    Best of luck! As I figure out my rules and policies, I will post my step by step instructions that worked for me and maybe from them, others can see and make needed edits to my instructions to get their rules working.

     

    Chad