xg firewall dnat rule traffic is incoming/outgoing via same interface (WAN)

Hi, 

So I'm trying to set up a DNAT rule to forward port 8084 from the WAN interface to port 8080 on a server in the LAN.

Here is the network layout: internet (public IP) -> provider modem (ports 8080-8089 redirected to 192.168.1.100) -> xg WAN(192.168.1.100) -> XG LAN(192.168.0.1) -> LAN server (192.168.0.180). 

I tried different setups when it comes to the firewall rule; here is an example:

I also tried with MASQ, but this doesn't help.

In the log viewer I can see that traffic coming to port 8084 falls under rule id 6, so the correct one, but the in/out interface is the same, Port 2 (that is, the WAN interface):

Here is the interface configuration:


Any ideas why traffic is coming in and out of the same interface? I think this is what causes the issues with this setup.

Thanks

  • Hi Lukasz,

    Can you please share a full picture of the DNAT rule? I need to verify the configuration before taking any further step.

    Thanks

  • Hi Lukasz,

    Take a tcpdump on the specific host (destination IP of the server), i.e., 192.168.0.80. Post the dumps.

    Refer: https://community.sophos.com/kb/en-us/123567

    Thanks

  • On Port 2 (WAN):

    SFVH_SO01_SFOS 16.05.1 MR-1# tcpdump -i Port2 -n dst host 192.168.0.180
    tcpdump: Starting Packet Dump
    08:39:52.874636 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [SEW], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078211563 ecr 0,sackOK,eol], length 0
    08:39:53.894282 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078212563 ecr 0,sackOK,eol], length 0
    08:39:54.951071 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078213563 ecr 0,sackOK,eol], length 0
    08:39:55.990309 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078214563 ecr 0,sackOK,eol], length 0
    08:39:57.020008 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078215563 ecr 0,sackOK,eol], length 0
    08:39:58.043333 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078216563 ecr 0,sackOK,eol], length 0
    08:40:00.086471 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078218563 ecr 0,sackOK,eol], length 0
    08:40:04.131500 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078222563 ecr 0,sackOK,eol], length 0
    08:40:12.257495 Port2, OUT: IP 77.65.4.106.51816 > 192.168.0.180.8080: Flags [S], seq 2906173239, win 65535, options [mss 1440,nop,wscale 5,nop,nop,TS val 1078230563 ecr 0,sackOK,eol], length 0


    On Port 1 (LAN), no packets with destination port 8080 captured on Port1:
    SFVH_SO01_SFOS 16.05.1 MR-1# tcpdump -i Port1 -n dst host 192.168.0.180
    tcpdump: Starting Packet Dump
    08:45:50.610363 Port1, OUT: IP 178.54.189.77.39915 > 192.168.0.180.6889: UDP, length 287
    08:45:50.714191 Port1, OUT: IP 24.48.59.154.30967 > 192.168.0.180.6889: UDP, length 287
    08:45:50.950393 Port1, OUT: IP 110.143.14.73.50277 > 192.168.0.180.6889: UDP, length 287
    08:45:51.352327 Port1, OUT: IP 2.63.78.73.6881 > 192.168.0.180.6889: UDP, length 296
    08:45:51.636308 Port1, OUT: IP 142.54.178.178.6881 > 192.168.0.180.6889: UDP, length 40
    08:45:51.869651 Port1, OUT: IP 45.32.61.164.6881 > 192.168.0.180.6889: UDP, length 40
    08:45:52.548939 Port1, OUT: IP 52.30.149.135.6892 > 192.168.0.180.6889: UDP, length 40
    08:45:53.659549 Port1, OUT: IP 68.116.5.134.43230 > 192.168.0.180.6889: UDP, length 101
    08:45:53.785917 Port1, OUT: IP 176.49.252.223.28614 > 192.168.0.180.6889: UDP, length 287
    08:45:53.787454 Port1, OUT: IP 178.239.14.73 > 192.168.0.180: ICMP 178.239.14.73 udp port 1034 unreachable, length 137
    08:45:53.857600 Port1, OUT: IP 68.116.5.134.43230 > 192.168.0.180.6889: UDP, length 287
    08:45:54.101962 Port1, OUT: IP 194.126.137.12.12726 > 192.168.0.180.6889: UDP, length 287
    08:45:54.358275 Port1, OUT: IP 178.239.15.138 > 192.168.0.180: ICMP net 94.231.186.8 unreachable, length 137
    08:45:54.536997 Port1, OUT: IP 210.209.69.138.10556 > 192.168.0.180.6889: UDP, length 56
    08:45:54.854675 Port1, OUT: IP 178.69.180.130.6882 > 192.168.0.180.6889: UDP, length 296
    08:45:54.987487 Port1, OUT: IP 174.44.71.134.42588 > 192.168.0.180.6889: UDP, length 287
    08:45:54.995591 Port1, OUT: IP 118.70.125.77 > 192.168.0.180: ICMP host 118.70.125.77 unreachable, length 137
    08:45:55.134505 Port1, OUT: IP 96.47.144.250.47719 > 192.168.0.180.6889: UDP, length 101
    08:45:55.285684 Port1, OUT: IP 96.47.144.250.47719 > 192.168.0.180.6889: UDP, length 287
    08:45:55.463971 Port1, OUT: IP 58.181.52.130.8353 > 192.168.0.180.6889: UDP, length 287
    08:45:55.527841 Port1, OUT: ARP, Reply 192.168.0.1 is-at 00:0d:48:34:02:bf, length 28
    08:45:55.585970 Port1, OUT: IP 186.85.244.130.50928 > 192.168.0.180.6889: UDP, length 296
    08:45:55.687798 Port1, OUT: IP 72.27.70.20.40040 > 192.168.0.180.6889: UDP, length 287
    08:45:55.799733 Port1, OUT: IP 186.77.192.195.3110 > 192.168.0.180.6889: UDP, length 287
    08:45:55.799984 Port1, OUT: IP 78.244.179.199.20209 > 192.168.0.180.6889: UDP, length 287
    08:45:56.205678 Port1, OUT: IP 117.140.47.21.31061 > 192.168.0.180.6889: UDP, length 240
    ^C
    26 packets captured
    26 packets received by filter
    0 packets dropped by kernel
     
  • Hi Lukas,

    The dumps show requests forwarded to the destination IP of the server but no reply packets from the server itself. I doubt that to be a local issue; can you verify that on the server level and update us?

    Thanks

  • Hi, 


    The dump was with parameters: dst host

    I suppose this is why there is no response in the dump. 

    I don't see any outgoing packets for 192.168.0.180:8080 on Port 1? 

    We can see it only on the dump for Port2, but this is WAN, so it won't reach the server.

    The rule also shows that the packet is sent from Port2 to Port2, as if redirection didn't work.

    Thanks

  • Hi LukaszNaumowicz,

    Could you print the ARP output of your XG device and also check if there is a static route or policy route for the same?

  • There was a policy route which routed all incoming traffic from WAN to Port2 (WAN).

    Deleted the route and DNAT rule works fine.

    I don't know, however, where this rule came from. I haven't configured it manually.

    Thanks!
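The diagnostic that settled this thread, comparing the interface on which the already-translated packets leave with the interface they should leave on, can be automated against tcpdump output. The following Python script is an added example, not code from the thread or from Sophos: it parses lines in the SFOS tcpdump format shown above and reports whether packets already rewritten to the server's address and port are forwarded out the LAN interface, are sent back out the WAN interface (the hairpin symptom caused here by a stray policy route), or never appear at all (the DNAT rule itself not matching). The interface names Port1/Port2, the server address 192.168.0.180:8080 and the capture lines below are constructed for the example; the public source addresses are documentation ranges, not the ones from the thread.

```python
import re
from collections import defaultdict

# Matches the SFOS tcpdump line shape seen in the thread:
#   HH:MM:SS.usec IFACE, IN|OUT: IP a.b.c.d.sport > w.x.y.z.dport: ...
# Lines without an IP 5-tuple (ARP, ICMP unreachables) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>[^,\s]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return a dict (ts, iface, dir, src, sport, dst, dport) for one tcpdump line,
    or None if the line is not a TCP/UDP IP line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def check_dnat_path(lines, server_ip, server_port, wan_iface, lan_iface):
    """Count packets already translated to server_ip:server_port per (interface, direction)
    and classify the forwarding path:
      'ok'       - translated packets leave on the LAN interface
      'hairpin'  - translated packets leave only on the WAN (ingress) interface, the
                   symptom in this thread, where a policy route overrode the DNAT path
      'no-match' - no translated packets at all, so the DNAT rule is not matching
    """
    seen = defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == server_ip and pkt["dport"] == server_port:
            seen[(pkt["iface"], pkt["dir"])] += 1
    lan_out = seen[(lan_iface, "OUT")]
    wan_out = seen[(wan_iface, "OUT")]
    if lan_out:
        verdict = "ok"
    elif wan_out:
        verdict = "hairpin"
    else:
        verdict = "no-match"
    return {"lan_out": lan_out, "wan_out": wan_out, "verdict": verdict}


# Constructed capture, modelled on the thread: SYNs to the server leave on Port2 (WAN),
# while Port1 (LAN) only carries unrelated UDP and an ARP reply.
BROKEN_DUMP = [
    "08:39:52.874636 Port2, OUT: IP 203.0.113.10.51816 > 192.168.0.180.8080: Flags [S], seq 1, win 65535, length 0",
    "08:39:53.894282 Port2, OUT: IP 203.0.113.10.51816 > 192.168.0.180.8080: Flags [S], seq 1, win 65535, length 0",
    "08:45:50.610363 Port1, OUT: IP 198.51.100.7.39915 > 192.168.0.180.6889: UDP, length 287",
    "08:45:55.527841 Port1, OUT: ARP, Reply 192.168.0.1 is-at 00:00:5e:00:53:01, length 28",
]

# Constructed capture of the healthy case after the policy route is removed:
# the translated SYN is forwarded out Port1 towards the server.
FIXED_DUMP = [
    "09:10:01.000001 Port2, IN: IP 203.0.113.10.51816 > 192.168.1.100.8084: Flags [S], seq 1, win 65535, length 0",
    "09:10:01.000042 Port1, OUT: IP 203.0.113.10.51816 > 192.168.0.180.8080: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    for name, dump in (("before fix", BROKEN_DUMP), ("after fix", FIXED_DUMP)):
        print(name, check_dnat_path(dump, "192.168.0.180", 8080, "Port2", "Port1"))
```

Run it against a real capture by reading the tcpdump output into a list of lines and passing the firewall's own interface names; a `hairpin` verdict is the cue to review policy routes and static routes before touching the DNAT rule, exactly the order this thread ended up following.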
