Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 9 replies
  • Subscribers 27 subscribers
  • Views 19728 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT not working, packet status: Violation Local_ACL

TheBard

Hi, I've made a DNAT to forward some ports to a server behind the Sophos XG, but it doesn't seem to be working, and I can't seem to understand why.

I'm a bit new at this, so I have no clue what could cause this, so I was hoping with some help understanding what causes this.

Some info:

The network is composed by my ISP router (192.168.1.1) forwarding ports to the Sophos machine (192.168.1.254) and the rest of the network is behind it (10.*). I've already tested the port forwarding on the ISP router and works fine.

The Rule (I've also tried with MASQ off)


 

Line from Packet Capture:

And this is a sample packet information I've captured of a packet that got blocked:

Ethernet Header
Source MAC Address:64:59:f8:49:af:50
Destination MAC Address: 00:0c:29:1a:03:89
Ethernet Type IPv4 (0x800)
 
IPv4 Header
Source IP Address:173.236.246.209
Destination IP Address:192.168.1.254
Protocol: TCP
Header:20 Bytes
Type of Service: 0
Total Length: 52 Bytes
Identification:39834
Fragment Offset:16384
Time to Live: 49
Checksum: 18117
 
TCP Header:
Source Port: 36742
Destination Port: 25565
Flags: SYN
Sequence Number: 1577553627
Acknowledgement Number: 0
Window: 29200
Checksum: 46429

 



This thread was automatically locked due to age.
Parents
  • 0

    TheBard,

    uncheck the "rewrite source address" and try again.

    Regards

  • 0 in reply to lferrara

    I already tested that, I tried again to be sure, but no luck.  Same result.

    Also the firewall logs are empty.

     

  • 0 in reply to TheBard

    TheBard,

    issue a tcpdump "port xxx" from console and post the result.

    Thanks

  • 0 in reply to lferrara

    Had to figure out how to access the console, but it was easier than expected:

    console> tcpdump "port 25565"
    tcpdump: Starting Packet Dump
    15:27:00.728112 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags
     [ S ], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7],
    length 0
    15:27:01.724509 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags
     [ S ], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7],
    length 0
    15:27:03.728260 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags
     [ S ], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7],
    length 0
    ??^C
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel

  • 0 in reply to TheBard

    Meanwhile I tried also remaking the rule from scratch, changing ports and way to test them, but didn't work either.

    Strangely enough, I can forward http/s ports just fine by using the WAF, but can't make DNAT to work...

  • 0 in reply to TheBard

    Hi,

    your problem is more than likely a double nat. Router then XG. Try putting the router in bridge mode and have the XG manage the internet connection.

    Ian

  • +1 in reply to TheBard

    TheBard,

    this is strange.

    What firmware are you running?

    Did you try with the v17 beta?

    Thanks

  • 0 in reply to lferrara

    Firmware is SFOS 16.05.7 MR-7

    Haven't tried with the beta yet, I'll look into ways to update to that, if not I'll try with a fresh install. (If it can't be updated I'll test it as soon as I get back home in a day or two)

     

    I do have a double NAT as Ian pointed out, but both VPN and Http/s ports are forwarded correctly to the Sophos machine, and I have already tested the port forwarding to the Sophos IP and works perfectly. I could also try the Bridge mode (or at least the "Full NAT" mode, since that's all our ISP router has, hoping it's the same thing) but I'll have to wait for noone else to be at home first since it would cut everyone else's internet access.

     

  • 0 in reply to TheBard

    Whelp, beta 17 works fine! 

    I have no clue what the issue was still, but that solved it!

Reply Children
No Data