
LAN-to-WAN-to-LAN rule

Hi!

 

Upgraded to Sophos 17 on one of our client's networks.

The port forwarding from the outside works fine, and actually all the traffic now including VOIP is much smoother than the Cyberoam OS that was on this CR50.

Question - going to my.exampledomain.com:44444 port forwards just fine from an external address, and safely arrives on port 443 at a secondary server on the internal network, but I want the internal users to go to that same address of my.domain.com:44444 with the same result.  Right now it just comes back as not responding.  Are there any firewall rules that I can use to allow this?  Tried turning on "Create Reflexive Rule" and a mix of rewrite source address (MASQ) on and off on the current port forwarding rule to no avail.

So in essence, I want to go from the internal LAN to an external WAN address that then sends them back to the LAN.  This is so that when someone gets a notification with a link in their email, "please click on this link to view your message", it works from both the outside and inside.

Thanks!

Brad

 



  • Solved my own question.

     

    Take the port forward firewall rule you have coming in from WAN to LAN and clone it.

    Edit the cloned rule and change the source to LAN, then turn on Masq and Create Reflexive Rule.

    Done.

     

  • I have almost exactly the same question but following your solution did not achieve intended results.

     

    I cloned the rule, changed the source from WAN to LAN, and turned on MASQ and also Reflexive.

     

    What did you put for the MASQ exactly? NAT Policy or a specific IP?

  • Hi!

    So here is how my rule is set up.  It works great for me, but your situation may take a bit of tweaking?

    The 2nd server wants access on port 443, but so does the Remote App and Desktop Connection site on the RDS Server, and we only have one IP.

    DNAT/Full NAT/Load balancing Rule

    Source Zone - Lan
    Allowed Client Networks - localsubnet (or "any" since it is coming from the LAN)

    Destination - WAN
    Services - TCP 1:65535/44444

    Forward to - Server2 - mapped port 443
    Protected Zone - LAN

    Routing

    +Rewrite source address - MASQ (Default masq rule)
    +Create reflexive rule

    I also have the NAT Policy on my IPv4 Gateway set to MASQ.

     

    For me, this was the only way I could get to the 2nd server from both internally and externally, using the same https:// URL.
    Basically, you want the firewall to think that traffic to this server from both the LAN and WAN is coming from the WAN, so that it triggers the port forward.

     

    At least, that's what I have in my head.

     
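As an added illustration (not from the thread or from Sophos), here is a small Python model of the hairpin flow the rule above sets up. It shows why the "Rewrite source address (MASQ)" step is what makes the LAN-side path work: without it the server answers the client directly, bypassing the firewall, so the client never sees a reply from the public address it connected to. All IP addresses and the client port are constructed placeholders; only ports 44444 and 443 come from the thread.

```python
from dataclasses import dataclass, replace

# Constructed placeholder addresses (not from the thread).
WAN_IP, FW_LAN_IP = "203.0.113.10", "192.168.1.1"
CLIENT_IP, SERVER2_IP = "192.168.1.50", "192.168.1.20"
PUBLIC_PORT, SERVER_PORT = 44444, 443   # from the thread: 44444 -> 443


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def firewall_forward(pkt, masq, conntrack):
    """DNAT LAN -> WAN_IP:44444 onto Server2:443; with masq also SNAT to the firewall."""
    if not (pkt.dst == WAN_IP and pkt.dport == PUBLIC_PORT):
        return pkt
    out = replace(pkt, dst=SERVER2_IP, dport=SERVER_PORT)
    if masq:
        out = replace(out, src=FW_LAN_IP)
    # Remember the translation, keyed on how the server's reply will look.
    conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
    return out


def firewall_reverse(reply, conntrack):
    """Undo the translation so the client sees the reply come from WAN_IP:44444."""
    orig = conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
    if orig is None:
        return reply
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(pkt):
    """Server2 swaps the endpoints; the reply goes to whatever source it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def simulate(masq):
    """Return (client_sees_valid_reply, description) for one SYN from the LAN."""
    conntrack = {}
    syn = Packet(CLIENT_IP, 50000, WAN_IP, PUBLIC_PORT)
    reply = server_reply(firewall_forward(syn, masq, conntrack))
    # Same-subnet delivery: the reply only transits the firewall if addressed to it.
    if reply.dst == FW_LAN_IP:
        reply = firewall_reverse(reply, conntrack)
    ok = (reply.src, reply.sport, reply.dst, reply.dport) == (WAN_IP, PUBLIC_PORT, CLIENT_IP, 50000)
    return ok, f"client got reply from {reply.src}:{reply.sport}"
```

Running `simulate(False)` reproduces the "not responding" symptom from the first post (the reply arrives from Server2's LAN address, which the client's connection does not match), while `simulate(True)` shows the reply hairpinning back through the firewall as WAN_IP:44444.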
