fwrule="60002" Dropping Certain Traffic from Remote Sites

Hello,

I have our remote sites set up to connect to our UTM via eth2, but users are reporting that the SIP/VoIP desk phones are not connecting and that all the remote site printers were showing as offline (the print server is at the main office).

Other traffic such as web browsing and Citrix desktops is fine.

The firewall is showing that traffic is being dropped by the default drop rule fwrule="60002":


2016:05:20-09:24:58 srv-utm1-1 ulogd[25527]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth2" outitf="eth1" srcmac="a8:0c:0d:c2:a3:01" dstmac="00:1a:8c:f0:5c:e2" srcip="192.168.18.113" dstip="88.82.18.86" proto="17" length="200" tos="0x18" prec="0xa0" ttl="58" srcport="16470" dstport="35938"

I recently had to add two masquerading rules to get the remote sites connecting. The IPS log is empty for the same period.

Just looking for some advice as to what could be blocking the SIP and printer traffic. The remote sites are named IPVPN Projects in the rules.


Thanks,

Mark.
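A small script for reading lines like the one quoted above, added here as an illustration and not part of the thread. It splits the UTM packetfilter key="value" fields, maps the proto number to a name, checks whether the destination is private or public address space, and counts drops per rule, interface pair, protocol and port, so repeated per-packet lines collapse into the handful of flows an allow rule would have to cover. The first two sample lines are the ones from the post; the third is a constructed TCP drop to a private address on port 9100 (a common raw-printing port), included only so the summary has more than one bucket.

```python
import ipaddress
import re
from collections import Counter

# key="value" pairs as written by the UTM packetfilter logger (ulogd)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# IANA protocol numbers that appear in the proto="..." field
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: the first two lines are the ones quoted in the post,
# the third is a hypothetical TCP drop on the same rule (not from the thread).
SAMPLE_LOG = """\
2016:05:20-09:24:58 srv-utm1-1 ulogd[25527]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth2" outitf="eth1" srcmac="a8:0c:0d:c2:a3:01" dstmac="00:1a:8c:f0:5c:e2" srcip="192.168.18.113" dstip="88.82.18.86" proto="17" length="200" tos="0x18" prec="0xa0" ttl="58" srcport="16470" dstport="35938"
2016:05:20-09:24:58 srv-utm1-1 ulogd[25527]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth2" outitf="eth1" srcmac="a8:0c:0d:c2:a3:01" dstmac="00:1a:8c:f0:5c:e2" srcip="192.168.18.113" dstip="88.82.18.86" proto="17" length="200" tos="0x18" prec="0xa0" ttl="58" srcport="16470" dstport="35938"
2016:05:20-09:25:03 srv-utm1-1 ulogd[25527]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth2" outitf="eth0" srcmac="a8:0c:0d:c2:a3:01" dstmac="00:1a:8c:f0:5c:e2" srcip="192.168.18.40" dstip="192.168.10.5" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="49211" dstport="9100"
"""


def parse_ulogd_line(line):
    """Split one packetfilter line into a dict of its key="value" fields.

    The timestamp and host are the first two whitespace-separated tokens;
    everything after the process name is quoted key/value pairs. Returns
    None for lines that carry no such fields (blank lines, other daemons).
    """
    fields = dict(KV_RE.findall(line))
    if not fields:
        return None
    tokens = line.split()
    fields["timestamp"] = tokens[0]
    fields["host"] = tokens[1] if len(tokens) > 1 else ""
    return fields


def describe_drop(event):
    """Reduce a parsed drop event to the facts that matter for rule work:
    which rule fired, which interfaces, which protocol/port, and whether the
    destination is private (RFC 1918) or public address space."""
    proto_num = int(event.get("proto", "0"))
    dst = ipaddress.ip_address(event["dstip"])
    return {
        "fwrule": event.get("fwrule", ""),
        "initf": event.get("initf", ""),
        "outitf": event.get("outitf", ""),
        "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
        "dstport": event.get("dstport", ""),
        "dst_scope": "private" if dst.is_private else "public",
    }


def summarize_drops(log_text):
    """Count dropped packets per (rule, in-iface, out-iface, proto, dst scope, dstport).

    Grouping on these keys collapses repeated per-packet lines into the
    distinct flows that an allow rule would need to cover.
    """
    buckets = Counter()
    for line in log_text.splitlines():
        event = parse_ulogd_line(line)
        if not event or event.get("action") != "drop":
            continue
        d = describe_drop(event)
        key = (d["fwrule"], d["initf"], d["outitf"], d["proto"], d["dst_scope"], d["dstport"])
        buckets[key] += 1
    return buckets


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).most_common():
        rule, inif, outif, proto, scope, port = key
        print(f"rule {rule}: {inif} -> {outif} {proto}/{port} to {scope} address: {n} packets")
```

Run against a longer packetfilter export, the output separates drops that stay between internal networks (which need a site-to-site allow rule) from drops heading out of the WAN interface to a public address (which need an outbound rule), which is the first question to settle before adding rules.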



  • Hi Mark, if the default drop rule is dropping the traffic, it might mean that you need to create a firewall rule to allow the traffic you want. In simple terms, in order for traffic to go across subnets (networks) it needs to go through the UTM, and as such, your firewall. This error is simply telling you that a valid firewall rule does not exist for that traffic and it's being blocked.

    If traffic is going from the same network to the same network, it will not go through the firewall, so a rule of Source: network1, Services: Any, Destination: network1, does not do anything and should be removed.

    Your WAN2LAN rule is only allowing DNS traffic to leave your internal networks and go through the internet, if your goal is to allow web-browsing or other internet traffic, that rule will NOT work.

    For testing purposes, why don't you try creating the following firewall rules:

    1. Allow Any from IPVPN to Internal (to allow all communication from ipvpn to internal)

    2. Allow Any from Internal to IPVPN (to allow all communication from internal to ipvpn)

    3. Allow Any from Internal to Internet IPv4/Internet IPv6 (to allow full internet access)

    Also, it would help if you provided print screens of all your firewall rules, including the automatically generated rules (look at the filtering drop down lists in the firewall section)

  • Hi Kent,

    Thanks for your quick reply!

    I will create those services and test the connection.

    Looking at my Firewall rules I can see a rule with similar properties that is disabled:

    Screenshots of the other rules are:


    Thanks again!

    Mark.

  • My humble suggestions below, I'm still learning the UTM too, but maybe one of the pros can chime in.

    Rule 7: This was probably added from the "allowed networks" rule in the SSL VPN configuration. I would explicitly list the internal networks in the "allowed networks" section and control Internet access through a firewall rule. Keep in mind, you kind of already did this in rule 19.

    Rule 10: You should not need to include Internal (Address) if you already included Internal (Network). I would remove Internal (Address) for simplicity's sake.

    Rule 11: will allow internal network full access to the CCTV network, but this does not mean the CCTV network will have access to the internal network. I use similar rules to allow one of my internal subnets to communicate with devices on my guest wifi, but not the other way around.

    Rule 12: By default, unless you explicitly allow traffic, it is blocked. The only benefit I see to that rule is to remove "default drop" messages from your firewall log, but you have logging enabled, so I don't see the point to this one.

    Rule 13: Same as rule 12

    Rule 14: Can't see the entire rule but from what I can see, GuestWLAN will not be able to browse the internet

    Rule 15: You have to split that rule into 2 separate rules as I mentioned in my previous post. Internal on the left and IPVPN Projects on the right, and vice versa. Assuming you wanted to allow full communication between both networks.

    Rule 16: Your devices should not be going to the internet for their DNS requests, they should be going to the UTM and, in turn, the UTM should be forwarding foreign DNS requests to your forwarders. I don't see the point of this unless you're wanting to let those devices query a foreign DNS server themselves.

    Rule 17: This is the same as rule 15, split it

    Rule 18: Again, I can't see the full listing, but why would you want to allow things like Network Printing and Windows Networking through to the internet? Why not just configure an ANY rule for that?

    Rule 19: This allows the VPN SSL to communicate with the IntALL and IPVPN objects

  • Great post, Kent. You're right that the "(Address)" object doesn't need to be included. Rules 15 and 17 look good to me, though, but that's a style issue.

    Cheers - Bob