DNAT, SNAT or Masquerading - Not for a server - GFE Client (Good For Enterprise)

Hi,

I run a Sophos UTM 9 at home which I've been running for well over a year now and it's been very good.  I have a stack of firewall rules for various devices and I've configured various rules for things like cameras and VOIP phones.

My recent bugbear is with an application I have to use for work.  My org are taking our blackberries off of us and replacing it with a BYOD offering using GOOD For Enterprise (GFE).  I have a specific device for this application and nobody else on the network uses GFE.

I have run into no end of pain getting this to work reliably but it has led to my analysing the packet flow a bit.  In conjunction with http://goodpkb.force.com/PublicKnowledgeBase/articles/Answer/17892 I have a handle on how it works (and what won't work when certain traffic flow is restricted).

I have done the following: 

1) Fixed the IP Address of the device (and android phone)

2) Configured firewall rules to allow the outbound TCP and UDP traffic from the device on the internal network to the CIDR blocks listed in the above link (216.136.156.64/27 and 198.76.161.0/24)

3) Configured a DNAT rule to forward UDP traffic from the GFE ranges (216.136.156.64/27 and 198.76.161.0/24).  

The rule takes traffic from the source GFE NOC and forwards the traffic to the device, i.e. it does not modify the service or port.

I think this means that it will use whatever the inbound port is and not change it.

The issue is that the actual client does this:

Device(Internal IP)->Ephemeral port (e.g. 2345)-> GFE NOC (UDP:12000)

and then there is return traffic which goes

GFE NOC (UDP:12000) -> External IP -> UDP(2345)

The problem is that this feels very rigid and will fall down if I ever have more than one GFE device on the network.  So should I be doing something a bit more clever?  Is there some way of getting UDP tracking/hole punching to work?  The FAQ sort of talks about a UDP "session", which is technically a nonsense but I know what they're getting at, and extending it to be "at least 10 minutes".  Which also just feels naff.

Should I therefore be looking at other UTM 9 features or am I totally missing the point?
  • Hi, and welcome to the UTM Community!

    If that's a quality app, you should not need the DNAT.  If a DNAT is required, then a good app would have an option for a fixed port.  If not, then you're stuck with your present solution.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I'm not really convinced by that.  The use of an ephemeral port by a client application (not a server) for the return UDP path isn't an unreasonable design pattern.  In fact I'd go so far as to say this has been the norm since the concept of an ephemeral client port.  A fixed port wouldn't work for any scenario which has more than one client running the same port without needing to coordinate those ports; again, among client applications this is normal.

    So we're saying that the UTM 9 doesn't support any kind of UDP hole punching?

    Cheers,

    Max

  • No, Max, there's not a "helper" for this as there is for FTP, etc.  Your DNAT could be modified by using a new service you create like "Any UDP" instead of the "Any" service object.

    Still, I'm surprised that any DNAT is required.  The connection tracker should handle anything coming back to your phone app.  I can't imagine that GFE initiates contact with your phone.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    You're right, there is a 'hole punch' packet sent via UDP, so GFE->device (phone)->UTM->External IP->Good NOC->(Ephemeral UDP Port 1234:GOOD NOC 12000), but the return packet is then dropped by the firewall.

    I'll try to grab a snippet of the log and attach that and you can see it happening.  So there is a UDP connection tracker then?

    Max

  • It'll be interesting to see a line from the Firewall log file (not the Live Log) so we can see why the connection tracker isn't accepting the response packets.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
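The UDP flow discussed in this thread (the device sending from an ephemeral port to the GFE NOC on UDP 12000, with the reply matched back through the UTM by connection tracking rather than a static DNAT) modelled as a small stateful masquerade table; this is an added illustration, not code from the thread or from Sophos UTM. The external address, the internal addresses, the per-flow port allocation policy and the `Masquerade` class are constructed assumptions; the NOC ranges, port 12000, ephemeral port 2345 and the 10-minute UDP timeout come from the thread.

```python
"""Model of stateful UDP tracking with masquerading (added illustration, not UTM code)."""
import ipaddress

# Values from the thread: the published GFE NOC ranges and the NOC's UDP port.
GFE_NOC_RANGES = [ipaddress.ip_network("216.136.156.64/27"),
                  ipaddress.ip_network("198.76.161.0/24")]
NOC_PORT = 12000
UDP_TIMEOUT = 600  # seconds: the "at least 10 minutes" UDP session the FAQ asks for


def is_gfe_noc(ip):
    """True if ip falls inside one of the published GFE NOC blocks."""
    return any(ipaddress.ip_address(ip) in net for net in GFE_NOC_RANGES)


class Masquerade:
    """Tracks outbound UDP flows and admits only replies that match a live entry."""

    def __init__(self, external_ip, timeout=UDP_TIMEOUT):
        self.external_ip = external_ip
        self.timeout = timeout
        self.flows = {}        # (ext_port, peer_ip, peer_port) -> [int_ip, int_port, last_seen]
        self.next_port = 1024  # assumed policy: one fresh external port per tracked flow

    def outbound(self, int_ip, int_port, peer_ip, peer_port, now):
        """Device -> NOC packet: reuse or create the flow entry, return the external port."""
        for key, entry in self.flows.items():
            if entry[:2] == [int_ip, int_port] and key[1:] == (peer_ip, peer_port):
                entry[2] = now
                return key[0]
        port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(port, peer_ip, peer_port)] = [int_ip, int_port, now]
        return port

    def inbound(self, peer_ip, peer_port, ext_port, now):
        """NOC -> external IP packet: forward to the device only if the flow is still live."""
        entry = self.flows.get((ext_port, peer_ip, peer_port))
        if entry is None or now - entry[2] > self.timeout:
            return None  # no matching flow, or it idled past the timeout: the reply is dropped
        entry[2] = now
        return (entry[0], entry[1])


def demo():
    fw = Masquerade("203.0.113.5")  # constructed external address (documentation range)
    noc = "216.136.156.70"          # constructed NOC address inside the published /27
    p1 = fw.outbound("192.168.1.20", 2345, noc, NOC_PORT, now=0)  # the GFE phone
    p2 = fw.outbound("192.168.1.21", 2345, noc, NOC_PORT, now=0)  # 2nd device, same ephemeral port
    return (fw.inbound(noc, NOC_PORT, p1, now=300),    # reply within 10 min -> phone
            fw.inbound(noc, NOC_PORT, p2, now=300),    # -> second device, no clash
            fw.inbound(noc, NOC_PORT, p1, now=1000))   # idle longer than the timeout -> dropped
```

Two devices using the same ephemeral port get distinct external ports, so no static DNAT is needed; the third call shows the failure mode the FAQ's 10-minute session length is meant to avoid.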