LAN to WAN and LAN to LAN traffic issues with rule 60001

I'm running into two issues that I can't figure out, I've tried searching for similar issues, but I haven't found an answer yet.

My setup:

UTM 9.411-3

LAN network 192.168.2.x WAN IP 24.140.23.XXX

Every feature but the Firewall and EndPoint Protection is turned off to try and troubleshoot my issues.

My first firewall rule is FROM: Internal Network > Any service > Internet IPv4 ALLOWED

In my firewall log I see the following:

2017:02:25-10:50:52 utm ulogd[4505]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="c4:85:08:a9:c1:85" dstmac="00:11:0a:14:31:51" srcip="192.168.2.99" dstip="24.140.23.XXX" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="50460" dstport="6690" tcpflags="SYN" 

I read the KB article about traffic matching rule 60001, but I don't understand how LAN to WAN traffic would have anything to do with NAT.

I also see LAN to LAN traffic on the same subnet drop on my network with the same rule:

2017:02:24-10:59:29 utm ulogd[4505]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:11:32:2b:29:5d" dstmac="00:11:0a:14:31:51" srcip="192.168.2.162" dstip="192.168.2.1" proto="1" length="323" tos="0x00" prec="0xc0" ttl="64" type="3" code="3" 

Any ideas?

  • 60001 rule is the default drop rule.

    possible your rule has a problem.

    try a any - any - any rule ... for a short time ...

    if this works, check your rule.

  • Hi Nate,

    Change the destination in the FW-rule from Internet IPv4 to Any IPv4. Show us a picture of the existing FW-rules configured in your UTM. Looking at the logs:

    1. The traffic is on random ports, verify if those services are allowed through the Fw-rule.

    2017:02:25-10:50:52 utm ulogd[4505]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="c4:85:08:a9:c1:85" dstmac="00:11:0a:14:31:51" srcip="192.168.2.99" dstip="24.140.23.XXX" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="50460" dstport="6690" tcpflags="SYN" 

    2. The drop is for "proto 1" which is ICMP. Make sure ICMP is allowed through the UTM in Network Protection / Firewall / ICMP tab.

    2017:02:24-10:59:29 utm ulogd[4505]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:11:32:2b:29:5d" dstmac="00:11:0a:14:31:51" srcip="192.168.2.162" dstip="192.168.2.1" proto="1" length="323" tos="0x00" prec="0xc0" ttl="64" type="3" code="3"

    Hope that helps

  • Hi, Nate, and welcome to the UTM Community!

    In addition to what Dirk and Sachin told you, I found it curious that you have an internal IP trying to contact the IP on the UTM's External interface. You might need Accessing Internal or DMZ Webserver from Internal Network.

    Cheers - Bob

  • Fantastic observation by Bob. I think he has a potential solution for you.

    Thanks
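As an added example (not from this thread and not Sophos code), a small Python triage script that parses the two ulogd packetfilter lines from the original post and applies the reasoning the replies give: rule 60001 is the default drop, proto 1 drops are governed by the ICMP tab, and a LAN host addressing the UTM's own external IP is the hairpin/NAT case Bob points at. It assumes the LAN is 192.168.2.0/24 and keeps the post's masked external address as a placeholder.

```python
import re
from typing import Dict, List

# UTM ulogd packetfilter lines are a "<timestamp> <host> ulogd[<pid>]:" prefix
# followed by space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumptions for this example (see lead-in): 60001 is the implicit default
# drop rule, the LAN is 192.168.2.0/24, and the external address is the one
# from the original post, kept with its XXX placeholder.
DEFAULT_DROP_RULE = "60001"
UTM_EXTERNAL_IP = "24.140.23.XXX"
LAN_PREFIX = "192.168.2."

# Sample input: the two log lines quoted in the original post.
SAMPLE_LOG = """\
2017:02:25-10:50:52 utm ulogd[4505]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="c4:85:08:a9:c1:85" dstmac="00:11:0a:14:31:51" srcip="192.168.2.99" dstip="24.140.23.XXX" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="50460" dstport="6690" tcpflags="SYN"
2017:02:24-10:59:29 utm ulogd[4505]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:11:32:2b:29:5d" dstmac="00:11:0a:14:31:51" srcip="192.168.2.162" dstip="192.168.2.1" proto="1" length="323" tos="0x00" prec="0xc0" ttl="64" type="3" code="3"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one ulogd line plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def classify_drop(f: Dict[str, str]) -> str:
    """Say why a default-rule drop deserves a look, following the thread's advice."""
    if f.get("action") != "drop" or f.get("fwrule") != DEFAULT_DROP_RULE:
        return "not a default-rule drop"
    src, dst, proto = f.get("srcip", ""), f.get("dstip", ""), f.get("proto")
    if proto == "1":
        # ICMP is controlled by the ICMP tab, not by the ordinary allow rules.
        # Type 3 / code 3 is "port unreachable", i.e. a reply, not a new session.
        return (f"ICMP type {f.get('type')}/code {f.get('code')} {src} -> {dst}: "
                "check Network Protection / Firewall / ICMP settings")
    if src.startswith(LAN_PREFIX) and dst == UTM_EXTERNAL_IP:
        # Internal host talking to the UTM's own WAN address: the hairpin/NAT case.
        return (f"LAN host {src} -> UTM external IP port {f.get('dstport')}: "
                "no allow rule matches; see the internal/DMZ webserver NAT article")
    return f"default drop {src} -> {dst} proto {proto} dstport {f.get('dstport')}"


def triage(log_text: str) -> List[str]:
    """Classify every non-empty line of a ulogd packetfilter log extract."""
    return [classify_drop(parse_line(l)) for l in log_text.splitlines() if l.strip()]
```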