
DNAT rule goes thru and drop in the same moment - that drives me crazy!

Hello, I have created a DNAT rule (NAT rule #1) for the port https/443 to an internal server. (Traffic from Internet: Internet = group of the Sophos default definitions Internet IPv4 and Internet IPv6.)


In the firewall log I see that the packets are forwarded. But still, in the same moment, the packets are dropped!??



If I switch the DNAT rule off and on again, then the packets are forwarded without dropping?!! Here comes the second crazy thing: the forwarding does its job until the External (WAN) interface connection is re-established after 24 hours. (In Germany, an Internet (VDSL) connection is disconnected every 24 hours.) Then the dropping of 443 starts again until I do the step I described.

 

I have already checked my other firewall rules, but here I have no rule for port 443/https that could cause the problem.

How can I find out which setting or rule is responsible for the behaviour? I don't want to manually turn the DNAT rule off and on every day :-(



  • Hi

    To connect to the ISP service, are you using a VDSL modem (like the Draytek 130) or a NAT router? The reason I ask is the mention of the 'second crazy thing' has put me in mind of an issue that happened to me (a couple of years ago) and I wonder if it's related to your issue with the ISP dropping and re-establishing every 24 hours (and likely your ISP assigned public IP address changing)?

    When I first started using UTM, I used a NAT router to connect to the ADSL, then I moved to using a Draytek Vigor 120 modem (essentially a PPPoE to PPPoA converter, but no NAT) which meant that my UTM's WAN directly faced the Internet (and thus had my public IP address) and that worked very well, for a while. At that time, the connection was quite stable, but it did occasionally drop and reconnect (and thus I was assigned a new public IP address) and though I wasn't monitoring things closely, it never seemed to cause me any problems.

    After a few months, something changed (likely after a UTM update) and whenever the ISP then dropped and reconnected (and thus I was assigned with a new IP address) I had problems. The first thing I did was to look at the UTM's WAN interface and I noted that it still showed as having the previously assigned IP address (from before the drop and reconnect) so for some reason, the UTM WAN interface was no longer 'refreshing'. To get around the problem, I had to revert to using a NAT router (so the UTM WAN interface had a static, internal address) and I have just left it like that, ever since (I am now on VDSL, so I'd have to buy a Draytek 130 in order to test whether that still happens, or not).

    Back in the day, I seem to recall finding (here) a discussion on that very same issue (and someone reckoning that it was a UTM bug) but I do not know how things progressed.

    Sorry if I am wildly off track and that is not the issue (or if you are already using a NAT in front of UTM) but it just seems a rather strange coincidence that an ISP reconnect (and thus likely a new public IP address being assigned) results in a behavioural change (implying to me that your UTM isn't behind a NAT) and as nobody else has yet responded, I thought the above might be worth a mention.

    Bri

  • Hi,

    You already know that this isn't normal behavior.  If Briain's suggestion doesn't fix this, please show us a line from the full Firewall log file corresponding to one of those blocks in the Live Log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You have bound one of the objects to an interface. Remove it and test again. 

  • I bet MasterRoshi is right that you've violated #3 in Rulz (last updated 2019-04-17), but if you want to recognize similar problems, post that Firewall log file line I asked for above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Briain, thank you for your thoughts.

    At the moment I use a ZyXEL VMG1312-B30A VDSL modem in front of the Sophos UTM. Every 24h I get a new public IP address, I don't have a static one. Luckily, I've had no problems with it so far.

    I understand why you changed your configuration, and I am thinking about whether to use a Fritzbox in front of the Sophos UTM. Then the UTM would get a static IP from the Fritzbox and maybe my problems would also be gone?!... I will test this if no simpler/complex solution opens up (maybe a config change only ;-)

  • Hi MasterRoshi,

    thank you for your hint.

    Before I created the forwarding DNAT rule I changed each destination of my firewall rules for internet access from "Any" to "Internet IPv4 & Internet IPv6" (for that I created the custom network group "Internet").

    Because of your hint I checked my definitions and see that the built-in definition "Internet IPv4" is bound to "External (WAN)"!? Could this cause the error?

  • Hi Bob,

    longtime security guru of the Sophos forum ;-) Thank you for many helpful comments in other discussions! That helped me to better understand firewall security. I've wanted to say this for a long time.

    Anyway. I checked the Rulez just before I opened up this discussion, and also a second time after the last update. But I can't find an error in my config.

    In the meantime I reverted the changes to my firewall rules I described in my reply to MasterRoshi (I changed the destination back to "Any"). Now I will test the behavior with this change. But even if that works, it's also not a resilient solution, because now I have a guest VLAN and no host from the management LAN should reach a host on the guest VLAN...

    P.S: Yes, I've already got your how-to "Configure HTTP Proxy for a Network of Guests", thanks again for that :-)

  • Hi Moeppi,

    It is more likely the destination object that has the interface binding (Internal Mail Server). The default IPV4 internet object is like that on purpose and cannot be changed. 

  • ... the "Internal Mail Server" has no interface binding.

  • Most likely it is the internet IPV4 object then, I have never seen this being used in a DNAT before and have not tested it. 

    Can you try with ANY and let us know if you still see the firewall drops in the logs after the initial connection hits the rule?
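Bob's request for the full Firewall log line behind each drop, and the last suggestion to watch whether the drops continue after the initial connection hits the rule, both come down to the same check: find flows that the log shows as accepted and dropped within the same moment, and which rule ids were involved. The script below is an added example, not code from this thread or from Sophos. It assumes the packetfilter log keeps its `key="value"` layout after the ulogd prefix (field names such as `action`, `fwrule`, `srcip`, `dstport` are assumed from that layout) and runs over constructed sample lines; every address, port and rule id in the sample is made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real log data) in the assumed UTM packetfilter
# key="value" layout: the same 443 SYN is accepted by rule 1 and dropped in
# the same second, plus one unrelated flow that is only accepted.
SAMPLE_LOG = """\
2019:04:20-10:00:01 utm ulogd[2001]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="6" srcport="51234" dstport="443" tcpflags="SYN"
2019:04:20-10:00:01 utm ulogd[2001]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="6" srcport="51234" dstport="443" tcpflags="SYN"
2019:04:20-10:00:05 utm ulogd[2001]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="192.0.2.20" dstip="198.51.100.7" proto="6" srcport="40000" dstport="80" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"  # assumed timestamp layout of the line prefix


def parse_line(line):
    """Return the key="value" fields of one packetfilter line, or None for other lines."""
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter":
        return None
    fields["ts"] = datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)
    return fields


def flow_key(fields):
    """5-tuple identifying a flow, so accept and drop events can be matched."""
    return (fields["srcip"], fields["srcport"], fields["dstip"],
            fields["dstport"], fields["proto"])


def find_accept_drop_conflicts(log_text, window_seconds=2):
    """Report flows that were accepted and dropped within window_seconds.

    Each conflict names the accepting and dropping rule ids, which is exactly
    what is needed to see which rule (e.g. a default drop) wins against the
    DNAT after the WAN interface re-established.
    """
    events = defaultdict(list)
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields is not None and "action" in fields:
            events[flow_key(fields)].append(fields)

    conflicts = []
    for key, evs in events.items():
        accepts = [e for e in evs if e["action"] == "accept"]
        drops = [e for e in evs if e["action"] == "drop"]
        for acc in accepts:
            for drp in drops:
                delta = abs((drp["ts"] - acc["ts"]).total_seconds())
                if delta <= window_seconds:
                    conflicts.append({
                        "flow": key,
                        "accept_rule": acc.get("fwrule"),
                        "drop_rule": drp.get("fwrule"),
                        "seconds_apart": delta,
                    })
    return conflicts


if __name__ == "__main__":
    for c in find_accept_drop_conflicts(SAMPLE_LOG):
        src, sport, dst, dport, proto = c["flow"]
        print(f"{src}:{sport} -> {dst}:{dport}/{proto}: accepted by rule "
              f"{c['accept_rule']}, dropped by rule {c['drop_rule']} "
              f"({c['seconds_apart']:.0f}s apart)")
```

Feed it the full Firewall log file (the one Bob asked for, not the Live Log excerpt) once before and once after the 24-hour reconnect; a flow that appears only in the output after the reconnect points at the rule id in `drop_rule`, which is the setting to inspect for an interface binding.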