
NAT rules not working after DHCP WAN IP change

I've recently noticed this behavior on UTM 9.603-1 where the NAT rules stop working after the WAN interface gets a new IP address assigned to it.  My WAN connection is a CenturyLink DSL connection that uses PPPoE and it will occasionally get a new IP address if the connection is dropped or renegotiated.

After it's pulled a new IP address and successfully updated my DNS record with No-IP.com, it seems the NAT rules tied to that interface stop working. A few weeks ago I noticed this behavior and thought it was because I had my NAT rules bound to 'Uplink Primary Addresses', so I changed them over to just the 'External (DSL) (Address)' interface, which is my primary WAN connection. I do have a secondary WAN connection for failover that goes to another interface connected to a wireless AP that looks for hotspot connections offered by my cell phone; it's not used very often, so I figured I would just link to the primary WAN interface and leave it at that.

The IP address on the WAN interface recently changed and I realized I wasn't getting any email on my phone, so I went back and looked at the NAT rules and the rule to forward HTTPS traffic to my exchange server looked fine. Checking from a connection that is outside the firewall with Telnet, port 443 wasn't accepting connections and they timed out (Dropped, not rejected).  All I did was disable the rule, let it sit for 15 seconds, then re-enabled it and telnet was able to connect to port 443 right away after that.

My guess is that under the hood UTM isn't updating the firewall and/or NAT table rules to reflect the new external IP. An odd twist to this is that it doesn't seem all rules are affected at the same time. I have an FTP service forwarded as well that has 'Uplink Primary Addresses' as the destination match, and while it has had the same issue previously, it seems fine currently. (I didn't test before disabling and re-enabling the HTTPS rule.)


Anyone else seen or had this issue before?  It feels like a bug that should be brought to Sophos' attention, and I thought I'd check here first to see if there was anything obvious that I was missing.  It's kind of a pain as sometimes the DSL modem will retrain / reconnect in the middle of the night and I'm unaware of it until I see that my email is no longer flowing.
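The symptom described above (port forwards silently left on the old WAN address until a rule is toggled) is easiest to catch with a check that compares the address currently on the uplink with the destination address each DNAT rule still matches on. The script below is an added example, not code from the original post or from Sophos; it assumes the firewall's NAT table can be dumped in `iptables-save` syntax and that the PPPoE uplink is a Linux interface such as `ppp0` (both are assumptions, so the check is parameterised and exercised here on a constructed rule dump instead of a live box).

```shell
#!/bin/sh
# Added example, not from the original post or Sophos: list DNAT rules whose
# matched destination address no longer equals the current WAN address.
# Assumptions: NAT rules are available in `iptables-save -t nat` syntax, and
# the WAN address can be read from the uplink interface with `ip`.

# Constructed sample of an `iptables-save -t nat` dump: two forwards still
# bound to the old WAN address 203.0.113.10, one already on the new address.
SAMPLE_NAT_RULES='-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.30:21
-A PREROUTING -d 203.0.113.25/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.20:25'

# current_wan_ip DEV: first IPv4 address on DEV (e.g. ppp0 for a PPPoE uplink).
current_wan_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{split($4, a, "/"); print a[1]; exit}'
}

# stale_dnat_rules WAN_IP [RULES]: print every DNAT rule whose `-d` address is
# a literal other than WAN_IP. Rules come from argument 2 (for offline use)
# or from stdin (pipe `iptables-save -t nat` into it on a live box).
stale_dnat_rules() {
    wan="$1"
    if [ $# -ge 2 ]; then printf '%s\n' "$2"; else cat; fi |
    awk -v wan="$wan" '
        /-j DNAT/ {
            dst = ""
            for (i = 1; i < NF; i++)
                if ($i == "-d") { dst = $(i + 1); sub(/\/32$/, "", dst) }
            # Rules with no literal -d (e.g. matching on interface only) are skipped.
            if (dst != "" && dst != wan) print
        }'
}

# stale_dnat_count WAN_IP [RULES]: number of stale rules; non-zero means the
# forwards were not re-bound after the uplink address changed.
stale_dnat_count() {
    stale_dnat_rules "$@" | wc -l | tr -d ' \t'
}

# Live usage (assumed interface name):
#   iptables-save -t nat | stale_dnat_rules "$(current_wan_ip ppp0)"
```

Run it from a PPPoE up-hook or a cron job right after a reconnect; a non-zero count is the point at which to alert, rather than discovering the outage when mail stops arriving hours later.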


