Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 4 subscribers
  • Views 2434 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Communication only working in one direction between internal and internalVLAN

Frodi Danielsen1

I have a Sophos SG230 running UTM9 (version 9.605-1) I have 4 interfaces enabled Exernal (WAN), VPN, Internal and InternalVLAN88,

I am having problems getting from internal (192.168.10.1/24) to internalVLAN88 (192.168.88.254/24), but not the other way around?

I have tried with RDP (this is what it need working), from InternalVLAN88 I can access a host on internal (from 192.168.88.102 to 192.168.10.102) all good, but going the other way (from 192.168.10.102 to 192.168.88.102) no luck.

I get these lines in the firewall log (my rule allowing RDP tcp/udp 3389 from and to 192.168.10.102 and 192.168.88.102 is number 5) Seems like traffic from internal to internalVLAN88 finds way to the net but gets lost on the way back?

Any suggestions what I am missing

 

2019:11:12-13:18:35 sophos ulogd[16484]: "id=""2002""" "severity=""info""" "sys=""SecureNet""" "sub=""packetfilter""" "name=""Packet" "accepted""" "action=""accept""" "fwrule=""5""" "initf=""eth0""" "outitf=""eth4.88""" "srcmac=""00:50:56:99:f4:c8""" "dstmac=""00:1a:8c:59:1e:4a""" "srcip=""192.168.10.102""" "dstip=""192.168.88.102""" "proto=""6""" "length=""52""" "tos=""0x02""" "prec=""0x00""" "ttl=""127""" "srcport=""56010""" "dstport=""3389""" "tcpflags=""SYN""" 
2019:11:12-13:18:38 sophos ulogd[16484]: "id=""2000""" "severity=""info""" "sys=""SecureNet""" "sub=""packetfilter""" "name=""Packet" "logged""" "action=""log""" "fwrule=""0""" "srcip=""192.168.10.102""" "dstip=""192.168.88.102""" "proto=""6""" "length=""52""" "tos=""0x02""" "prec=""0x00""" "ttl=""128""" "srcport=""56010""" "dstport=""3389""" "tcpflags=""SYN""" "info=""nf_ct_tcp:" invalid packet ignored in state SYN_RECV
2019:11:12-13:18:44 sophos ulogd[16484]: "id=""2000""" "severity=""info""" "sys=""SecureNet""" "sub=""packetfilter""" "name=""Packet" "logged""" "action=""log""" "fwrule=""0""" "srcip=""192.168.10.102""" "dstip=""192.168.88.102""" "proto=""6""" "length=""48""" "tos=""0x00""" "prec=""0x00""" "ttl=""128""" "srcport=""56010""" "dstport=""3389""" "tcpflags=""SYN""" "info=""nf_ct_tcp:" invalid packet ignored in state SYN_RECV

 

Live log

 

My Interfaces 



This thread was automatically locked due to age.
Parents
  • 0

    Hej Frodi and welcome to the UTM Community!

    The logs and pictures you showed us don't have anything definitive about blocked traffic.  DO you see anything in the Intrusions Prevention log?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob, no nothing at all in the Intrusions Prevention log related to either of the ip addresses here. I can not find any information in firewall (or intrusion prevention) log anything where this traffic should be blocked, whenever I try to initiate a connection (RDP) I get one green line allowing the connection, followed by 2 white lines and that is all - and no RDP session is made. This problem is just in one direction from 10.102 to 88.102 from the other direction everything works fine.

    I have a rule that allows any traffic for these same net (rule number 10) just wanted to narrow it down a bit, thus creating rule #5 only for RDP, to see if I could get any additional information

  • 0 in reply to Frodi Danielsen1

    If the traffic isn't being blocked, Frodi, it must be a routing problem.  My guess is that .88.102 has a higher-priority route back to .10.102.  If the response traffic does make it back to .10.102, it likely rejects the responses as uninvited.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Frodi Danielsen1

    If the traffic isn't being blocked, Frodi, it must be a routing problem.  My guess is that .88.102 has a higher-priority route back to .10.102.  If the response traffic does make it back to .10.102, it likely rejects the responses as uninvited.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML