
SNAT not working sometimes

Hello all,

I have been a very long time UTM user and continue to refine and tweak my environment. Recently I've become aware that it appears my SNAT rule(s) are not always working. They work just fine 99% of the time, but if I capture on my external interface, I can occasionally see traffic that wasn't translated. Any thoughts about what's going on and/or how to remedy it?

To explain my setup in its simplicity, I have two UTM firewalls. One is a Home licensed version and acts as my primary firewall (call it FW1). I have a second firewall (base license only - FW2) behind one dedicated interface on FW1. I have a single NAT rule on FW2 that says <All Protected Networks> <any port> <Any Destination> -> Source Translate to External (Address).

Ultimately, the devices behind FW2 work. They are a mix of IoT devices, firesticks, etc. Sometimes the streams for Netflix, Disney+, etc. take a few seconds to load - but they do, and the kids are streaming all day. I can see however in the FW1 logs that occasionally I am seeing the actual IPs of some of those IoT devices hitting it, when they should be SNATed. A tcpdump further confirmed this. It's not a lot, but more than none.

To a much lesser extent I'm also seeing something similar on the external interface of FW1. It almost seems like the firewall can't keep up or loses track. The CPUs and RAM are near idle though.



  • Matt, please show a picture of the Edit of an SNAT that sometimes fails.  Also a line from your packet capture showing that the SNAT didn't "take."

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you BAlfson, you're always on duty!

    I have a lot of info below so will try and walk you through it. First a network diagram to depict what I meant before. For this discussion I'm looking at traffic coming from the IoT subnet (10.0.0.0/24) going to the Internet (the line above FW1). I've labeled each of the subnets with the network name for reference in the next screenshot.


    I technically have 3 NAT rules on FW2 (below) but the first two are very specific. NAT rule 3 is the one I have the edit open for. The contents of group "Networks" is 'Camera (Network)' and 'IoT (Network)'.

    This is a snippet of the packet capture, obfuscated for a few details but I have confirmed the MAC addresses are the proper respective interfaces of the FW1 and FW2 'Isolation' network to rule out any weird routing bypass or switch misconfiguration.

    XXXXX-fw2:/home/login # tcpdump -nni eth0 -e net 10.0.0.0/24
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    07:26:29.929219 00:0c:29:XXXX > 00:26:55:XXXX, ethertype IPv4 (0x0800), length 54: 10.0.0.158.57037 > 52.216.160.83.80: Flags [F.], seq 3252134152, ack 3657444415, win 1403, length 0
    07:26:30.140059 00:0c:29:XXXX > 00:26:55:XXXX, ethertype IPv4 (0x0800), length 54: 10.0.0.158.57037 > 52.216.160.83.80: Flags [F.], seq 0, ack 1, win 1403, length 0
    07:26:30.566721 00:0c:29:XXXX > 00:26:55:XXXX, ethertype IPv4 (0x0800), length 54: 10.0.0.158.57037 > 52.216.160.83.80: Flags [F.], seq 0, ack 1, win 1403, length 0

    I did notice that all the packets getting through appear to be FINs. Not as bad, but I still can't come up with a reason that it should be happening. The result is network noise and dirty connections for connected devices, but it also reflects in my FW1 Executive reports that these few devices are routinely my top 'Dropped Sources' (roughly 50K dropped packets/week combined).

    Also for reference, both firewalls are on 9.703-3
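    As an added example (not from the thread or from Sophos), a small Python check that scans the output of the same `tcpdump -nni eth0 -e` command for packets whose source address is still inside the protected subnet instead of FW2's Isolation address, and groups them by TCP flags so a pattern like "only FINs" shows up immediately. The capture lines, MACs and the 8.8.8.8 destination are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the thread's `tcpdump -nni eth0 -e` output
# (placeholder MACs; the 10.255.255.30 line is a correctly translated packet).
SAMPLE_CAPTURE = """\
07:26:29.929219 00:0c:29:aa:bb:cc > 00:26:55:dd:ee:ff, ethertype IPv4 (0x0800), length 54: 10.0.0.158.57037 > 52.216.160.83.80: Flags [F.], seq 3252134152, ack 3657444415, win 1403, length 0
07:26:30.140059 00:0c:29:aa:bb:cc > 00:26:55:dd:ee:ff, ethertype IPv4 (0x0800), length 54: 10.0.0.158.57037 > 52.216.160.83.80: Flags [F.], seq 0, ack 1, win 1403, length 0
07:26:31.000000 00:0c:29:aa:bb:cc > 00:26:55:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 10.255.255.30.41000 > 52.216.160.83.443: Flags [S], seq 1, win 64240, length 0
07:26:32.000000 00:0c:29:aa:bb:cc > 00:26:55:dd:ee:ff, ethertype IPv4 (0x0800), length 76: 10.0.0.21.51234 > 8.8.8.8.53: UDP, length 34
"""

PROTECTED = ipaddress.ip_network("10.0.0.0/24")   # IoT subnet behind FW2
SNAT_ADDR = ipaddress.ip_address("10.255.255.30")  # FW2's Isolation (Address)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\])?"
)

def parse_line(line):
    """Parse one tcpdump line; returns None for lines that are not IPv4 packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        "flags": m["flags"],  # None for non-TCP packets
    }

def find_untranslated(capture, protected=PROTECTED, snat_addr=SNAT_ADDR):
    """Packets seen on the outside interface whose source is still a protected
    address; with a working SNAT every outbound source should be snat_addr."""
    leaks = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["src"] != snat_addr and pkt["src"] in protected:
            leaks.append(pkt)
    return leaks

def summarize_by_flags(leaks):
    """Count leaks per TCP flag set. A FIN for a connection that conntrack no
    longer tracks is classified INVALID and skips NAT, so an all-FIN result
    points at expired connection state rather than at the rule itself."""
    return Counter(pkt["flags"] or "non-TCP" for pkt in leaks)
```

    Feed it a saved capture with `find_untranslated(open("capture.txt").read())`; an empty result means every packet on the interface carried the translated source.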

  • What is "Isolation (Address)" and why do you need that SNAT in FW2?

    Cheers - Bob
  • Isolation (Address) from the perspective of FW2 is the external interface of the firewall, specifically it is 10.255.255.30 which should be the only address I see in the packet capture.

    The reasoning for the SNAT, and really the entire reason for FW2, is that the Sophos Essentials UTM license is free with unlimited IPs (very limited on advanced features though). I don't need two-way connectivity with my IoT devices, so hiding them all behind one IP is fine and enables FW1 (Home License) to stay under 50. I can apply one generic policy for them on FW1. From this perspective it's completely a workaround that brings me limitations but is sufficient without violating licensing counts. If I could bump up the user limit on the home license (without buying a full-fledged enterprise license) I could eliminate FW2. I only have a family of 4, but when everyone has tablets, I have 20+ smart wifi switches, Chromecast, etc... the count goes up quickly even though it's not that much traffic.

  • An elegant solution to the IoT problem, Matt!

    I have no idea why that's happening.  Maybe somebody let some of the blue smoke out of that box. [:S]

    Rather than an SNAT, why not try Masquerading?

    Cheers - Bob
  • I've never really tried using Masquerading because from the GUI it looks like a "simpler" version of traditional NAT, which is a concept I understand, so I prefer the added configuration capabilities. I'm not opposed to trying it, as long as I can still get the same capabilities.

    Since I do still have some NATs configured (specifically to redirect NTP to my gateway rather than devices querying the Internet), do NAT rules take precedence over Masq? 

    And this would be my new Masq rule (and disable NAT #3)?

    In review, I really only need the IoT network to be hidden. The camera network has no need to ever go through the firewall, just query it for DNS/NTP. The NAT rule has already been revised for this as well.

  • You want the Isolation interface instead of IoT.  Also, see #2.1 in Rulz (last updated 2019-04-17).

    Cheers - Bob
  • Thank you. I had looked through Rulz initially but I guess I missed it.

    Anyway, I was optimistic at first but it looks like the issue still exists. At least I learned how to add a masquerade now. I guess I'll just deal.
