
Unwanted packets

Sorry for my English.

I have a problem on my Utm 9.502-4 Pattern 130909 Home Edition.
The problem started just after installation before any configuration.
I have a network composed by a DMZ (Sophos internal network) and my internal network.

All computers are virtual machines.

The firewall between the Internet and the DMZ is Sophos.
The firewall between the DMZ and the internal network is Microsoft TMG.

The problem is: the TMG firewall denies connections from packets coming from external IPs that should have been blocked by Sophos.

If I disable the Internet connection, the packets don't arrive.

On Sophos there is a static route to the internal network.
I have tested another IP in the DMZ and it doesn't receive any unwanted packets.
Only the gateway to the internal network seems to receive unwanted packets.

Below:

  1. A list of some IPs sending unwanted packets.
    I have tested them; some do not have a bad reputation.
    2.17.205.2
    2.19.70.112
    23.21.45.59
    43.137.167.137
    52.222.171.187
    54.171.245.137
    54.192.27.68
    64.233.167.155
    74.125.206.157
    89.163.159.115
    93.184.221.200
    130.211.5.178
    178.250.0.71
    185.33.223.202
    192.229.223.25
    199.96.57.6
    213.215.153.102
    216.52.1.12
    216.58.205.33
    216.58.205.34
    216.58.205.130
    216.58.205.162
    216.58.205.166
    217.12.15.83

  2. The list from TMG showing the ports.
    The ports are always high-numbered.

I have tried:

  1. A firewall rule.
  2. A black hole route.

Notwithstanding my attempts, the packets continue to arrive and are dropped by TMG.

Any idea?

  • Can you draw us a quick picture of the setup so we can more easily understand your network?

    PS. Blanking out 192.168.x.x IPs is not really necessary since they are only local addresses on your side. It's not your WAN IP address. 192.168.0.0/16 are all RFC 1918 private IP addresses that are not in use on the Internet.

    You may have additional firewall rules allowing the traffic, or you may have DNAT rules that allow the traffic to flow.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Below: NAT and masquerading rules.

    The packets started to flow in just after installing some days ago.
    At that time I had no server configured.
    What other information about the configuration do you want?

  • What would make things a bit clearer is a simple diagram of your network: where TMG and Sophos are, and the connections between them.

    Also, if you go to Firewall in Sophos UTM, can you choose to display ALL rules (not just user-configured rules)? Maybe there are rules (i.e. the DNAT rules for the automatic firewall) that allow the traffic.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Ciao Fabio and welcome to the UTM Community!

    First, several comments:

    1. The UTM can do everything you're now doing with the TMG, so you could simplify your life by eliminating the TMG.
    2. If you're using ESXi, install only VMXNET3 virtual NICs for the UTM instance.
    3. Hosting your own name server that is open to the world is not something I would recommend.
    4. If you are double NAT'ing the devices on the LAN behind your TMG, this will cause problems, especially with IPsec VPNs.

    The blackhole static route is a new option, and I don't think it's what you want here. See #2 in Rulz to understand why you want a DNAT for blackholing this traffic instead of the static route or a firewall rule.

    Cheers - Bob
    PS Your English is much better than my Italian!

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 1) No DNAT rule allows reaching the point where the unwanted packets are found.

    2) No automatic firewall rule allows reaching the point where the unwanted packets are found.

    3) Network scheme


    Sorry for the late response, but I have another problem with Sophos: see "Visual Studio 2017 NuGet package not working".

  • 1. The UTM can do everything you're now doing with the TMG, so you could simplify your life by eliminating the TMG.
    As shown in the network diagram, TMG is a second line of defense between the DMZ and the internal network.
    2. If you're using ESXi, install only VMXNET3 virtual NICs for the UTM instance.
    I use Hyper-V; it is included in MSDN --> no cost.
    3. Hosting your own name server that is open to the world is not something I would recommend.
    It is a test environment; I want to be able to test many solutions.
    Anyway, the DNS responds only for my zones, doesn't forward any query, and has no root hints either.
    4. If you are double NAT'ing the devices on the LAN behind your TMG, this will cause problems, especially with IPsec VPNs.
    There is a route relationship between the DMZ (Sophos internal network) and TMG.

    5. The blackhole static route is a new option ...
    Added in desperation, trying to block the packets.

  • Thanks for the drawing; that makes the topology clear to me.

    Could it be that the blocked traffic is actually "return-traffic" for already active transmissions from any of your hosts behind TMG? You may be able to check that using the IP-address that is blocked.

    Also, if you really need to know what's going on, you could use something like Wireshark between the Sophos UTM and TMG, where you can more precisely monitor exactly what traffic is flowing from where to where and whether or not the "blocked-by-TMG" traffic is return traffic.

    You are using TMG as a 2nd line of defense, but TMG has actually been EOL since somewhere in 2015... Isn't it better to look for alternatives?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
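The reply above suggests checking whether the traffic TMG drops is return traffic for connections that internal hosts opened themselves (the CDN and cloud addresses in the list, together with the consistently high destination ports, fit that pattern). The script below is an added example, not code from the thread or from Sophos or Microsoft; it shows one way to do that check offline once a capture or log export is in hand. It correlates a list of outbound connections (as an internal-side log or capture would show them) with the connections TMG denied, matching each denied packet against the reversed 5-tuple of a recent outbound flow. Denied packets with no match but with a service source port and a high client destination port are flagged as "likely return" (the heuristic the thread's observation about high ports implies); everything else is treated as unsolicited. The line format, the timestamps, the 192.168.10.x internal addresses and the two log sets are constructed for the example; the external addresses are taken from the list in the original post.

```python
"""Classify firewall-denied inbound packets as return traffic or unsolicited.

Added example (not from the thread). The flow line format below is assumed:
    <ISO timestamp> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
Timestamps, internal 192.168.10.x hosts and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+(TCP|UDP)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one flow line in the assumed format; raise on anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    ts, proto, sip, sport, dip, dport = m.groups()
    return Flow(datetime.fromisoformat(ts), proto, sip, int(sport), dip, int(dport))


def looks_like_reply(f: Flow) -> bool:
    """Heuristic: a reply comes *from* a service port *to* a high client port."""
    return f.src_port < 1024 and f.dst_port >= 1024


def classify_denied(outbound_lines, denied_lines, window=timedelta(seconds=120)):
    """Return {'matched_return', 'likely_return', 'unsolicited'} -> [Flow].

    A denied packet is 'matched_return' when an outbound flow with the reversed
    5-tuple was seen up to `window` before it; 'likely_return' when no record
    exists but the port pattern is that of a reply; otherwise 'unsolicited'.
    """
    outbound = [parse_flow(l) for l in outbound_lines]
    denied = [parse_flow(l) for l in denied_lines]

    # Index outbound flows by the tuple a reply to them would carry.
    by_reverse_tuple = {}
    for f in outbound:
        key = (f.proto, f.dst_ip, f.dst_port, f.src_ip, f.src_port)
        by_reverse_tuple.setdefault(key, []).append(f.ts)

    result = {"matched_return": [], "likely_return": [], "unsolicited": []}
    for d in denied:
        key = (d.proto, d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        recent = [t for t in by_reverse_tuple.get(key, [])
                  if timedelta(0) <= d.ts - t <= window]
        if recent:
            result["matched_return"].append(d)
        elif looks_like_reply(d):
            result["likely_return"].append(d)
        else:
            result["unsolicited"].append(d)
    return result


# Constructed sample data: connections opened from the internal network ...
OUTBOUND = [
    "2017-09-12T10:00:00 TCP 192.168.10.20:51234 -> 93.184.221.200:443",
    "2017-09-12T10:00:02 TCP 192.168.10.21:51900 -> 216.58.205.33:443",
]
# ... and packets TMG reported as denied on its DMZ-facing side.
DENIED = [
    "2017-09-12T10:00:01 TCP 93.184.221.200:443 -> 192.168.10.20:51234",  # reply, in window
    "2017-09-12T10:05:30 TCP 216.58.205.33:443 -> 192.168.10.21:51900",   # reply shape, too late
    "2017-09-12T10:00:03 TCP 2.17.205.2:44123 -> 192.168.10.1:22",        # no outbound record
]

if __name__ == "__main__":
    for category, flows in classify_denied(OUTBOUND, DENIED).items():
        print(category)
        for f in flows:
            print(f"  {f.ts.isoformat()} {f.proto} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
```

In practice the outbound list comes from a capture or connection log on the internal side of TMG (or from the UTM's own firewall log for allowed outbound flows) and the denied list from the TMG log export, both converted to the assumed line format. A high count in "matched_return" points at TMG losing or never holding state for those connections (asymmetric routing between the two firewalls is the usual cause), while "unsolicited" entries are the ones that a blackhole rule on the UTM should be catching.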

  • Could it be that the blocked traffic is actually "return-traffic" for already active transmissions from any of your hosts behind TMG? You may be able to check that using the IP-address that is blocked.


    Considering that some of the domains involved are akamaitechnologies.com and amazonaws.co, it is possible.
    If the transaction is started within the internal network, I don't understand why it is not accepted.

    Also, if you really need to know what's going on, you could use something like Wireshark between the Sophos UTM and TMG, where you can more precisely monitor exactly what traffic is flowing from where to where and whether or not the "blocked-by-TMG" traffic is return traffic.
    Where do you suggest installing Wireshark? On the TMG server or on another server in the DMZ?

    You are using TMG as a 2nd line of defense, but TMG has actually been EOL since somewhere in 2015... Isn't it better to look for alternatives?

    Yes, if I find one at no cost.

  • Fabio,

    1. Yes, your diagram confirms the veracity of my observation. You'd be better off with a DMZ and an Internal NIC in the UTM.

    2. My point was only that similar problems occur when not using VMXNET3 in ESXi-based setups.

    3. Ah, that makes sense!

    4. Then I don't understand your masquerading rule.

    5. Again, use a blackhole-DNAT instead of the blackhole static route meant to be used with OSPF.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You could use Wireshark on another PC where you install it, and then SPAN the WAN switch port from your TMG to another port where you connect your Wireshark device. Of course you could also install Wireshark on TMG, but I would keep it as clean as possible.

    Should it be return-traffic that is blocked, it's indeed a little strange but I don't really have an explanation for that either...


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.