
Loopback NAT loopback / FW rule (XG V18) / UDP issue

I have LAN, DMZ and WAN configured on an XG firewall running on an ESXi / home setup.

 

I want to redirect anyone accessing a particular IP/service on the internet to an IP/service in the DMZ. Trying to do a NAT rule with no luck.

 

Here is what I have. 

Source : LAN IP (192.168.1.5) 

Destination (Internet - This is not the WAN IP) : 170.10.10.5:8000 (Both UDP/TCP) 

Need to redirect this to (DMZ) 192.168.3.5:8000 (Both UDP/TCP)

 

I wrote the following NAT rule, but the traffic does not seem to match this rule.

 

Original Source : Any

Original Destination : 170.10.10.5

Original Service : TCP (1:65535) / (8000), UDP (1:65535) / (8000)

 

Translated source (SNAT) : MASQ

Translated destination (DNAT) : 192.168.3.5

Translated Service (PAT) : Original

 

Inbound Interface : Any

Outbound Interface : Any

 

Although I had trouble initially, I later managed to create additional firewall rules for traffic to traverse from any zone to any zone. TCP seems to be working; however, my UDP traffic seems to be one way and does not seem to have a return path.

 

 

 

Is there any difference between UDP vs TCP rules that I have to be aware of?



  • To clarify the issue, here are some details from what I see.

     

    LAN (Port1)

    WAN(Port2)

    DMZ(Port3)

     


    Here is my issue with a packet capture.

    LAN to WAN (Captured at Port1)
    23:10:20.632835 Port1, IN: IP 192.168.1.5.57207 > 170.10.10.5.9000: UDP, length 89
    I do not see an OUT packet from Port1 to my host in the LAN.

    DMZ to LAN (Captured at Port3) - Note this is not the same packet as above, but a packet captured a little later.
    23:11:46.065902 Port3, IN: IP 192.168.3.5.9000 > 192.168.3.1.57207: UDP, length 12


    However, I do not see any traffic entering from Port1 with a SRC IP of 170.10.10.5.


    Here is how it works when it is TCP traffic.
    23:22:22.235909 Port1, IN: IP 192.168.1.5.51854 > 170.10.10.5.9000: Flags [F.], seq 757069028, ack 2296387257, win 8212, length 0
    23:22:22.237146 Port1, OUT: IP 170.10.10.5.9000 > 192.168.1.5.51849: Flags [.], ack 1, win 1024, length 0

    Why does my NAT rule work differently for UDP vs TCP? I made sure the service definition has both UDP and TCP.

    I think most use cases do not use UDP loopback NAT rules. Is there an issue when UDP is involved with NAT loopback?
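The captures above show the asymmetry by eye: the UDP request enters Port1 but no reply leaves it, while the TCP flow has both directions. The following is an added example (not from the poster or from Sophos) that automates that check over tcpdump-style lines like the ones quoted: it pairs each inbound packet on an interface with its reverse-direction outbound packet and reports flows that never got a reply. The sample capture is constructed to mirror the thread's hosts and ports.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump lines quoted in the thread
# (same hosts and ports as the post; not a real capture from the poster).
SAMPLE_CAPTURE = """\
23:10:20.632835 Port1, IN: IP 192.168.1.5.57207 > 170.10.10.5.9000: UDP, length 89
23:22:22.235909 Port1, IN: IP 192.168.1.5.51854 > 170.10.10.5.9000: Flags [F.], seq 1, ack 1, win 8212, length 0
23:22:22.237146 Port1, OUT: IP 170.10.10.5.9000 > 192.168.1.5.51854: Flags [.], ack 1, win 1024, length 0
"""

# Matches the XG packet-capture line format: "<time> <iface>, <IN|OUT>: IP a.b.c.d.port > a.b.c.d.port: UDP|Flags ..."
LINE_RE = re.compile(
    r"^\S+ (?P<iface>\w+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>UDP|Flags)"
)


def parse_capture(text):
    """Yield (iface, direction, proto, src, sport, dst, dport) for each packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet header line (e.g. commentary)
        proto = "udp" if m["proto"] == "UDP" else "tcp"
        yield (m["iface"], m["dir"], proto, m["src"], int(m["sport"]),
               m["dst"], int(m["dport"]))


def one_way_flows(text, iface):
    """Return flows that entered iface but for which no reply left iface.

    The key is normalised so that an OUT packet (reply, dst -> src) lands on
    the same key as the IN packet (request, src -> dst) it answers.
    """
    seen = defaultdict(set)
    for f_iface, direction, proto, src, sport, dst, dport in parse_capture(text):
        if f_iface != iface:
            continue
        key = ((proto, src, sport, dst, dport) if direction == "IN"
               else (proto, dst, dport, src, sport))
        seen[key].add(direction)
    return sorted(k for k, dirs in seen.items() if dirs == {"IN"})


if __name__ == "__main__":
    for proto, src, sport, dst, dport in one_way_flows(SAMPLE_CAPTURE, "Port1"):
        print(f"no reply seen on Port1: {proto} {src}:{sport} -> {dst}:{dport}")
```

Run against a longer capture from the LAN interface, the UDP entries in the output are the flows whose return path the NAT rule is not providing, while TCP flows that complete the handshake drop out of the list.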

  • XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.