DMZ Hell

Hi All,


I have gotten to the point of actually posting for help. I am new to this but I assure you I have read multiple documents, posts and watched videos. Still I am so stuck.


Here it goes:


Sophos XG current build


Port 1 LAN

Port 2 WAN  MY IP/

Port 3 DMZ

Internal network works fine. Completely connected and monitoring.

As naked as can be to eliminate any rule conflicts.


Have a Windows Server 2019 connected to a switch and the switch is connected to port 3


DMZ Firewall Rule - DMZ
    Source: ANY Zone/Host
    Destination: DMZ/Any Host
    Rewrite MASQ (
    Primary Gateway: DHCP Port 2


The rules check out in Policy Testing as accepted.


The server has no internet connection. I am able to access the 'localhost' on this server and the website pulls up fine. Firewall/anti virus OFF.


Configure-Routing Port 1 Port 2


Network-DNS-DNS Host Entry

My Domain Name domain


DNS -Request Route-Target

My Web Server




My Domain A is set to my IP address.


This is the current set up. If I ping My Domain I get 'Pinging Reply from Destination not reachable' from a computer on the LAN...currently


Ping from offsite computer I get: Pinging 'MY IP Address Request Timed Out'


This has to be easy for someone out there!



  • To let the server in the DMZ zone out, create a DMZ to WAN rule with NAT enabled.

    For DNS, make sure your PCs are using XG as their DNS server, or that there is conditional forwarding from your internal DNS server to XG.


  • In reply to lferrara:

    That was Fast!


    Added the DMZ to WAN rule as mentioned. No change for connection to the server. Pings are the same. The server has nothing running for DNS. I gathered that XG would handle that, so it was removed.



    Failed to mention in the first post that I had this rule for WAN:



  • In reply to JAGER:


    You do not need the static routes, as routes for the interfaces configured on XG are added automatically.

    For an Any to DMZ rule, you do not need NAT enabled.

  • In reply to lferrara:

    Removed the static routing and made the change removing the NAT from the rule but nothing flowing yet:


  • In reply to JAGER:

    Use packet capture or tcpdump and post the output here

  • In reply to lferrara:

    Couple different captures. Redacted is MY IP:


    Working on a proper tcpdump. Not sure what switches to use, so I am researching.


    Did a port scan and the only open port is 443 for the client access. All else, blocked.

  • In reply to JAGER:

    Did a tcpdump for port 3 and got nothing.

    Tcpdump port 80 Red redacted MY IP:


    Is this helpful?

  • In reply to JAGER:

    Looking around further brings up another question that may relate to my issue. My IPv4 and gateway IP are slightly different. I assigned the website name to the IPv4, as this is what I thought was my IP address. Wouldn't I want to send traffic to the gateway IP so it routes properly?

  • In reply to JAGER:

    Jager, can you clarify?

    Also, can you upload a network map with ports, ips and default gateways?


  • In reply to lferrara:

    It's usually something simple:


    This issue was resolved by adding a DHCP server for the DMZ.
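The fix above came down to the DMZ host having no gateway or DNS until a DHCP server handed them out. As an added example (not from this thread or from Sophos), the checker below validates a DMZ host's IP settings against the firewall's DMZ interface and reports the same gaps: missing or wrong gateway, and DNS not pointed at the firewall. The 10.10.30.0/24 subnet, the firewall address and both host configurations are constructed assumptions.

```python
"""Check a DMZ host's IP settings against the firewall's DMZ interface (constructed addresses)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

FIREWALL_DMZ_IP = "10.10.30.1"  # assumed: the firewall's DMZ (Port 3) address

@dataclass
class HostConfig:
    address: str                 # host IP with prefix, e.g. "10.10.30.20/24"
    gateway: Optional[str]       # default gateway, None if the host has none
    dns_servers: List[str] = field(default_factory=list)

def check_dmz_host(host: HostConfig, firewall_dmz_ip: str) -> List[str]:
    """Return findings explaining why the host cannot reach or be reached
    through the firewall; an empty list means the basics are in place."""
    findings: List[str] = []
    iface = ipaddress.ip_interface(host.address)
    fw = ipaddress.ip_address(firewall_dmz_ip)
    if fw not in iface.network:
        findings.append(f"firewall DMZ address {fw} is outside host subnet {iface.network}")
    if host.gateway is None:
        # No route off the subnet: outbound traffic never leaves the host and
        # replies to inbound connections are never sent back to the firewall.
        findings.append("no default gateway configured")
    else:
        gw = ipaddress.ip_address(host.gateway)
        if gw not in iface.network:
            findings.append(f"gateway {gw} is outside host subnet {iface.network}")
        elif gw != fw:
            findings.append(f"gateway {gw} is not the firewall DMZ interface {fw}")
    if not host.dns_servers:
        findings.append("no DNS server configured")
    elif str(fw) not in host.dns_servers:
        findings.append("firewall is not among the DNS servers; its DNS host entry will not be used")
    return findings

# Constructed: a server with a static address but no gateway or DNS
# (the state the DMZ host was in before a DHCP server was added).
BROKEN_HOST = HostConfig("10.10.30.20/24", gateway=None)
# Constructed: the same host after taking a lease from the DMZ DHCP server.
LEASED_HOST = HostConfig("10.10.30.20/24", gateway="10.10.30.1", dns_servers=["10.10.30.1"])

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_HOST), ("leased", LEASED_HOST)):
        print(name, check_dmz_host(cfg, FIREWALL_DMZ_IP) or ["ok"])
```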