I would like to do a "NAT reflection" in XG, but from a DMZ (actually a guest WLAN) to LAN using the public IP, forwarding back inside to the LAN.
I have seen how LAN back into LAN is explained in https://community.sophos.com/products/xg-firewall/f/network-and-routing/73239/nat-reflection
Can it be done?
Hi Intern Support
Yes, you would be able to configure this NAT reflection (Hairpin) rule as per that community thread.
In your situation:
Create a business application rule (DNAT/Full NAT/Load Balancing)
Please let me know if you had any issues.
I will follow up with our KB team in regards to publishing an article regarding this.
In reply to FloSupport:
Thanks for the answer!
When I choose "Rewrite Source Address (masquerading): Enabled" I also have to choose "use outbound address". What do I choose there?
Do I create and use the address of the FW interface for this network?
Since it is a WLAN (a WLAN router is involved), is there a problem with the TCP connections (port 443) going back and forth?
XG330 SFOS 17.1.3 MR-3
In reply to Intern Support:
Yes, you could use the default "Masq" definition, as this would NAT to the IP of the egress interface (LAN interface). Or you can also create a new IP host object for your LAN interface IP, and specifically use this for your NAT policy.
There shouldn't be any issues as the XG is a stateful firewall and will know where to forward the traffic to.
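Why the source rewrite matters for the hairpin rule, as an added model that is not Sophos code or the XG API (the addresses are constructed, and the model assumes the server's default gateway is the XG): a reply to a client on the server's own subnet bypasses the XG unless the request was masqueraded to the XG's LAN address, while a guest WLAN client on another subnet gets its reply routed back through the XG either way.

```python
from dataclasses import dataclass

# Constructed addresses for the model (not from the thread).
PUBLIC_IP = "203.0.113.10"   # XG WAN (Port2) address the clients connect to
XG_LAN_IP = "10.0.0.1"       # XG LAN interface address used by the Masq policy
SERVER_IP = "10.0.0.50"      # internal HTTPS server behind the DNAT rule
LAN_PREFIX = "10.0.0."       # the server's own subnet (on-link, no router needed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def firewall_forward(pkt, conntrack, masquerade):
    """Hairpin DNAT: public IP:443 -> server:443, optionally SNAT to the XG LAN IP."""
    if pkt.dst != PUBLIC_IP or pkt.dport != 443:
        return pkt
    new_src = XG_LAN_IP if masquerade else pkt.src
    out = Packet(new_src, SERVER_IP, pkt.sport, 443)
    conntrack[(out.dst, out.src, out.dport, out.sport)] = pkt  # keyed by reply tuple
    return out

def firewall_reverse(pkt, conntrack):
    """Undo the translation for a reply that matches a tracked connection."""
    orig = conntrack.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
    if orig is None:
        return pkt
    return Packet(orig.dst, orig.src, orig.dport, orig.sport)

def server_reply(req):
    """Server answers: on-link peers directly (bypassing the XG), others via its gateway, assumed to be the XG."""
    reply = Packet(req.dst, req.src, req.dport, req.sport)
    via_firewall = not reply.dst.startswith(LAN_PREFIX) or reply.dst == XG_LAN_IP
    return reply, via_firewall

def hairpin_succeeds(client_ip, masquerade):
    """True if the client gets its reply from the public address and port it connected to."""
    conntrack = {}
    req = Packet(client_ip, PUBLIC_IP, 40000, 443)
    reply, via_firewall = server_reply(firewall_forward(req, conntrack, masquerade))
    if via_firewall:
        reply = firewall_reverse(reply, conntrack)
    return reply.dst == client_ip and reply.src == PUBLIC_IP and reply.sport == 443
```

hairpin_succeeds("10.0.0.20", False) is the LAN-to-LAN reflection case from the linked thread and fails because the server answers the client directly with its private address; with masquerade=True both the LAN and the guest WLAN client get their reply from the public IP.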
Right now I have one forward rule for access from the internet and one for access from the WLAN, both to access the same LAN device via HTTPS. Is there any way I can make this one rule?
Do I also need to MASQ the accept rule that allows services on the internet, like DNS, HTTPS and so on, and what NAT policy?
If yes, does it mean I always have to use masquerading on rules handling traffic to the internet?
This will have to be two separate rules, as one rule is meant for outside internet users (no NAT) and one for hairpinning WLAN users (NAT).
For internal wireless/LAN traffic that is destined for the WAN zone (internet), you will need to have masquerading enabled (NAT to your public IP). Private network IP traffic will be dropped by ISP routers.
If I would like to allow certain traffic from LAN to all the other networks including the internet, do I have to create two rules?
1. for the internet, using MASQ
2. for all the other networks
How do I define the internet?
Destination Zone? WAN, I guess.
Destination Network? #Port2 (but that's just one IP), or do I create a network range like 0.0.0.1 - 255.255.255.254?
Yes you would have to create 2 separate rules for this. As your LAN to WAN firewall rule will need to have masquerading enabled, while your LAN to other local zones (DMZ/LAN) will not.
Please also make sure that your hairpin DNAT rule we originally discussed for LAN traffic accessing your internal server through its WAN IP remains at the top of your firewall rule list.
Just for understanding, why do I need to keep the "hairpin DNAT rule" at the top of the list?
To ensure that this rule is processed first, in the event you create any other firewall rules that could interfere.
Does it work to add my wireless LAN to the WiFi zone, or does it affect the network in any way apart from the "device access" options (policies)?
To confirm, I would need to take a look at how your current setup is configured. Enable the support access tunnel on your appliance and PM me with your ID.
It is not possible right now since the XG is not in service at the moment.
My knowledge is that zones are just for handling policies in an easier way; ports that belong to the same zone share the same policies.
Policies = "admin services", "authentication services", "network services" and "other services" accessed on the XG device.
They do not affect traffic going through the XG, RIGHT? (I just want to make sure I understand ZONES.)
Yes, that is correct about zones making policy administration easier.
However, I'm unsure of your question relating to not affecting traffic going through the XG?
Policies include firewall rules, which are configured to determine what traffic is allowed to go through the firewall and what type of traffic scanning/proxying occurs.
If a rule has source zones "lan" and source network and devices "any", it means that all ports in that zone are included.
Is that it, or is there more to it? Can you use zones in any other ways?
Apologies for the confusion, yes that is correct.