Sophos Connect Client can't reach WAN

Hello everybody,

I hope some of you can help me with this. I think it is fairly easy to solve but I cannot wrap my head around this. 

I have the following network structure:

Internet <--> 12.13.14.15 Router 10.6.0.1 (All ports opened) <---> 10.6.0.5 Sophos XG Firewall 10.20.30.1 <---> Internal Network

VPN clients get IP addresses from 10.21.0.20 to 10.21.0.30.

I have three (four) firewall rules set up:

- LAN to VPN
- VPN to LAN
- VPN to WAN
- WAN to VPN (But I'm not sure with this)

So my firewall sits as a single client inside the network behind the router. All the traffic is passed to the firewall. In the Sophos Connect Client settings page on the firewall I set the interface to 10.6.0.5 for the export, but afterwards put my public IP (12.13.14.15) in to get it to work.

With this configuration in place I managed to access the clients in the LAN network with 10.20.30.1/24 addresses.
As I receive a ping reply, I think the two rules LAN to VPN and the reverse VPN to LAN must work. What I cannot reach is any outside client.
For testing purposes I tried to ping 1.1.1.1, but with no response. Even in the logs I can see that my user, who is connected through the client, appears as passed traffic, but the traffic never makes it to the WAN.

Do you have any suggestions as to what the issue could be?

  • It sounds like the rule VPN to WAN is missing the MASQ for the NAT. What version are you using? And is this a full tunnel?

    If this is V17, in the rule change the setting for NAT to MASQ. If this is V18 this should work out of the box. If not, navigate to the NAT tab and check the rule order, whether the network range that you use hits something before the default IPv4 rule. Or if you have your own rule for MASQ, look into that rule.

    //Rickard

  • In reply to RickardNordahl:

    Hello Rickard, I will add the missing information.

    We use Version 18.0.1 MR-1 Build 396. I think the connection is a full tunnel because the route in the generated config file is 0.0.0.0/0; as far as I understand, the whole traffic is getting redirected. This is also what I want to achieve.

    I deployed the box in the last few days. It came with v17 and I upgraded immediately to v18. So there is a NAT rule with SNAT MASQ set, as you can see in the screenshot.

    Although it is linked to a specific firewall rule, shouldn't it catch all traffic no matter which firewall rule handles the traffic?

    Here is the list of firewall rules. They consist mainly of LAN, WAN (Any Host) => VPN (VPN client address space 10.21.0.0/24).

    EDIT:

    Could the problem be a missing route for the VPN client traffic?

    //Giuseppe

  • In reply to Giuseppe Rizzo:

    Hello, I do not think (for now anyway) that you are missing a route (in the XG), since the internal traffic works and that flows without problem. You can look in the logs to see if the Sophos Connect network is hitting a NAT rule or not.

    One thing is the unknown router here. Why do you have that? And could it be something in there that needs to be addressed, routes, NAT rules and so on?

    Back to the Sophos. It could be the rule order of the NAT rules; can you post a screenshot of all the NAT rules please? And also please try to enable the last NAT rule called "Default IPv4 NAT" or something similar and see if that helps.

    //Rickard

  • In reply to RickardNordahl:

    Thank you for your response.

    RickardNordahl

    Hello, I do not think (for now anyway) that you are missing a route (in the XG), since the internal traffic works and that flows without problem. You can look in the logs to see if the Sophos Connect network is hitting a NAT rule or not.

    In the logs I can see that the VPN client accesses for example 1.1.1.1 and the firewall rule icon is green. As I understand the log viewer, these packets passed the firewall and were processed by NAT.

    RickardNordahl

    One thing is the unknown router here. Why do you have that? And could it be something in there that needs to be addressed, routes, NAT rules and so on?

    The router is needed for the internet connection. I have two ISPs, which means I also have two gateways, but they run in a failover cluster. So they don't run in load-balance mode. One ISP provides me with a fiber connection. For this I don't need the router, but for the other connection (VDSL) I need the built-in modem to connect to the ISP.
    One thought was to change the router to a modem-only mode. But I think the router shouldn't be a problem. All ports are passed to the firewall and there are routes for the traffic originating from the firewall.

    RickardNordahl

    Back to the Sophos. It could be the rule order of the NAT rules; can you post a screenshot of all the NAT rules please? And also please try to enable the last NAT rule called "Default IPv4 NAT" or something similar and see if that helps.

    Yeah, for sure. Here is the screenshot; I only have the one rule active. But what makes me wonder is that in the logs the used NAT rule is 0, but there is no NAT rule 0.

    //Giuseppe

  • In reply to Giuseppe Rizzo:

    Hi, I think I can see the problem here.

    The NAT rule you have is linked to firewall rule #5, LAN to WAN; that means that the VPN clients will not hit that NAT rule.

    There should be a new default one at the bottom of the list that is inactive. But if not, please create a NAT rule for traffic to the Internet using MASQ.

    Here is the one I have:

    And here is the configuration.

    Remember to change the Outbound Interface to the interface you use as WAN, and place the rule last on the NAT rule page; there is no need to link the rule.

    When you have this rule up and running the VPN should be able to access the Internet and you can disable the LAN to WAN NAT rule. And after that works, you can remove the LAN to WAN linked NAT rule. There is no need to use linked NAT rules in v18 if not for special setups or rules.

  • In reply to RickardNordahl:

    Thank you very much. This worked properly. 

    So my understanding is right, that in the case where traffic gets processed by a firewall rule with no linked NAT rule, other linked NAT rules won't apply. Only unlinked NAT rules.

    One issue remains. Every time I log in to the VPN I receive the warning "The UDP port for IKE seems to be blocked", but the connection could be established successfully. Also in this case, no blocked ports on the ISP router, but do I need to create a separate rule for the initial connection?

    // Giuseppe

  • In reply to Giuseppe Rizzo:

    That's correct. If a NAT rule is linked, it is only used when traffic hits that firewall rule. If you have a non-linked NAT rule, it is applied to any traffic that matches that NAT rule.

    No, there is no need to create a rule for the UDP port message. I think it could be that since the router in front also NATs the traffic, it takes more time than the client expects. Not sure.
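Rickard's explanation of linked versus unlinked NAT rules, written up as a small Python model of the rule selection (added here; this is not Sophos code or anything posted in the thread, and the VPN to WAN rule number 7, the zone names and the LAN host 10.20.30.50 are constructed to mirror the poster's setup):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class FirewallRule:
    rule_id: int
    src_zone: str
    dst_zone: str

@dataclass
class NatRule:
    rule_id: int
    src_net: str                          # original source to translate (SNAT/MASQ)
    out_zone: str                         # only flows leaving via this zone match
    linked_fw_rule: Optional[int] = None  # None = unlinked, considered for any flow

def select_nat_rule(fw_rule, src_ip, out_zone, nat_table):
    """Return the id of the first NAT rule that translates this flow, or 0.

    A linked rule is only considered when the flow was allowed by the
    firewall rule it is linked to; unlinked rules are considered for every
    flow. Rules are walked in table order, so the catch-all belongs last.
    """
    src = ip_address(src_ip)
    for nat in nat_table:
        if nat.linked_fw_rule is not None and nat.linked_fw_rule != fw_rule.rule_id:
            continue                      # linked to a different firewall rule
        if nat.out_zone == out_zone and src in ip_network(nat.src_net):
            return nat.rule_id
    return 0                              # "NAT rule 0" in the log viewer: no translation

# Constructed rules mirroring the thread: #5 is LAN to WAN, #7 (assumed) is VPN to WAN.
FW_LAN_TO_WAN = FirewallRule(5, "LAN", "WAN")
FW_VPN_TO_WAN = FirewallRule(7, "VPN", "WAN")

# Before the fix: one MASQ rule matching any source, but linked to firewall rule #5.
NAT_BEFORE = [NatRule(1, "0.0.0.0/0", "WAN", linked_fw_rule=5)]
# After the fix: an unlinked MASQ rule appended last, as Rickard suggested.
NAT_AFTER = NAT_BEFORE + [NatRule(2, "0.0.0.0/0", "WAN")]

def vpn_client_nat(nat_table):
    """Sophos Connect client 10.21.0.20 pinging 1.1.1.1 via the VPN to WAN rule."""
    return select_nat_rule(FW_VPN_TO_WAN, "10.21.0.20", "WAN", nat_table)

def lan_client_nat(nat_table):
    """Constructed LAN host 10.20.30.50 reaching the Internet via the LAN to WAN rule."""
    return select_nat_rule(FW_LAN_TO_WAN, "10.20.30.50", "WAN", nat_table)
```

With `NAT_BEFORE` the VPN flow returns 0, matching the "NAT rule 0" Giuseppe saw in the logs, while the LAN flow is masqueraded by rule 1; with `NAT_AFTER` the VPN flow hits the unlinked rule 2 and the LAN flow still hits rule 1.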