I am trying to publish multiple services to the Internet. It is working fine using business rules. But, I want to be able to add a loopback/hairpin NAT so that if someone inside the network uses the public IP to access the service they are redirected to the internal network. I would also like this bound to an interface IP and not an IP object because it will not always be a static IP.
In reply to Slawski:
Good morning everyone,
I am reaching you through my original posting: https://community.sophos.com/products/xg-firewall/f/network-and-routing/118163/hairpin-nat-sophos-xg310-configuration
I was following your settings, but I'm failing on the "template" for the Business Application Rule.
Which template should I use? Every template has different settings and nothing like your posting....
In reply to Marius Reeger:
Did you find a solution?
I'm stuck at the same point.
In reply to Alberto Aresi:
With XG v18, you can create a loopback interface inside the NAT tab.
In reply to lferrara:
Luk, I'm now on V18 but it's not like there is a rule that says "loopback".
Could you give some hint on how to set it up ?
Use the DNAT wizard and you will see that the wizard creates 3 DNAT rules:
If you already have a DNAT rule that matches the same traffic, delete the DNAT rule created by the wizard. Delete the reflexive rule if you do not need it and keep the loopback rule.
If you want to create the loopback rule manually, create it like this. See the screenshot:
Port 2 is my WAN interface and VTLVA is my internal server IP.
Hope it helps!
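As an added illustration of what the three wizard rules above do (this is example code, not from the thread or from Sophos), here is a small Python model of the DNAT, loopback and reflexive rules together with the firewall rule that has to accompany them. Interface names, addresses and the exact rule semantics are assumptions; the point it shows is why the loopback rule must also rewrite the source address, so that the server's reply comes back through the firewall instead of going straight to the LAN client.

```python
"""
Added example (not code from the thread or from Sophos): a model of the three
NAT rules the XG v18 DNAT wizard creates, plus the firewall rule they need.
Addresses, interface names and rule semantics are illustrative assumptions.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

WAN_IP = "203.0.113.10"   # assumed public IP on Port2 (WAN)
LAN_GW = "192.168.1.1"    # assumed firewall address on Port1 (LAN)
SERVER = "192.168.1.50"   # assumed internal server (the post's VTLVA)
LAN_PREFIX = "192.168.1."


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str  # interface the packet arrives on


@dataclass(frozen=True)
class NatRule:
    name: str
    in_if: str                      # "*" matches any interface
    src_ok: Callable[[str], bool]   # predicate on the original source
    dst_ok: Callable[[str], bool]   # predicate on the original destination
    new_dst: Optional[str] = None   # translated destination (DNAT)
    new_src: Optional[str] = None   # translated source (SNAT / MASQ)


def wizard_rules(loopback_snat: bool = True) -> List[NatRule]:
    """The three wizard rules. loopback_snat=False models a loopback rule
    that only rewrites the destination, which is the common mistake."""
    return [
        # 1. DNAT: Internet -> WAN IP becomes Internet -> server
        NatRule("dnat", "Port2", lambda s: not is_lan(s),
                lambda d: d == WAN_IP, new_dst=SERVER),
        # 2. Loopback: LAN -> WAN IP becomes LAN_GW -> server, so the server
        #    answers the firewall rather than the client directly
        NatRule("loopback", "Port1", is_lan, lambda d: d == WAN_IP,
                new_dst=SERVER, new_src=LAN_GW if loopback_snat else None),
        # 3. Reflexive: server -> Internet leaves with the published WAN IP
        NatRule("reflexive", "Port1", lambda s: s == SERVER,
                lambda d: not is_lan(d), new_src=WAN_IP),
    ]


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Tuple[Optional[str], Packet]:
    """First matching rule wins, like an ordered NAT table."""
    for r in rules:
        if r.in_if in ("*", pkt.in_if) and r.src_ok(pkt.src) and r.dst_ok(pkt.dst):
            return r.name, replace(pkt, src=r.new_src or pkt.src,
                                   dst=r.new_dst or pkt.dst)
    return None, pkt


# Firewall rules are matched on post-NAT addresses: (src zone, dst zone, dst ip)
FIREWALL = [
    ("WAN", "LAN", SERVER),  # the usual rule for the published service
    ("LAN", "LAN", SERVER),  # needed for loopback traffic (LAN -> LAN)
]


def zone(ip: str) -> str:
    return "LAN" if is_lan(ip) else "WAN"


def firewall_allows(pkt: Packet) -> bool:
    return (zone(pkt.src), zone(pkt.dst), pkt.dst) in FIREWALL


def hairpin_works(client: str, loopback_snat: bool = True) -> bool:
    """Can a LAN client reach the service through the public IP?"""
    rule, out = apply_nat(Packet(client, WAN_IP, "Port1"), wizard_rules(loopback_snat))
    if rule != "loopback" or out.dst != SERVER or not firewall_allows(out):
        return False
    # The server replies to out.src. Only when that is the firewall itself
    # does the reply pass back through the firewall to be un-NATed; otherwise
    # the client receives a reply from SERVER for a connection it opened to
    # WAN_IP and resets it.
    return out.src == LAN_GW


if __name__ == "__main__":
    print("loopback with SNAT:", hairpin_works("192.168.1.20"))
    print("loopback without SNAT:", hairpin_works("192.168.1.20", loopback_snat=False))
```

The model also makes the point from later in the thread explicit: the loopback rule only does anything if a LAN-to-LAN firewall rule permits the post-NAT traffic, and a loopback rule without the source rewrite fails even when both NAT and firewall rules match.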
Still not working
Port 2 is my wan and test2asolve is my NAS
Make sure that a corresponding firewall rule exists.
If it does not work, please post a drop-packet-capture.
it is now working, but only with the wizard.
The loopback option is grayed out when I try to create the new nat rule manually.
But that's quite enough for today.
this one works for me.
I generally find Split DNS to be a more elegant way to solve this sort of problem rather than messing around with NAT rules.
In reply to ChrisKnight:
That is all very fine when all the devices on your network change their DNS settings as per the DHCP server or even static assignments, but when they have inbuilt DNS entries which, for some applications, ignore the network settings, then you need a hairpin DNS NAT.
There has to be a bug in V18.
So many people for whom loopback NAT is not working. They always get linked to this old thread from 2015.
I tried it with sophos support last week. After 3 hours of working on our XG we had to stop.
Edit: It seems we fixed the issue. We changed the route precedence to static first. With the update to v18 it had changed to policy routing first.