
Need help to fix Port forward UDP from external to Internal Server Different ports (port Translation)

My setup.

 

External needs to access the internal server on UDP port 12345.

 

I created a Firewall Rule first:

 

Named the Rule, Rule group (Traffic to Internal Zones)

Action: Accept

Source zones: Any     Source networks and devices: Any     During scheduled time:  All the time

Destination zones: LAN     Destination networks:  #Port1 (my port connected to internal network)     Services:  deluge udp (Protocol UDP/ Source port 1:65535  Destination port:  12345)

Nothing selected in Match known users, web filtering, App Control, and IPS

 

I created a NAT Rule:

Named the rule

Original Source: #Port2 (where my modem / Internet source is connected)     Original Destination:  Local subnet (192.168.1.0 with subnet /24)     Original service:  UDP

Translated source (SNAT):  Original     Translated destination (DNAT):  Server (IP Address of my server)     Translated service (PAT):  deluge UDP (Protocol UDP/ Source port 1:65536  Destination port:  12345)

Interface matching criteria left as is:  Inbound interface:  Any     Outbound Interface:  Any

 

When I check from canyouseeme.org and test port 12345, it says it cannot see the service on MyPublicAddressHere.



  • Hi,

    please try changing your source port to WAN.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi.  Changed my Source to WAN in Firewall Rule.  Didn't change anything in DNAT.  

    Same result.  

     

     

    Update!  I got it to work by watching this video, but somewhat :D

    https://www.youtube.com/watch?v=-ekWg2Lvo5M&t=1006s

     

    First, I did change Source to WAN.  Also changed Destination networks to #Port2 (port connected to WAN)

    Second, Went to NAT Rule, and changed source to Any, Original destination as #Port2. 

     

    When I tested this, still failed.

     

    I somehow remembered I've tried changing UDP to TCP before, in XG v.17.  I tried changing everything to TCP, and I was 'seen' from outside.

    I know both need to be open.  Does this mean TCP allows you to be seen from outside?  And UDP is needed from the inside?  
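The symptom in the post above (UDP "not seen", TCP "seen") is what a TCP connect test such as canyouseeme.org will always report for a UDP-only service: it completes a TCP handshake or nothing, and never sends a datagram. The script below is an added example for this thread, not code from the thread or from Sophos. It runs on localhost only: a UDP echo listener stands in for the Deluge container behind the DNAT rule, and the two probe functions stand in for an external checker. Hosts, ports and the probe payload are constructed for the demo. To verify a real UDP forward, run the listener on the internal host and the UDP probe from outside the WAN.

```python
"""Why a TCP port checker reports a UDP-only service as closed.

Added example, not from the original thread. Everything runs on
127.0.0.1; the UDP listener plays the internal server behind the DNAT
rule and the probes play an external port checker.
"""
import socket
import threading

PROBE = b"deluge-udp-probe"   # constructed payload; any bytes would do


def start_udp_echo(host: str = "127.0.0.1") -> int:
    """Bind a UDP socket on an ephemeral port and echo every datagram back.

    Returns the port so the probes can target it. The listener runs in a
    daemon thread and disappears when the interpreter exits.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    port = sock.getsockname()[1]

    def serve() -> None:
        while True:
            data, peer = sock.recvfrom(2048)
            sock.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_udp(host: str, port: int, timeout: float = 1.0) -> bool:
    """Send a datagram and require an application-level answer.

    UDP has no handshake, so the only proof that a DNAT rule delivers
    traffic is a reply from the service itself. connect() is used so an
    ICMP port-unreachable for a closed port surfaces as
    ConnectionRefusedError instead of being silently dropped.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            sock.send(PROBE)
            reply = sock.recv(2048)
        except OSError:            # timeout, connection refused, unreachable
            return False
    return reply == PROBE


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """A TCP connect test, which is all a web port checker can do.

    The handshake completes only if something listens on TCP/port; a
    service bound to UDP/port alone answers with RST, i.e. "closed".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            return False
    return True


def free_udp_port(host: str = "127.0.0.1") -> int:
    """Pick a port with no listener, to show what a failed forward looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    port = start_udp_echo()
    print(f"UDP/{port} via UDP probe : {probe_udp('127.0.0.1', port)}")
    print(f"UDP/{port} via TCP probe : {probe_tcp('127.0.0.1', port)}")
    print(f"unused port via UDP probe: {probe_udp('127.0.0.1', free_udp_port())}")
```

The UDP probe only reports "open" when the service answers, so it also catches the case where the NAT rule is right but the application is not listening, which a TCP test against a TCP listener cannot distinguish from a working setup.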

  • Thanks for the explanation.  So from the looks of it, I need PAT.  I am required to open ports from outside, but want it to go through a different port number on the server inside.  

  • No, you don't.

    You have all of your docker apps (webservers) locally running on different ports as you said initially. But they are all running on the same local IP/server.

    For this scenario NAT alone is all you need. You create a NAT rule for each port/webserver you want to be reachable from the internet using the same port as you use to connect via LAN. You CAN use PAT in this scenario to 'hide' your locally used ports from the internet, but the minimal gain in 'security' (in my opinion it is zero) is not worth raising the complexity of your firewall rules.

    You only really need PAT when all of your apps would run on the same port, but on different local IPs. In most conditions you only have 1 public IP and there, each port can only be used once/for one service. So if you wanted to expose two apps/services that locally both use 8080 you could only publish one of them on the internet with port 8080. For the other app/service you would have to use another port on the internet, e.g. 8081; locally it would stay the same. There you would need PORT (I hate the 'ADDRESS' here) TRANSLATION.

    When your app needs more than one port open you simply create another NAT rule without touching the port. If your app locally does react to 8080 and 8088 then create two NAT rules, one for 8080 and one for 8088.

    If your app locally does not listen on a specific port it would make no sense creating a NAT rule for that port.

    As I said above, with NAT (AND PAT) the destination system becomes responsible for the connection. If there is a security problem with the app/service you expose to the internet the firewall alone can't protect it. So I would recommend two things: install all security updates/patches for your apps and don't do that only once, do it regularly.

    Second thing: use IPS in the firewall rule (WAN to LAN for example) as this can protect you against known security problems. But don’t only rely on it. It is an additional security layer to properly patched systems.

    And my last two cents: if you do not really know what you are doing leave it better to someone who does. We have already too much botnet zombies out there.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Ok, I think I may have been confused before.  Deluge Docker Container, which is accessible via NAS_IP:8112, has settings that I can adjust under preferences, such as Incoming ports and Outgoing ports.  8112 is just for me to access the web GUI, and not really of any other significance.  Maybe all Docker apps are accessible via web port 80, but since all of them are using NAS_IP, they can't all be port 80, hence there's a distinction between NAS_IP:8112 (Deluge), NAS_IP:8384 (Syncthing), etc.  Under each container is where I need to set Incoming and Outgoing ports.  So not all containers listen on all ports.  As you explained above, the firewall only opens and closes the ports.  It's up to the apps to listen on certain ports (when they are open).  Correct?

    If above is correct, I want to allow incoming port 12345 to my Deluge Docker Container, This is what I've done so far:

     

    Create Service Deluge TCP 12345

    Protocol TCP, Source port 1:65535 Destination port:12345

     

    I added NAT rule, Server access assistant (DNAT)

    Under Select IP host, I selected NAS_IP

    Under Public IP address, I selected #Port2 (my WAN interface)

    Under Services, I selected Deluge TCP 12345 (service created above)

    External source networks and devices, selected Any

    Does above sound right?

  • Sounds right.

    The thing where you have to allow incoming and outgoing ports is the one that controls, which of your docker apps will receive the connection. All other docker apps won't be able to get the connection on the same port.

    From a logical view the Deluge docker app will then have ports 8112 and 12345 open. If 8112 is only for you for management, only NATing 12345 should be enough.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Yes, seems 8112 is the management port, not really where ports should be forwarded to.  

    Deluge also requires UDP of the same port number, e.g. 12345, to be open.  Under the original service section, can TCP and UDP be placed together?  Saw an example in a firewall rule where 2 services are together, such as SMTP and SMTPS.   

    The rule created by Server Access Assistant for Deluge Docker Container has source as ANY.  I guess this won't hurt as opposed to #port2?  Any only includes #port1, and VLAN, and VPN?  So mostly internal customers except for VPN.

     

     

    How do I tweak NAT (if still the correct service) to open outgoing?  Deluge says it requires me to open a port range, e.g. 5000-5005, for outgoing.  I don't think the Server Access Assistant will work here.  I'll need to fill things in manually.  What do I put in:

     

    Source:  LAN. Original Destination:  #port1?  Original Service:  Deluge TCP Outgoing port range?

    Translated Source (SNAT): Original Translated Destination (Original) Translated service (PAT): Original

    Inbound interface ANY, Outbound interface ANY?

     

  • Normally you do not have to care about NATing outbound traffic. MASQuerading is the name for it here. Technically it is a SNAT (source NAT); what we were talking about until now is DNAT (destination NAT). With masquerading the first IP address of your WAN interface is used when a local IP address is making a connection to the internet. Since local addresses (like 192.168.0.1) are not routable on the internet the router/firewall exchanges the original source address for its own WAN IP. So the destination servers know the "way back" to serve the request.


    What you do have to care about is a firewall rule. In most cases (home routers) any outgoing traffic is allowed by default. With a firewall like a Sophos XG you have more control over it, giving you the possibility of opening only the needed ports and leaving the rest closed.

     

    Regarding your question about TCP and UDP: I would recommend using one definition for one service ("Deluge TCP 12345" and "Deluge UDP 12345" for example). Then one NAT rule for each service and one firewall rule for each service. With the "hit counts" on firewall and NAT rules you can then see if one of them is useless. If the rule has 0 hits, simply disable/delete it.

     

    ANY means ANY, not only local addresses. The firewall zone plays a lot of importance here, too. "Any" in WAN means every possible public IPv4 address.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
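The two NAT directions discussed in the thread, modelled in code. This is an added example for this thread, not code from Sophos or from the posters: a DNAT/PAT table for published services and a masquerading (SNAT) table for outbound connections. It shows the point made earlier about a single public IP carrying each (protocol, port) pair only once, so two apps that both listen on 8080 need PAT for the second one, while TCP/12345 and UDP/12345 do not collide; and it shows how masquerading remembers the original source so the reply finds its way back. All addresses and ports are constructed for the demo; 203.0.113.10 stands in for the WAN IP on #Port2.

```python
"""Model of DNAT/PAT for published services and masquerading for outbound
connections. Added example, not Sophos code; all addresses constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed WAN address (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str               # "tcp" or "udp"


@dataclass
class NatTable:
    # (proto, public port) -> (internal ip, internal port)
    dnat: dict = field(default_factory=dict)
    # (proto, masqueraded source port) -> (private ip, private port)
    masq: dict = field(default_factory=dict)
    next_masq_port: int = 40000

    def publish(self, proto: str, public_port: int,
                internal_ip: str, internal_port: int) -> None:
        """Add a DNAT entry; it is PAT when public_port != internal_port.

        The public (proto, port) pair is the scarce resource: there is one
        WAN IP, so a second service on the same pair is rejected.
        """
        key = (proto.lower(), public_port)
        if key in self.dnat:
            raise ValueError(f"{key[0]}/{public_port} on {PUBLIC_IP} already published")
        self.dnat[key] = (internal_ip, internal_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet that arrived on the WAN IP.

        None means no NAT rule matched: the packet keeps its public
        destination and no LAN-side firewall rule will ever see it.
        """
        if pkt.dst_ip != PUBLIC_IP:
            return None
        target = self.dnat.get((pkt.proto.lower(), pkt.dst_port))
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)

    def outbound(self, pkt: Packet) -> Packet:
        """Masquerade: swap the private source for the WAN IP plus a fresh
        source port, and remember the mapping for the reply."""
        masq_port = self.next_masq_port
        self.next_masq_port += 1
        self.masq[(pkt.proto.lower(), masq_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, masq_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Undo masquerading for the answer coming back from the internet."""
        original = self.masq.get((pkt.proto.lower(), pkt.dst_port))
        if pkt.dst_ip != PUBLIC_IP or original is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, original[0], original[1], pkt.proto)


def demo() -> dict:
    """Publish the thread's services and push a few constructed packets through."""
    nat = NatTable()
    nat.publish("tcp", 12345, "192.168.1.20", 12345)   # Deluge TCP, plain DNAT
    nat.publish("udp", 12345, "192.168.1.20", 12345)   # same number, other protocol
    nat.publish("tcp", 8080, "192.168.1.30", 8080)     # first web app, plain DNAT
    nat.publish("tcp", 8081, "192.168.1.31", 8080)     # second web app needs PAT
    try:
        nat.publish("tcp", 8080, "192.168.1.31", 8080)  # would reuse tcp/8080
        clash = False
    except ValueError:
        clash = True

    to_second = nat.inbound(Packet("198.51.100.7", 51000, PUBLIC_IP, 8081, "tcp"))
    unpublished = nat.inbound(Packet("198.51.100.7", 51000, PUBLIC_IP, 9999, "udp"))
    out = nat.outbound(Packet("192.168.1.50", 52000, "192.0.2.80", 443, "tcp"))
    back = nat.reply(Packet("192.0.2.80", 443, PUBLIC_IP, out.src_port, "tcp"))
    return {
        "clash": clash,
        "pat_target": (to_second.dst_ip, to_second.dst_port),
        "unpublished_dropped": unpublished is None,
        "masq_src": (out.src_ip, out.src_port),
        "reply_target": (back.dst_ip, back.dst_port),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The model is deliberately stateless on the DNAT side (a published port is always rewritten) and stateful on the SNAT side (only a remembered masqueraded port is reversed), which is also the reason an unsolicited inbound packet to the masqueraded WAN IP has nowhere to go unless something was published.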

  • kerobra said:

     

    Regarding your question about TCP and UDP: I would recommend using one definition for one service ("Deluge TCP 12345" and "Deluge UDP 12345" for example). Then one NAT rule for each service and one firewall rule for each service. With the "hit counts" on firewall and NAT rules you can then see if one of them is useless. If the rule has 0 hits, simply disable/delete it.

     

    This makes a lot of sense. 

    Sorry, I don't quite get the explanation opening ports for outbound traffic. 

    When an app such as Deluge says it requires me to open outbound ports on my firewall, say a range of 5001 to 5005, I shouldn't look at NAT rule. Instead, what do I do?  Do I just create a new firewall rule?  With Service Deluge TCP Range: 5001:1005?  

    Thanks!

  • If I got it right you are on v18 now, correct?

    Then under "Rules and policies" / "NAT rules" you should see a SNAT rule at the very end of the list called "Default SNAT IPv4" (or maybe IPv6, too; that depends on your internet provider). When you look closer into that rule you can see that it covers all connections ("Any" Original source, "Any" Inbound interface) and the Outbound interface that you defined as your WAN interface. Under "Translated source (SNAT)" you should see the default MASQ rule and everything else set to "Original".

    That means everything that leaves your network over the WAN interface will get source-NATed with masquerading. Masquerading uses the public IP of the WAN interface for connections from your LAN devices to the internet, since a webserver on the internet can't answer requests from your PC's local IP address, for example.

     

    If you have an internet connection with more than 1 IP address (e.g. a /29 subnet) then you can use more specific SNAT rules. In most cases this is used for example for an email appliance/gateway that must be resolvable both "forward" through MX (like "mail.yourdomain.com") and backwards to its IP (like "123.45.67.89" having an RDNS record) to be more "trusted". But that is only mentioned as an aside.

     

    So with your "Default SNAT IPv4" NAT rule all outbound connections are covered from the "NAT side" out of the box.
    What you do have to do is allowing the outbound traffic with "Firewall rules". If you already have an allow rule that allows all traffic from "Source zone LAN to Destination zone WAN" you do not have to use extra rules for your docker apps at all.
    But like with the incoming rules, I would recommend splitting outgoing rules into smaller parts, so that 1) you can see if a rule is even used at all and 2) you are able to be more specific in the usage of the additional security features like web filtering, IPS, App control or QoS (traffic shaping).

     

    In XG the firewall and NAT rules are executed from top to bottom. If an entry matches the current connection, further rules are not applied. So you may have to care about the position of your rules in the ruleset, especially the firewall ruleset.

     

    When configuring firewall rulesets for my customers I normally do the following:
    - top rules: incoming NAT connections, if used and webserver protection rules.
    - after that: Site-to-Site- and/or RAS-VPN-rules.
    - then: connections between local zones of the firewall like DMZ, (v)LANs
    - last: outgoing connections by zone, allowing only as much traffic as specifically needed.

    For the outgoing connections there are some "special cases" (e.g. traffic that should not be proxied); these are bound to specific local IP addresses and/or destinations. These come before the more general rules that cover the whole subnet or zone (like "web surfing" or something like that), just before the "Drop all" rule.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
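The top-down, first-match evaluation described in the post above, as an added example for this thread (not Sophos code). It evaluates a small LAN-to-WAN ruleset the way the post describes (the first matching rule wins and later rules are ignored), keeps a hit counter per rule like the firewall's hit-count column, and adds a shadow check that reports rules an earlier, broader rule makes unreachable, which is how a rule ends up with 0 hits. It goes slightly beyond the post by doing the shadow analysis statically rather than waiting for the counters. Zones, protocols, rule names and port ranges are constructed for the demo.

```python
"""Top-down, first-match firewall evaluation with hit counters and a
shadowed-rule check. Added example, not Sophos code; rules constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    src_zone: str = ANY
    dst_zone: str = ANY
    proto: str = ANY                  # "tcp", "udp" or ANY
    dports: tuple = (1, 65535)        # inclusive destination port range
    hits: int = 0

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src_zone in (ANY, src_zone)
                and self.dst_zone in (ANY, dst_zone)
                and self.proto in (ANY, proto)
                and self.dports[0] <= dport <= self.dports[1])

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match also matches self."""
        return (self.src_zone in (ANY, other.src_zone)
                and self.dst_zone in (ANY, other.dst_zone)
                and self.proto in (ANY, other.proto)
                and self.dports[0] <= other.dports[0]
                and other.dports[1] <= self.dports[1])


def evaluate(rules, src_zone, dst_zone, proto, dport, default="drop"):
    """First match wins; a connection no rule matches gets the default."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, dport):
            rule.hits += 1
            return rule.action, rule.name
    return default, "implicit drop"


def find_shadowed(rules):
    """(shadowed rule, earlier rule that covers it) for unreachable rules."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                out.append((later.name, earlier.name))
                break
    return out


def lan_to_wan_ruleset(smtp_block_first: bool):
    """Same four constructed rules in two orders: a specific drop placed
    below a broad allow never fires; placed above it, it does."""
    block_smtp = Rule("block outbound smtp", "drop", "LAN", "WAN", "tcp", (25, 25))
    web = Rule("web surfing", "accept", "LAN", "WAN", "tcp", (443, 443))
    everything = Rule("lan to wan all", "accept", "LAN", "WAN")
    drop_all = Rule("drop all", "drop")
    if smtp_block_first:
        return [block_smtp, web, everything, drop_all]
    return [web, everything, block_smtp, drop_all]


if __name__ == "__main__":
    for order in (False, True):
        rules = lan_to_wan_ruleset(smtp_block_first=order)
        verdict = evaluate(rules, "LAN", "WAN", "tcp", 25)
        print(f"smtp block first={order}: tcp/25 -> {verdict}")
        print("  shadowed:", find_shadowed(rules))
        print("  hits:", {r.name: r.hits for r in rules})
```

The shadow check is conservative: it only flags a rule when a single earlier rule covers it completely, so a rule hidden by the union of several earlier rules still shows up only through a 0 hit count, which is exactly why the post recommends watching those counters.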

  • Yes, I'm on V18.  Thank you for your patience in explaining each question.  I understand it better now, will test it out, as you suggested, granular, so that you know which is useless, or which is needed.  

  •  I have a follow-up question.  After opening my port xxxx1, and after I put the same port number in Deluge torrent app, whenever I use canyouseeme, it says port is open.  When I removed the port number from the torrent client, and put in any other port number xxxx2, and I test the original port number xxxx1, it says it's 'closed.'  Now, when I put back xxxx1 on the torrent client, and go to Sophos XG log viewer, and added filter of 'Destination is IP_address_of_NAS,' nothing comes up.  

    If traffic is supposed to be going in or out of docker app from the NAS, isn't there supposed to be output when I select this?
