Issues while creating a hairpin NAT

Hi folks,

Another post on my issues about creating a firewall hairpin NAT rule.

I have an NTP server on my network and I want devices to use it as a reference time source. I know the device works: when I change network devices to query it for time, they update correctly.

When I built my own firewall rule using a linked NAT rule there were lots of queries to the rule but nothing was returned.

So, I have decided to use the XG build a server access rule.

I think one of the questions in the create wizard is wrong.

It asks for the external source networks and devices, but never asks for the internal networks. You can add your internal networks which I did.

Next issue is the reflexive rule automatically created does not use the required service as entered in previous pages, just uses ANY which allows all traffic to bypass the specific NAT and linked NAT rules. Again you can change it to the required service.

Next issue is the created firewall rule appears to be wrong.

Destination zone is LAN but the destination network is the external interface which is a WAN zone.

The result is the rule does not work.

I have tried creating a FQDN for the external internal access to the NTP, but there is nowhere to add it to the rule along with a number of other issues of trying to add another external url for the same address, the XG does not like it.

Please advise what is required to make the hairpin NAT work. I have read the KBA and followed that document and ended up with the above issues.

Ian


corrected an incorrect edit.
[edited by: rfcat_vk at 9:46 PM (GMT -8) on 8 Feb 2021]
  • Hello rfcat_vk,

    Thank you for contacting the Sophos Community!

    Can you do a packet capture on the GUI, to see if the traffic is arriving and then what rule is being processed?

    As per the Firewall rule, I used the Wizard and got the correct WAN to WAN.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi EmmoSophos,

    None of the internal devices hit the firewall rules. Logviewer only shows the NTP server using the IPv6 rule allowing it out and one dumb device that breaks the country rules when it can't connect to the NTP server.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="PortE2" in_display_interface="LAN" out_interface="" out_display_interface="" src_mac="xxxxxxxx" dst_mac="" src_ip="192.168.x.x" src_country="" dst_ip="WAN IP" dst_country="DNK" protocol="TCP" src_port="64563" dst_port="32400" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer v9.7
    Sophos  XG  Certified Architect v18.5
    Homelab: 1 x XGS2100 SFOS v18.5  - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • I found with the DNAT wizard I could setup access to the server from the internet but the server did not respond.

    Also I found that the translated details do not appear in the logviewer until you wave the mouse over the left-hand side symbol, and then it shows whether translated and packets sent and received.

    I will try again with the DNAT wizard.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • You beat me to the post. That is not translating. I will see what I can test.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Same here, thanks, no post hijacking intended.

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer v9.7
    Sophos  XG  Certified Architect v18.5
    Homelab: 1 x XGS2100 SFOS v18.5  - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • Hi Martin,

    A total failure. In my limited understanding of NAT the firewall rule appears to be wrong.

    You want a LAN to WAN rule for the server, then you want the external access then you need the internal people to access it via the external interface and that is not what I am seeing in the DNAT wizard setup.

    My testing is limited at the moment because I deleted the Dyndns entry for my NTP server so there was no incoming traffic. I need to re-create it and start testing again but building my own NAT rules.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Hi,

    Was just on with support; we created a new DNAT rule with the assistant, and this assistant created:

    - FW rule
    - DNAT
    - Reflex NAT
    - Loopback NAT

    As we have seen every time. But what he did was to edit the newly created firewall rule and add the zone (only WAN was there in the beginning) FROM where you ALSO want to access the traffic, in my case LAN, as the server was also on the LAN in my lab.

    And then it worked!!

    Can you try?

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer v9.7
    Sophos  XG  Certified Architect v18.5
    Homelab: 1 x XGS2100 SFOS v18.5  - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • Tricky, undocumented feature.

    Will do later tonight depending on my wife and my exclusive use of the XG.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Yup - no need for an auto-created loopback rule when it's not working :-)

    Better leave the XG behind...

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer v9.7
    Sophos  XG  Certified Architect v18.5
    Homelab: 1 x XGS2100 SFOS v18.5  - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • So far absolutely useless, no traffic at all. Like you my server is only LAN.

    Not only that, the addition made no changes to the NAT rules.

    So in summary a major fail.

    Ian

    I am seeing UDP flood due to the firewall rule failure.

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • So I tested in production today; nothing worked. BUT if I set up a webserver on my laptop and create the rules, everything works.

    When I then create the same rule but point to the org webserver (we were both on DMZ), nothing works, except traffic from outside can pass, but loopback is broken and the log is flooding with:

    messageid="00005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" con_duration="0" fw_rule_id="12" nat_rule_id="9" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="PortE2" in_display_interface="DMZ" out_interface="" out_display_interface="" src_mac="xx:xx:xx:xx:xx:xx" dst_mac="" src_ip="x.x.x.x" src_country="" dst_ip="wanip" dst_country="DNK" protocol="ICMP" icmp_type="12731" icmp_code="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="" dst_zone="" con_direction="" con_event="Interim" con_id="1083932784" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Sophos XG Firewall: How the ICMP error messages works and how to allow or deny it

    Have read this, but the code provided does not make sense; have opened a support case again :-O

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer v9.7
    Sophos  XG  Certified Architect v18.5
    Homelab: 1 x XGS2100 SFOS v18.5  - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

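The two log entries quoted in this thread (the "Appliance Access" Deny at the top and the "ICMP ERROR MESSAGE" entry above) are in the same key="value" format. As an added example that is not from the thread or from Sophos, here is a small Python parser for that format plus a triage of the rule and translation fields that a hairpin NAT needs to show (DNAT of the destination and SNAT of the source so the reply returns through the firewall). The sample lines are constructed with placeholder addresses, and reading empty src_trans_ip/dst_trans_ip as "no translation recorded for this entry" is an assumption.

```python
import re

# Constructed samples in the format quoted in the thread (shortened,
# placeholder addresses). The first mirrors the LAN Deny with no rule
# matched; the second mirrors the DMZ ICMP entry that hit fw rule 12 / NAT rule 9.
DENIED_LINE = ('messageid="02002" log_type="Firewall" log_component="Appliance Access" '
               'log_subtype="Denied" status="Deny" fw_rule_id="N/A" nat_rule_id="0" '
               'ether_type="IPv4 (0x0800)" in_interface="PortE2" in_display_interface="LAN" '
               'src_ip="192.168.1.10" dst_ip="203.0.113.5" protocol="TCP" src_port="64563" '
               'dst_port="32400" src_trans_ip="" dst_trans_ip="" src_zone="" dst_zone=""')
ICMP_LINE = ('messageid="00005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" '
             'log_subtype="Allowed" status="Allow" fw_rule_id="12" nat_rule_id="9" '
             'in_interface="PortE2" in_display_interface="DMZ" src_ip="10.0.0.20" '
             'dst_ip="203.0.113.5" protocol="ICMP" src_trans_ip="" dst_trans_ip="" '
             'src_zone="DMZ" dst_zone=""')

# Values can contain spaces and parentheses (ether_type="IPv4 (0x0800)"),
# so split on the quoted value, never on whitespace.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_line(line: str) -> dict:
    """Turn one key="value" log line into a dict of strings."""
    return dict(FIELD_RE.findall(line))


def triage_hairpin(f: dict) -> str:
    """Classify one entry for an internal client talking to the WAN address.

    A working hairpin needs a firewall rule match, a destination translation
    (DNAT to the server) and a source translation (SNAT to the firewall) so the
    server's reply goes back via the firewall instead of directly to the client.
    Empty trans fields are treated as 'not recorded' (assumption)."""
    if f.get("status") == "Deny" and f.get("fw_rule_id") in ("N/A", "0", ""):
        return "no firewall rule matched: check the source zone on the DNAT's firewall rule"
    if f.get("nat_rule_id", "0") != "0" and not f.get("dst_trans_ip"):
        return "NAT rule matched but no destination translation recorded"
    if f.get("dst_trans_ip") and not f.get("src_trans_ip"):
        return "DNAT only: reply would go direct to the client, loopback SNAT missing"
    if f.get("dst_trans_ip") and f.get("src_trans_ip"):
        return "translated both ways"
    return "no translation"


if __name__ == "__main__":
    for line in (DENIED_LINE, ICMP_LINE):
        fields = parse_sfos_line(line)
        print(fields["in_display_interface"], fields["fw_rule_id"], "->", triage_hairpin(fields))
```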