
Issues while creating a hairpin NAT

Hi folks,

Another post on my issues about creating a firewall hairpin NAT rule.

I have an NTP server on my network and I want devices to use it as a reference time source. I know the device works when I change network devices to query it for time, they update correctly.

When I built my own firewall rule using a linked NAT rule there were lots of queries to the rule but nothing was returned.

So, I have decided to use the XG "build a server access rule" wizard.

I think one of the questions in the create wizard is wrong.

It asks for the external source networks and devices, but never asks for the internal networks. You can add your internal networks which I did.

Next issue is the reflexive rule automatically created does not use the required service as entered in previous pages, just uses ANY which allows all traffic to bypass the specific NAT and linked NAT rules. Again you can change it to the required service.

Next issue is the created firewall rule appears to be wrong.

Destination zone is LAN but the destination network is the external interface which is a WAN zone.

The result is the rule does not work.

I have tried creating an FQDN for the external internal access to the NTP, but there is nowhere to add it to the rule, along with a number of other issues when trying to add another external URL for the same address; the XG does not like it.

Please advise what is required to make the hairpin NAT work. I have read the KBA and followed that document and ended up with the above issues.

Ian




  • Hello rfcat_vk,

    Thank you for contacting the Sophos Community!

    Can you do a packet capture on the GUI, to see if the traffic is arriving and then what rule is being processed?

    As per the Firewall rule, I used the Wizard and got the correct WAN to WAN.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Hi EmmoSophos.

    None of the internal devices hit the firewall rules. Logviewer only shows the NTP server using the IPv6 rule allowing it out and one dumb device that breaks the country rules when it can't connect to the NTP server.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Tricky, undocumented feature.

    Will do later tonight depending on my wife and my exclusive use of the XG.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Yup - no need for an auto-created loopback rule, when it's not working :-)

    Better leave the XG behind......

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • So far absolutely useless, no traffic at all. Like you my server is only LAN.

    Not only that, the addition made no changes to the NAT rules.

    So in summary a major fail.

    Ian

    I am seeing UDP flood due to the firewall rule failure.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • So I tested in production today, nothing worked. BUT if I set up a webserver on my laptop, create the rules, everything works.

    When I then create the same rule, but point to the org webserver (we were on DMZ, both of us), nothing works, except traffic from outside can pass, but loopback is broken and the log is flooding with:

    messageid="00005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" con_duration="0" fw_rule_id="12" nat_rule_id="9" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="PortE2" in_display_interface="DMZ" out_interface="" out_display_interface="" src_mac="xx:xx:xx:xx:xx:xx" dst_mac="" src_ip="x.x.x.x" src_country="" dst_ip="wanip" dst_country="DNK" protocol="ICMP" icmp_type="12731" icmp_code="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="" dst_zone="" con_direction="" con_event="Interim" con_id="1083932784" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Sophos XG Firewall: How the ICMP error messages works and how to allow or deny it

    Have read this, but the code provided does not make sense, have opened a support case again :-O

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • I gave up, hairpin NAT internal to internal does not work from what I can see in the logs.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Got it working, but it's very complex I think.

    The DNAT assistant cannot solve this.

    Regarding NTP service see this workaround:

    Sophos XG: XG as NTP server – workaround – martinsblog.dk

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Hi Martin,

    Thank you for the link. The fix assumes you can change the various network devices' NTP server setting; what I am trying to achieve involves redirecting NTP requests to the internal NTP server.

    I am trying to work out some logical way of achieving this, but so far XG fails.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Did this, it's easy but you have to follow certain points:

    Create a NAT Rule with:

    Source: Your internal Network
    Translated Source: MASQ 

    Destination: ANY
    Translated Destination: Your Internal Server

    Service: NTP

    Firewall:
    Source: All Zones, you selected in NAT
    Destination Zone: (Try first ANY to Test it, after successful tests, change it to your specifics, like WAN Zone or internal Zones etc.). 
    Service: NTP 

    This should cover all the traffic and redirect it to the NTP Server in a transparent manner. 

    You need a firewall rule + NAT rule, created on your own.

    __________________________________________________________________________________________________________________

  • Hi Lucar,

    There is a flaw with that setup, the NTP server will never update, just loop on itself. The NAT rule needs to be linked and that is where I failed last time. I will try again.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • I tried setting up the firewall for the devices to access the NTP server with your recommended NAT and set up a firewall rule to allow the NTP server access to the internet using the default NAT rule used for general access.

    The only rule that carried traffic was the NAT and that does not get recorded in logviewer even though you can select NAT rule.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • No, you don't need a linked NAT rule. Instead you need a simple NTP Server to WAN NAT rule on top.

  • Hi Lucar,

    Working with Prism, I finally got it working and the result does not look like your suggestion.

    I have asked Prism to write up his solution as a KBA.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Hopefully this helps someone in the Future.

    NAT on Sophos XG has some really weird issues; the one that got me confused for days is the issue below.

    When you create a NAT Policy to Redirect all traffic to a new Destination, the Zone in which the Firewall handles the Outgoing traffic will change.

    First, look at this picture:

    If you look closely at it, you will realize what happened within the Firewall when I tried to redirect all Outgoing NTP Traffic to an Internal NTP Server.

    The IPv4 addresses that my internal machine is communicating with are meant to go to the "WAN" Zone, but instead the Firewall is treating them as the "Server" Zone, which is the Local Zone where my NTP Server is located - and the same one where my NAT Policy is sending all traffic.

    Here's my NAT Policy:

    If you ever create a NAT Policy which Redirects any Outgoing Traffic to a Local Server, be aware you will also need to create a Firewall Rule which gets applied to the same Zone where the traffic is being redirected. (But not only that.)

    Now we get to the second issue. Normally you would create a Firewall Rule like this, since you only want to allow traffic to go to your local server and nowhere else:

    This is the Firewall Rule you're expected to create; but it doesn't work.

    Before the NAT gets applied to the Traffic, the Zone of the Outgoing traffic has already changed, making the Firewall drop all Outgoing Traffic since it won't match the "WAN" Zone anymore.

    This is primarily an unnoticed issue, since the default Drop rule of the Firewall has no logging enabled.

    In which case, you will need to use "Any" as your Destination Network, since as you can see in the Log Viewer above, the Traffic is not being sent to the "WAN" Zone anymore, but is being sent to the "Server" Zone.

    By creating a Rule like this: (With your Local Zone.)

    Your NAT Policy which Redirects Outgoing Traffic to an Internal server will finally work.

    And the reason why the "Destination Networks" is "Any" is because the Firewall doesn't treat that traffic (Outgoing Traffic) as the "WAN" Zone anymore, and since there's no other Policy allowing those "WAN" IPv4 Addresses for your local Zone (which in my case is the "Server" Zone), the traffic will be dropped.

    By using "Any", all traffic gets accepted by the Firewall Rule and then after it, the NAT Engine picks it up and sends the Traffic to the correct Destination from the NAT Policy.

    EDIT: Finishing up, you will need a Secondary NAT Policy - on top of the NAT Policy which is redirecting the Traffic; this Secondary Policy should be created to make the NTP Server bypass the Redirect and allow it access to the Internet.

    Here's an example of how it should look:

    Again, hopefully this helps someone in the future; also if someone can rewrite all of this in a better manner, I would be very thankful for it.



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
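The following is an added example, not code from this thread or from Sophos: a small Python model of the rule interaction Lucar's rule set and Prism's explanation above describe. It assumes, as the thread reports, that the firewall rule is matched against the zone of the translated destination and that the first matching NAT rule wins top to bottom; the addresses and rule names are constructed.

```python
# Added example (not from the thread): model of the XG NAT/firewall interaction
# described above. Assumption taken from the thread: the firewall rule is
# evaluated against the zone of the *translated* destination, and NAT rules
# are matched first-wins, top to bottom.
from ipaddress import ip_address, ip_network

# Constructed sample addressing; anything outside these zones counts as "WAN".
ZONES = {"LAN": ip_network("192.168.1.0/24"), "Server": ip_network("10.0.0.0/24")}
NTP_SERVER, NTP_PORT = "10.0.0.5", 123
INTERNET_NTP = "203.0.113.10"   # constructed public NTP address (TEST-NET-3)

def zone_of(ip):
    return next((z for z, n in ZONES.items() if ip_address(ip) in n), "WAN")

# NAT rule: (name, source zones, exact source IP or None, port or None, DNAT target or None)
NAT_BYPASS = ("ntp-server-out", {"Server"}, NTP_SERVER, NTP_PORT, None)  # plain MASQ, no DNAT
NAT_REDIRECT = ("ntp-redirect", {"LAN", "Server"}, None, NTP_PORT, NTP_SERVER)
# Firewall rule: (name, source zone, destination zone or None=Any, port or None=Any)
FW_WAN_ONLY = ("ntp-to-wan", "LAN", "WAN", NTP_PORT)     # the rule you would expect to write
FW_ANY_DST = ("ntp-any-dst", "LAN", None, NTP_PORT)      # destination zone "Any"
FW_SERVER_OUT = ("server-to-wan", "Server", "WAN", NTP_PORT)

def process(nat_rules, fw_rules, src, dst, dport):
    """Return (verdict, matched firewall rule, final destination) for one packet."""
    nat = next((r for r in nat_rules
                if zone_of(src) in r[1] and r[2] in (None, src) and r[3] in (None, dport)), None)
    final_dst = nat[4] if nat and nat[4] else dst
    dst_zone = zone_of(final_dst)            # zone decided after translation
    for name, szone, dzone, port in fw_rules:
        if szone == zone_of(src) and dzone in (None, dst_zone) and port in (None, dport):
            return ("ALLOW", name, final_dst)
    return ("DROP", "default", final_dst)    # default drop rule: not logged by default

# Scenario 1: the "expected" rule (destination zone WAN) silently drops redirected LAN clients.
def lan_client_with_wan_rule():
    return process([NAT_REDIRECT], [FW_WAN_ONLY], "192.168.1.20", INTERNET_NTP, NTP_PORT)

# Scenario 2: destination "Any" matches the post-NAT Server zone, so the redirect works.
def lan_client_with_any_rule():
    return process([NAT_REDIRECT], [FW_ANY_DST], "192.168.1.20", INTERNET_NTP, NTP_PORT)

# Scenario 3: without a bypass rule the NTP server's own queries are redirected to itself.
def server_without_bypass():
    return process([NAT_REDIRECT], [FW_SERVER_OUT], NTP_SERVER, INTERNET_NTP, NTP_PORT)

# Scenario 4: a plain SNAT rule for the server placed above the redirect breaks the loop.
def server_with_bypass():
    return process([NAT_BYPASS, NAT_REDIRECT], [FW_SERVER_OUT], NTP_SERVER, INTERNET_NTP, NTP_PORT)
```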

  • Looking at your solution, shouldn't the Server still loop itself with NTP?

  • Hi Lucar,

    No, because the server NAT rule is at the top. Works well.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Oh, you have a Server SNAT Rule? Ok, that's what I suggested.

  • It was getting late when I posted this here, and I forgot to talk about the creation of the secondary NAT Policy which allows the NTP Server to bypass the Redirect NAT Policy. (Access to the Internet.)

    I will write about this later, thanks for reminding me!



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall