

Reflexive rule blocks WAN connection for the host mentioned in that rule

Hi everyone,

After using the DNAT assistant to enable access to my Synology from WAN (https://community.sophos.com/xg-firewall/f/discussions/125700/synology-nas), there are 3 NAT rules that have been created.

The problem right now: My SynologyNAS has no connection to the web anymore when the reflexive rule is enabled. It took me half an eon to figure that out.
Because someone wrote that it might be a problem of the webfilter, I even created an exception for the NAS's IP so it had no filter applied to it, but that didn't help at all.

When I switch the IP of the NAS or the IP of the host in the Hosts and Services list, then it has a connection again. So it definitely has something to do with the host (which is being used in the rules). So I disabled the created NAT rules and tried to enable them rule by rule until it was blocked again. That's why I believe it's this rule's fault.

The rule's content is:

Correct me, if I'm wrong here:
So, if I got it correctly, the point for this rule is to allow the server that has been accessed to send data back to the user.

  1. Why does the firewall block connection when the reflexive rule is enabled?
    Did I mess up the setup? ... I didn't change it manually.
  2. Do I need this rule in any way when my 2nd rule from the bottom says "allow any service LAN to WAN" (the default one)?

Thank you in advance!
I appreciate any help.



  • FormerMember

    Hi 

    Thanks for reaching out to Sophos Community.

    Kindly apply Translated destination (DNAT) as 'Original' in the reflexive rule configuration. As per the current configuration, the reflexive rule has both SNAT and DNAT applied. Hence both the source and the destination address will be translated when SynologyNAS makes requests to ANY (internet).


    Reflexive rules: You can create a mirror NAT rule for destination NAT rules. It reverses the matching criteria of the destination NAT rule (DNAT). For example, create a destination NAT rule to translate incoming traffic to an internal server. The corresponding reflexive rule will allow traffic from the server to the source specified in the destination NAT rule.

    docs.sophos.com/.../NATRules.html
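To make the reply's point concrete, here is an added Python model of first-match NAT evaluation (example code, not from the post or from Sophos). The addresses and the non-Original DNAT value carried by the misconfigured reflexive rule are assumptions; the point is that any destination translation on the reflexive rule rewrites the NAS's outbound traffic, while 'Original' leaves only the source masqueraded.

```python
# Constructed model of a first-match NAT rule set, as an illustration of the reply above.
# Assumed addresses: NAS 192.168.1.10 on the LAN, firewall WAN IP 203.0.113.5,
# and a public host 198.51.100.7 that the NAS wants to reach.
from dataclasses import dataclass

NAS_IP, WAN_IP, PUBLIC_HOST = "192.168.1.10", "203.0.113.5", "198.51.100.7"
ORIGINAL = "Original"  # the value meaning "do not translate this address"


@dataclass
class NatRule:
    name: str
    src: str             # matching criteria: "any" or a single IP
    dst: str
    translated_src: str  # SNAT: ORIGINAL or the replacement address
    translated_dst: str  # DNAT: ORIGINAL or the replacement address


def apply_nat(rules, src, dst):
    """Return (rule_name, translated_src, translated_dst) for the first matching rule."""
    for r in rules:
        if r.src in ("any", src) and r.dst in ("any", dst):
            new_src = src if r.translated_src == ORIGINAL else r.translated_src
            new_dst = dst if r.translated_dst == ORIGINAL else r.translated_dst
            return r.name, new_src, new_dst
    return "no-nat", src, dst


# Inbound DNAT: anyone -> firewall WAN IP is rewritten to anyone -> NAS.
dnat = NatRule("dnat-to-nas", "any", WAN_IP, ORIGINAL, NAS_IP)
# Reflexive rule as described in the thread: SNAT and DNAT both set.
# The DNAT value is an assumption; any non-Original value rewrites the destination.
reflexive_bad = NatRule("reflexive-bad", NAS_IP, "any", WAN_IP, NAS_IP)
# Corrected reflexive rule: DNAT set to Original, so only the source is masqueraded.
reflexive_good = NatRule("reflexive-good", NAS_IP, "any", WAN_IP, ORIGINAL)


def nas_to_internet(reflexive_rule):
    """NAS opens a connection to the public host through the given reflexive rule."""
    return apply_nat([dnat, reflexive_rule], NAS_IP, PUBLIC_HOST)


def public_to_nas():
    """Public host connects to the firewall WAN IP; the DNAT rule forwards it to the NAS."""
    return apply_nat([dnat, reflexive_good], PUBLIC_HOST, WAN_IP)
```

With the misconfigured rule the NAS's outbound packets end up addressed back to the NAS itself and never reach the internet; with DNAT set to 'Original' they leave with the WAN IP as source and the real destination intact.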