
Internal servers accessible via subdomain.domain.org from outside LAN, but not inside.

Hi all. I'm running Sophos XG v18 and have been building things out a bit for my home setup, but just recently I hit a snag that I'm having a lot of difficulty figuring out. I've read a lot of guides that suggest this is a common thing and pretty approachable; however, I'm still held up. Unsure if it's a v18 thing, as a lot of results pertain to v17.x, or if it's my lack of understanding (clearly the latter).

I have a wildcard certificate from Let's Encrypt that has been uploaded to Sophos XG. I also have a domain, call it example.org, which is registered, and a DDNS service that keeps that in check. I have several internal services/VMs that I want to make accessible via subdomains, e.g. cctv.example.org, cloud.example.org, etc. In some cases these services run their own local self-signed SSL certificates (in one case I can't even find a way to disable it), so perhaps that's a contributing factor here.

Using the cctv platform as an example here, my process from start to finish is as follows:

1) In System >> Hosts and Services, I created a new IP host. Name = cctv.example.org, IP is the local LAN IP of that server.

2) In Configure >> Network >> DNS >> DNS host entry, I created a new entry where host/domain name is cctv.example.org, entry type manual, IP local LAN IP of that server, TTL 60, Weight 1, Publish to WAN and Reverse DNS lookup both remain unchecked.

3) In Protect >> Web server >> Web servers, I created an entry where name is CCTV and host is cctv.example.org, HTTP, port 8800 (what the CCTV server uses).

4) In Protect >> Rules and policies >> Firewall rules, I created a rule where Action = Protect with web server protection, hosted address = Port2 (WAN), listening port 443, HTTPS checked/HTTP redirect checked, domains = cctv.example.org, Let's Encrypt wildcard cert selected, and the "CCTV" entry selected under Protected servers >> Web servers.

With this in place, from outside the LAN I can hit cctv.example.org and I get immediate access with the assigned Let's Encrypt SSL cert. I don't have to do :8800 or anything of that nature. Works absolutely fantastic and exactly what I wanted. The problem is that from inside the LAN that exact procedure does not yield access. In Chrome, for example, I get "Hmm, can't reach this page. cctv.example.org took too long to respond -- ERR_CONNECTION_TIMED_OUT".

Within Firewall rules >> Add firewall rule, I've also tried "Server access assistant (DNAT)", but it didn't yield any difference in behavior. I've toyed with the NAT rules and MASQ, but the most I've been able to do is take down my entire WAN connection, which prompted a Veeam rollback as I made the mistake of not pulling a Sophos XG backup config prior (I know, I know...).

If I could figure out one of these services I could likely get all of them working, but I'm growing increasingly confused by some of the forum posts I've read. Some folks suggest I just need to set up DNS host entries, which I did, and that seems to work for external access to cctv.example.org, but not inside. I've read about hairpin NAT, but half of the articles folks have linked to that appear to go to Sophos documentation end up 404'ing me. Other folks seem to want to be able to access cctv.example.org but have it entirely redirect/change to internal.ip.of.cctv:8800, whereas I'd like internal and external to just be cctv.example.org 100% of the time.

I'm missing something... and I'm sure it's something obvious... if anybody knows, I would be greatly appreciative!
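Editor's added example, not part of the original post and not Sophos code. The symptom described above (works from the WAN, ERR_CONNECTION_TIMED_OUT from the LAN) is what you see when the inside and outside views of the name disagree: the DNS host entry in step 2 maps cctv.example.org to the backend's own LAN IP, so a LAN client that resolves through the firewall connects straight to the backend on 443, where nothing listens (the backend speaks HTTP on 8800 and the WAF listener in step 4 is bound to Port2/WAN). The script below does what a practitioner would do by hand: resolve the name the way the client sees it, probe the ports a browser and the backend use, and map the inside/outside mismatch to a cause. The resolver and connector are injectable so the logic runs offline on constructed data; the IP addresses, the "hosted on the LAN interface" advice and the hairpin-NAT advice are the editor's assumptions, to be verified against your own XG version.

```python
"""Split-DNS / hairpin diagnosis for a WAF-published hostname.

Added example for this thread (editor's code, not Sophos code). All IPs are
hypothetical. Run as: python diagnose.py cctv.example.org <firewall_lan_ip> <backend_lan_ip>
"""
import socket
import sys
from dataclasses import dataclass


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake completes.

    The browser's ERR_CONNECTION_TIMED_OUT corresponds to this returning False
    with no SYN-ACK ever arriving (nothing listening, or traffic silently dropped).
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Finding:
    resolved_ip: str
    port_open: dict   # port -> bool, as seen from where the check runs
    code: str         # machine-readable cause
    advice: str       # what to change (editor's suggestion)


def diagnose(hostname, firewall_lan_ip, backend_lan_ip, waf_port=443, backend_port=8800,
             resolve=socket.gethostbyname, connect=tcp_connect):
    """Resolve the name from this vantage point, probe both ports, classify the result."""
    ip = resolve(hostname)
    port_open = {p: connect(ip, p) for p in (waf_port, backend_port)}
    waf_ok, backend_ok = port_open[waf_port], port_open[backend_port]

    if ip == backend_lan_ip:
        if waf_ok:
            # The backend runs its own (self-signed) TLS listener, so you get its
            # certificate rather than the wildcard the WAF presents.
            code, advice = "DNS_TO_BACKEND_DIRECT_TLS", (
                f"{hostname} resolves to the backend itself and port {waf_port} answers there: "
                "you are hitting the backend's own certificate, not the WAF.")
        elif backend_ok:
            code, advice = "DNS_TO_BACKEND_NO_TLS_LISTENER", (
                f"The internal DNS host entry maps {hostname} to the backend, which listens on "
                f"{backend_port} and not on {waf_port}; the WAF listener lives on the firewall. "
                f"Point the internal entry at the firewall's LAN IP ({firewall_lan_ip}) and "
                "publish the WAF rule on the LAN interface as well (assumption: XG allows a "
                "second hosted address on LAN).")
        else:
            code, advice = "DNS_TO_BACKEND_UNREACHABLE", (
                "Name resolves to the backend but neither port answers; check the backend host.")
    elif ip == firewall_lan_ip:
        if waf_ok:
            code, advice = "FIREWALL_LAN_LISTENER_OK", (
                "Split DNS is in place and the WAF answers on the LAN interface.")
        else:
            code, advice = "FIREWALL_LAN_NO_LISTENER", (
                f"Name resolves to the firewall's LAN IP but nothing answers on {waf_port}: the "
                "WAF rule is bound to the WAN interface only. Add a rule hosted on the LAN interface.")
    else:
        if waf_ok:
            code, advice = "PUBLIC_IP_OK", (
                "Public address reachable from here (external vantage point, or hairpin NAT works).")
        else:
            code, advice = "PUBLIC_IP_NO_HAIRPIN", (
                "Name resolves to the public address and this client cannot reach it: without "
                "loopback (hairpin) NAT the firewall will not turn LAN-to-WAN-IP traffic around. "
                "Add hairpin NAT, or use split DNS so the LAN resolves to the firewall's LAN IP.")
    return Finding(ip, port_open, code, advice)


if __name__ == "__main__":
    name, fw_ip, be_ip = sys.argv[1:4]
    result = diagnose(name, fw_ip, be_ip)
    print(f"{name} -> {result.resolved_ip}  open={result.port_open}")
    print(f"{result.code}: {result.advice}")
```

Run it once from a LAN client and once from outside (or over a phone's mobile data): the outside run should report PUBLIC_IP_OK; the inside run, with the configuration described in the post, should report DNS_TO_BACKEND_NO_TLS_LISTENER, which tells you the internal DNS entry and the WAF listener are pointing at different hosts.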


