

Loopback rule uses wrong interface?

Hi,

I have configured DNAT rules to our internal web server according to the documentation https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html, and functionally identical to what is described in "Loopback Rules Don't Work".

However, I cannot access the web server from within the LAN.

The configuration is:

Sophos XG210 (SFOS 19.0.1 MR-1-Build365)

Interfaces:

Firewall rules:

NAT rules:

Now this is what happens:

It works from the internet ...

But it fails from the LAN ...

Why is it using the WAN interface (Port1.101) as the out interface here?

In both cases the translated destination is the local IP 192.168.50.132. So I assume, in both cases, the out interface should be the LAN interface (Port1).

What's wrong with my configuration? Am I missing something?

Best regards,

Stefan



  • Hi,

    Thanks for reaching out to Sophos Community and hope you are well.

    You only created a NAT loopback rule (U-turn NAT, hairpin NAT, etc.), so it means traffic going to that specific server must come via the WAN IP of the server, even if it is coming from the LAN zone.

    Traffic from LAN would look like this, just as the logs would say: LAN -> WAN IP of server -> DNATed to internal IP of server. (This is how loopback/U-turn is supposed to work, so the use case is achieved in this scenario.)

    If you want to have direct LAN -> server traffic without using loopback, you need to create a FW rule from LAN -> specified zone and network/IP of the server, placed above the "TEST-2" FW rule.

    Basically, the TEST-2 FW rule uses the loopback NAT rules, so you can see it traverses the WAN IP/interface as per the logs (uses Port1.101).

    Kindly try the mentioned steps above, and kindly let us know how it goes. 

    Thank you for choosing Sophos and have a nice day.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I have another guess. 

    NAT will not change the route. 

    I assume you have an SD-WAN route in place, or another route, which changes the interface route the appliance will take.

    This means: SFOS will change the traffic, but NAT will not change the route / outbound interface.

    Check your SD-WAN routes to see if you have something like "Internetv4" in place. If so, this will likely change the route to your WAN interface and send the traffic out. Because everything else looks fine.


  • I have another guess. 

    NAT will not change the route. 

    I assume, you have a SD-WAN route in place

    That was it!

    We have several SD-WAN routes, and the last one is sort of a catch-all rule with destination internet IPv4 group, routing through the WAN interface.

    I solved the issue by adding an additional penultimate SD-WAN route which acts as an exception rule for the web server's external IP, routing through the LAN interface.

    Thanks a lot, LuCar Toni!
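The two replies above make one point that is easy to miss when reading firewall logs: DNAT rewrites the destination, but an SD-WAN policy route decides the outbound interface, and in this thread it evidently matched on the original (pre-NAT) destination, since an exception route for the server's external IP fixed it. The following is an added illustration, not part of the thread and not Sophos code: a small first-match model of SD-WAN route evaluation that reproduces both the symptom (LAN client sent out Port1.101) and the fix (a more specific route inserted before the catch-all). The public IP 203.0.113.10, the zone names and the "Internet IPv4" group modelled as "anything outside RFC 1918" are constructed assumptions; 192.168.50.132, Port1 and Port1.101 come from the thread.

```python
"""Model of first-match SD-WAN policy routing versus DNAT (constructed example).

Assumption taken from the thread's outcome: policy routes are matched on the
ORIGINAL destination (the server's public IP), not on the DNAT-translated one.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

IPv4 = ipaddress.IPv4Address

# Interfaces and addresses as in the thread; the public IP is a placeholder.
WAN_IF, LAN_IF = "Port1.101", "Port1"
LAN_NET = ipaddress.ip_network("192.168.50.0/24")
SERVER_PUBLIC = IPv4("203.0.113.10")      # constructed placeholder public IP
SERVER_INTERNAL = IPv4("192.168.50.132")  # DNAT target from the thread

# Stand-in for the "Internet IPv4" group: everything outside RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internet_v4(dst: IPv4) -> bool:
    return not any(dst in net for net in RFC1918)


def host(addr: str) -> Callable[[IPv4], bool]:
    """Matcher for a single host address (the hairpin exception)."""
    target = IPv4(addr)
    return lambda dst: dst == target


@dataclass
class SdwanRoute:
    name: str
    src_zone: str                       # zone the packet arrived from
    dst_match: Callable[[IPv4], bool]   # predicate on the pre-DNAT destination
    out_interface: str


def connected_route(dst: IPv4) -> str:
    """Plain routing-table fallback used when no SD-WAN route matches.
    Only the connected LAN network and a default route via WAN are modelled."""
    return LAN_IF if dst in LAN_NET else WAN_IF


def select_out_interface(routes: List[SdwanRoute], src_zone: str,
                         original_dst: IPv4, translated_dst: IPv4) -> Tuple[str, str]:
    """Return (out_interface, reason). SD-WAN routes are first-match, evaluated
    top to bottom on the original destination; the routing table (which sees the
    translated destination) is consulted only if none matches."""
    for r in routes:
        if r.src_zone == src_zone and r.dst_match(original_dst):
            return r.out_interface, r.name
    return connected_route(translated_dst), "routing table"


def shadowed_routes(routes: List[SdwanRoute], src_zone: str, dst: IPv4) -> List[str]:
    """Defender's sanity check: names of routes that would match this flow but
    sit below an earlier matching route, i.e. an exception placed too low."""
    hits = [r.name for r in routes if r.src_zone == src_zone and r.dst_match(dst)]
    return hits[1:]


def insert_before(routes: List[SdwanRoute], new: SdwanRoute, before_name: str) -> List[SdwanRoute]:
    """Place `new` immediately above the route called `before_name` (the
    'penultimate' position described in the thread)."""
    idx = next(i for i, r in enumerate(routes) if r.name == before_name)
    return routes[:idx] + [new] + routes[idx:]


def trace(routes: List[SdwanRoute]) -> Dict[str, str]:
    """Out interface chosen for the two clients discussed in the thread."""
    return {
        "internet_client": select_out_interface(routes, "WAN", SERVER_PUBLIC, SERVER_INTERNAL)[0],
        "lan_client": select_out_interface(routes, "LAN", SERVER_PUBLIC, SERVER_INTERNAL)[0],
    }


# The catch-all that caused the symptom: LAN -> Internet IPv4 via the WAN interface.
CATCH_ALL = SdwanRoute("Internet catch-all", "LAN", internet_v4, WAN_IF)
ROUTES_BEFORE = [CATCH_ALL]

# The fix: a host-specific exception for the server's external IP, routed via LAN,
# inserted above the catch-all so that first-match picks it.
EXCEPTION = SdwanRoute("Web server hairpin exception", "LAN", host(str(SERVER_PUBLIC)), LAN_IF)
ROUTES_AFTER = insert_before(ROUTES_BEFORE, EXCEPTION, "Internet catch-all")

if __name__ == "__main__":
    print("before:", trace(ROUTES_BEFORE))   # lan_client leaves via Port1.101
    print("after: ", trace(ROUTES_AFTER))    # lan_client leaves via Port1
    wrong_order = ROUTES_BEFORE + [EXCEPTION]
    print("shadowed if placed last:", shadowed_routes(wrong_order, "LAN", SERVER_PUBLIC))
```

`shadowed_routes` is the check to run after adding such an exception: if it lists the new route for the server's public IP, the route is below the catch-all and will never be used, which looks in the logs exactly like the original problem.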