

XG210 NAT Port Forwarding not working

Hello Community,

Hoping for some sort of advice as I'm pulling my hair out with this one. All I want to do is forward UDP 1194 to the NAS 192.168.15.9 to get OpenVPN to work.

Here is the NAT rule. Port3 is the external interface with a public IP from the ISP. 

This is the firewall rule. Right now it's basically "Allow all to all" which is not very safe but even this isn't working. 

When we look at the packets captured, there are entries as below so we know the traffic is hitting the Sophos and the rules are being matched correctly. However, no packets make it to the destination.

Finally, here is the OVPN service definition:

Any help would be greatly appreciated. Thanks!!!



This thread was automatically locked due to age.
  • Hi,

    please try changing your translated source to MASQ.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for your input. We did try this before but it still doesn't work.

    I legitimately don't understand how it can be failing when the log entry shows packet status as "Forwarded". What else could be wrong???

  • Even the policy tester says the traffic should be allowed through...

  • We also tried forwarding other types of traffic to different internal hosts, but the result is always the same, i.e. packets are shown as being forwarded but the connection isn't established.

    We're obviously missing something in the Sophos configs somewhere, just not sure what and where that is. A bit frustrating, considering it's just a simple port forwarding.

  • Your packet capture shows Port3 as the egress port for packets destined to 192.168.15.9 (that's the external port...?)
    Is 192.168.15.0/x a directly connected subnet or do you use internal routing in LAN?
    Do you use some SD-WAN routes?
    Try Diagnostics/Route lookup to check routing for 192.168.15.9 (please post the result)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks Dirk, you helped us to finally solve this.

    192.168.15.1 is the address of the Sophos firewall so that behaviour is really strange.

    There was indeed an SD-WAN route which had Incoming interface, Source networks and Destination networks all set to Any and route via the ISP GW. We changed that to LAN & WAN and boom -- everything is working now.

    I am a bit puzzled as to how Sophos can route its own internal LAN via an external gateway??? Especially since internet access for the internal hosts was always working fine? Oh well, I won't dig into it.

    Thanks again!

  • Yes, SD-WAN routes have a lot of “power”.
    This makes it possible to route a “directly connected” network away.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
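    To make the failure mode in this thread concrete, here is an added illustration (not Sophos code, and the topology, interface names and evaluation order are constructed assumptions): SD-WAN routes are evaluated before the directly connected table, so an Any/Any/Any route via the ISP gateway captures DNATed traffic for the LAN and sends it back out Port3, while a route scoped to LAN-originated traffic leaves the connected route intact. The audit function probes each LAN network the way a port forward would and flags routes that would hijack it.

```python
import ipaddress

# Constructed topology: interface -> directly connected network (assumption, not the OP's exact setup)
CONNECTED = {
    "Port1": ipaddress.ip_network("192.168.15.0/24"),  # LAN, firewall is .1, NAS is .9
    "Port3": ipaddress.ip_network("203.0.113.0/24"),   # WAN (documentation range)
}
WAN_IF = "Port3"

def _covers(scope, value):
    """'Any' matches everything; otherwise scope is an interface name or an ip_network."""
    if scope == "Any":
        return True
    if isinstance(scope, str):
        return scope == value
    return value in scope

def egress_interface(in_if, src, dst, sdwan_routes):
    """Pick the egress interface for a packet after DNAT: SD-WAN routes first
    (top to bottom), then fall back to the directly connected table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(sdwan_routes):
        if _covers(r["in_if"], in_if) and _covers(r["src"], src) and _covers(r["dst"], dst):
            return r["gw_if"], f"sdwan route {idx}"
    for iface, net in CONNECTED.items():
        if dst in net:
            return iface, "directly connected"
    return None, "no route"

def audit_forwarding_paths(sdwan_routes):
    """Flag SD-WAN routes that would pull WAN-originated (port-forwarded) traffic
    for a LAN network away from its connected interface."""
    findings = []
    for iface, net in CONNECTED.items():
        if iface == WAN_IF:
            continue
        probe_dst = str(net.network_address + 9)          # a host like the NAS at .9
        chosen, reason = egress_interface(WAN_IF, "198.51.100.10", probe_dst, sdwan_routes)
        if chosen != iface:
            findings.append((str(net), chosen, reason))
    return findings

# The route as the OP first had it, and a narrowed version (LAN-originated traffic only).
BROAD = [{"in_if": "Any", "src": "Any", "dst": "Any", "gw_if": "Port3"}]
NARROW = [{"in_if": "Port1", "src": CONNECTED["Port1"], "dst": "Any", "gw_if": "Port3"}]

if __name__ == "__main__":
    for name, routes in (("broad", BROAD), ("narrow", NARROW)):
        print(name, egress_interface("Port3", "198.51.100.10", "192.168.15.9", routes),
              audit_forwarding_paths(routes))
```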

  • What I find remarkable is that Route lookup was saying "192.168.15.9 is not behind a router" -- which of course you want to interpret as "I will route to it directly". But you'd be wrong.