
Web Server on VLAN

Hello Everyone,

I am having a little configuration issue with my web server on a VLAN. All my VLANs have internet access but I can't seem to access my web server from outside my network. Can anyone post an example firewall rule from Public IP to VLAN please?

Thanks

Mark

  • Are there any online resources anywhere for what I am trying to do specifically? I am trying everything and it is still not working, I have looked but I could not find anything specific to what I am trying to do.

  • There is either a problem with your rule or your isp blocks the port. One other item, the server might not like the external addresses, check whether the server has a valid list of allowed networks?
    ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • My ISP does not block any ports, I currently have a pfsense firewall setup and everything works on that. I wanted to upgrade from pfsense to Sophos Firewall due to features etc. As I am new to Sophos Firewall I may need to view some tutorials etc as the setup assistant cannot get the incoming traffic onto the specified VLAN. I am sure I am missing something but unless I see the steps of what is missing I am at a loss. I have also followed the documentation links on this post and still nothing. Outgoing traffic works fine on the server and internet access it is just incoming traffic to the VLAN and Webserver which I am struggling with.

  • Please check and verify the traffic flow under MONITOR & ANALYZE || Diagnostics || Packet Capture, passing through the same firewall rules, with the help of tcpdump and drop-packet capture to investigate the issue.

    Please share the output so we can assist you.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • So, I think I am missing something here when it comes to the Sophos Setup Assistant for DNAT. When I launch it, I get prompted for the Internet IP of the Webserver which I added under Hosts and Services. I then get asked for the Public IP which again I added via Hosts and Services. Then services to allow and who externally can access these internal services which is any.

    It creates the DNAT with loopback and reflexive rules, including an incoming firewall rule. My issue is that I am not defining, when the incoming traffic hits the LAN, that it then gets filtered to the specific VLAN with that static IP. There is clearly a step missing here, as the switch has three VLANs, and unless the incoming traffic knows which VLAN to look for it won’t pass the traffic.

    I added the Webserver VLAN #Port1.40 to the DMZ zone, but it did not make much of a difference. So, based on this, can someone explain if I have missed a step with routing the traffic? I saw somewhere that someone bridged the ports and added a static route, but I am not sure if this is needed.

  • Please find below screenshots of rules

  • Tcpdump and drop-packet capture will help you understand whether traffic is passing or not.

    "Sophos Partner: Networkkings Pvt Ltd".


  • Logs

    As you can see from these logs, those highlighted in green are the allowed ones matching from my web server VLAN; I just need to do the reverse to match on the incoming side. I have attached the Google Doc link below.

  • By looking into the traffic with tcpdump, we have updated the DNAT rule: Inbound Interface as ANY and Outbound Interface as the VLAN. The website started working.

    "Sophos Partner: Networkkings Pvt Ltd".

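The capture advice earlier in the thread and the final DNAT fix both come down to one question: does a connection that arrives on the WAN interface for the public IP leave the firewall again on the VLAN sub-interface (Port1.40) with the server's address as destination, and does the server answer? The script below is an added example for reading such a capture; it is not from the thread or from Sophos. It assumes the per-interface line format that the SFOS console tcpdump prints ("Port2, IN: IP a.b.c.d.port > e.f.g.h.port: Flags [S]"), that Port2 is the WAN interface, and uses placeholder addresses (203.0.113.10 as the public IP, 10.40.0.20 as the web server, 198.51.100.7 as an outside client). The sample capture is constructed to show the three outcomes a defender looks for: translated and answered, arrived but never forwarded (DNAT or firewall rule not matching), and forwarded but unanswered (server or VLAN gateway problem).

```python
import re
from typing import Dict, List, NamedTuple

# Assumed line format of the Sophos console tcpdump: "<iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
LINE_RE = re.compile(
    r"^(?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (placeholder addresses, not real traffic).
SAMPLE_CAPTURE = """\
Port2, IN: IP 198.51.100.7.51000 > 203.0.113.10.80: Flags [S]
Port1.40, OUT: IP 198.51.100.7.51000 > 10.40.0.20.80: Flags [S]
Port1.40, IN: IP 10.40.0.20.80 > 198.51.100.7.51000: Flags [S.]
Port2, OUT: IP 203.0.113.10.80 > 198.51.100.7.51000: Flags [S.]
Port2, IN: IP 198.51.100.7.51001 > 203.0.113.10.443: Flags [S]
Port2, IN: IP 198.51.100.7.51002 > 203.0.113.10.8080: Flags [S]
Port1.40, OUT: IP 198.51.100.7.51002 > 10.40.0.20.8080: Flags [S]
"""

VERDICT_OK = "ok: translated to the VLAN and answered by the server"
VERDICT_NOT_FORWARDED = "arrived on WAN but never left on the VLAN interface: DNAT/firewall rule not matching"
VERDICT_NO_REPLY = "forwarded to the VLAN but no reply: server, host firewall or VLAN gateway issue"


class Packet(NamedTuple):
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text: str) -> List[Packet]:
    """Turn capture text into Packet records, skipping lines that are not TCP packet lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(m["iface"], m["dir"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["flags"]))
    return packets


def check_dnat_flows(packets: List[Packet], wan_iface: str, public_ip: str,
                     vlan_iface: str, server_ip: str) -> Dict[str, str]:
    """For every inbound SYN to the public IP on the WAN, report whether the
    translated SYN left on the VLAN interface and whether the server replied."""
    verdicts: Dict[str, str] = {}
    for p in packets:
        is_inbound_syn = (p.iface == wan_iface and p.direction == "IN"
                          and p.dst == public_ip and p.flags == "S")
        if not is_inbound_syn:
            continue
        flow = f"{p.src}:{p.sport}->{public_ip}:{p.dport}"
        # The DNAT'd copy keeps the client's source but carries the server as destination.
        forwarded = any(
            q.iface == vlan_iface and q.direction == "OUT" and q.src == p.src
            and q.sport == p.sport and q.dst == server_ip and q.dport == p.dport
            and q.flags == "S"
            for q in packets)
        # A reply comes back IN on the VLAN interface from the server's port to the client.
        replied = any(
            q.iface == vlan_iface and q.direction == "IN" and q.src == server_ip
            and q.sport == p.dport and q.dst == p.src and q.dport == p.sport
            for q in packets)
        if not forwarded:
            verdicts[flow] = VERDICT_NOT_FORWARDED
        elif not replied:
            verdicts[flow] = VERDICT_NO_REPLY
        else:
            verdicts[flow] = VERDICT_OK
    return verdicts


def run_sample() -> Dict[str, str]:
    """Analyse the constructed sample with the assumed interfaces and addresses."""
    return check_dnat_flows(parse_capture(SAMPLE_CAPTURE), "Port2", "203.0.113.10",
                            "Port1.40", "10.40.0.20")


if __name__ == "__main__":
    for flow, verdict in run_sample().items():
        print(f"{flow}: {verdict}")
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the saved console output and the interface and address arguments with your own; a flow that lands in the "never left on the VLAN interface" bucket is exactly the symptom this thread had, and the fix was widening the DNAT rule's inbound interface and pointing its outbound interface at the VLAN.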