
Port Forwarding, why do some rules work and others not??

Hi,


I currently have a Watchguard XTM 22 series with no security bundles, just running in standard Firewall mode. Rules on that are dead easy to set up and just tend to work.

Now the reason I am trying out other software is that I could do with some hardware that can handle higher throughput across subnets and, of course, the ability to do forms of scanning and web filtering.

I was trying out pfSense, which worked okay but I still couldn't get Bacula to work through it (same issue I am having with Sophos XG). And Sophos caught my eye with all of its filtering features.

I have found that all of my rules that go to things such as Plex and my Synology work fine, but when I set them up exactly the same to forward ports for Bacula - my backups just won't run.


Here is an image of my current rules, the IP in Source refers to my #Port 1 as I have a Dynamic IP. I have marked which ones work and which ones don't (even though some traffic hits BACULA-SD slightly). I have also tried these with Any Zone but that did not work.

Is anyone backing up remote servers with Bacula?

Any help is greatly appreciated



  • I have tried WAN as well as Any Host. Both to no avail.

    The internal IP address of my firewall is 192.168.8.254


    I am yet to introduce any additional subnets until I am sure the simplest of firewall rules work... I have not even touched on any form of detection or filtering yet as I want to get the crucial thing working before I decide to use this product full time at home - that being NAT.


    I don't understand how the rules for my Synology's Web UI and Gitlab work absolutely fine, whereas when it comes to doing the Bacula rules they just refuse to work.

  • Matt,

    can you post one rule that works and one that does not?
    Is the masquerading active?

    Luk
  • Apologies for the slight delay, have to keep switching back to my Watchguard to keep the backups running! Here are the screenshots as requested.


    Working one below along with shorthand (HTTPS into my Synology's Interface)

    The rule for Bacula that does not work:

    And yeah Plex port will be changed at some point :)

  • Matt,
    you should enable rewrite source address in order to NAT external IP to internal. Are you sure that HTTPS is working correctly?

    Luk
  • Yeah, the HTTPS is working absolutely fine to the Synology, and so is the Plex rule - unable to access them via their external IP from the LAN, but I can when I am on an external network. I haven't used the 'Rewrite source address (masquerading)' at all.

    I will change the hard drive in the server again in a couple hours and give that option a go. Going to let the rest of the family have non internet disturbance for a bit :P

    Cheers
  • I enabled the option:

    I also applied this to the HTTPS and Plex rules and they were both fine.


    I ran a backup from Bacula again but it just gets stuck at the same place (all storage in configs points to local 192.168.8.12):


    Traffic hits the rule like it was before but the backups just will not run, it's like it is sending traffic out but not allowing any in:


    I have a Dynamic IP address too btw.

  • What do the logs say?

    Security logs I mean.

    Luk
  • I don't have rewrite source address enabled on my port forwarding rules and they work just fine? What does it actually do?
  • Physik,

    rewrite source address is happening automatically. The rewrite source address option is a little bit confusing.
    With or without, it works! For Bacula, if you try a telnet from external, do you reach the external IP? I mean
    telnet publicip 9101?

    Does Bacula use XG as the default gateway?

    Luk
  • Did you try setting MASQ instead of NAT? Without reading deeply into your problem, most of the guides I've seen in my limited 1 week with this firewall seem to say to use masquerade. From what I've read NAT is actually better performance, but this firewall seems very buggy, so sometimes it's best to just try what works for others, I'd say.


    So far, I wish I was back on IPCop, but that doesn't have the same level of protection. Hopefully patches are coming.
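One check worth making alongside the firewall rules, as an added example that is not from the thread or from Bacula's own tooling: the Bacula Director hands each File Daemon the Address from the matching Storage resource in bacula-dir.conf, and the FD then connects to the Storage Daemon at that address (default SDPort 9103). If that Address is a LAN IP, a remote client can never reach the SD no matter how the port forward is configured. The config fragment below is constructed (the resource names and the hostname are made up; the private IP mirrors the one the poster said all storage points to), and the checker flags Storage resources that carry a private or loopback address.

```python
import ipaddress
import re

# Constructed bacula-dir.conf fragment for illustration; not a real config.
SAMPLE_DIR_CONF = """
Storage {
  Name = File1
  Address = 192.168.8.12
  SDPort = 9103
  Device = FileStorage
  Media Type = File
}
Storage {
  Name = OffsiteOK
  Address = backup.example.invalid
  SDPort = 9103
  Device = FileStorage2
  Media Type = File
}
"""

# Each Storage { ... } block and the "Key = value" directives inside it.
_BLOCK = re.compile(r"Storage\s*\{(.*?)\}", re.S | re.I)
_DIRECTIVE = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(\S+)", re.M)


def parse_storage_resources(conf):
    """Return [{name, address, port}] for every Storage resource in conf."""
    resources = []
    for body in _BLOCK.findall(conf):
        fields = {k.strip().lower(): v for k, v in _DIRECTIVE.findall(body)}
        resources.append({
            "name": fields.get("name"),
            "address": fields.get("address"),
            "port": int(fields.get("sdport", 9103)),  # Bacula's SD default
        })
    return resources


def unreachable_from_outside(resources):
    """Names of Storage resources whose Address is a private or loopback IP.

    A remote File Daemon is told this address by the Director and connects
    to it directly, so a LAN IP here bypasses the port forward entirely."""
    flagged = []
    for r in resources:
        try:
            ip = ipaddress.ip_address(r["address"])
        except ValueError:
            continue  # hostname: may resolve to the public address, leave it
        if ip.is_private or ip.is_loopback:
            flagged.append(r["name"])
    return flagged
```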