Resolved: Old grumpy admin's fault. NAT Counter not working as expected

I have a NAT rule as shown below

The rule works as expected but the NAT counter is not working using this configuration. If I change the source to ANY or explicitly as my workstation's IP, everything works as expected.


Related to https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115813/port-renaming-not-implemented-system-wide/417298#417298 .

What's the point of having zones and port names if the firewall/NAT rules consider port1 as physical port1 on the firewall and not LAN or the LAN zone?


Regards

Bill

  • Source NAT is not your interface. 

    What do you want to achieve with your rule? 

    #PortX is the Interface itself. 

    So basically why should the Interface itself generate traffic? 

    If you want to select traffic coming from / going to an interface, please use the Interface Matching criteria at the bottom of the Rule. 

  • Yeah, you are right, port1 is not my source, but the rule works so....

  • If the counter does not hit, maybe some other NAT rule will hit (first match). 

    Linked NAT rules can also match. So I would guess that, if the Source is incorrect, some other NAT rule in your table will pick up the traffic. 

    Check the Log Viewer - there should be an indicator for the matching NAT rule. 

  • I don't have any other NAT rules for natting DNS. This is the only one. My DNS traffic wouldn't be natted by any other predefined rule.

    XG is not my edge firewall in my lab setting. You may be right that my edge firewall may be redirecting.

    Sorry for the bogus report.

    Regards

    Bill

  • Can you show us the matching Log Viewer and the NAT Policy window? 


    Another point is, what do you want to achieve with this Rule? You want to redirect DNS Traffic going through XG to the XG Interface - correct? 

    I tried this in my setup, and it works fine with the counter. 

    If I select the wrong host (for example #Port), it does not work, it simply does not tick. But the Traffic does not get redirected either. 

    The question is, which testing did you do? Tcpdump? Can you show us your dump? 

  • Like I said, XG is not my edge firewall, so my edge firewall was catching some of my DNS queries and I thought it was XG. Sorry for not checking the logs.

    What I wanted to accomplish was to have XG reply to any DNS query in my LAN segment no matter what I choose for the DNS server on the client. This is already possible with UTM and other firewalls, obviously, but XG was not capable of this before v18. 

    Sorry again for not double checking the logs before submitting the report. Totally forgot about my edge firewall.
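The two points the thread turns on (a NAT table is first-match, so a rule whose source is the interface's own address never ticks while another rule may silently pick the traffic up, and the goal of redirecting every LAN DNS query to the firewall) are modelled below as an added example. This is illustrative code written for this page, not Sophos SFOS code, and the addressing (XG's LAN interface Port1 at 192.168.10.1/24, a workstation at 192.168.10.50), the interface and rule names, and the rule fields are all assumptions.

```python
"""Added example (not SFOS code): a first-match NAT table with hit counters,
modelled on the DNS-redirect rule discussed in this thread."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Assumed lab addressing: the firewall's LAN interface (#Port1) is 192.168.10.1/24.
FW_LAN_IP = ipaddress.ip_address("192.168.10.1")
FW_LAN_HOST = ipaddress.ip_network("192.168.10.1/32")
LAN_NET = ipaddress.ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str          # "udp" or "tcp"
    dport: int


@dataclass
class NatRule:
    name: str
    src_nets: tuple       # packet src must fall inside one of these networks
    dst_nets: tuple
    protos: frozenset
    dports: frozenset     # empty set = any destination port
    in_ifaces: frozenset  # empty set = any ingress interface
    dnat_to: Optional[ipaddress.IPv4Address]  # None = match, but do not translate
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        return (any(pkt.src in n for n in self.src_nets)
                and any(pkt.dst in n for n in self.dst_nets)
                and pkt.proto in self.protos
                and (not self.dports or pkt.dport in self.dports)
                and (not self.in_ifaces or pkt.in_iface in self.in_ifaces))


class NatTable:
    """Ordered rule list: the first matching rule wins and only that rule is counted."""

    def __init__(self, rules):
        self.rules = list(rules)

    def apply(self, pkt: Packet):
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                if rule.dnat_to is not None:
                    pkt = replace(pkt, dst=rule.dnat_to)
                return rule.name, pkt
        return None, pkt  # nothing matched: the packet leaves untranslated

    def counters(self):
        return {r.name: r.hits for r in self.rules}


def dns_redirect_rule(name: str, src_nets: tuple) -> NatRule:
    # DNAT any DNS request arriving on Port1 to the firewall's own LAN address.
    return NatRule(name, src_nets, (ANY,), frozenset({"udp", "tcp"}),
                   frozenset({53}), frozenset({"Port1"}), FW_LAN_IP)


def build_table(use_interface_as_source: bool) -> NatTable:
    # Queries already addressed to the firewall need no translation; putting this
    # rule first keeps the redirect counter honest.
    passthrough = NatRule("dns-to-firewall", (LAN_NET,), (FW_LAN_HOST,),
                          frozenset({"udp", "tcp"}), frozenset({53}), frozenset(), None)
    # The mistake from the thread: "#Port1" as the source means the interface's own
    # address, which client packets never carry. The correct source is the LAN network.
    src = (FW_LAN_HOST,) if use_interface_as_source else (LAN_NET,)
    return NatTable([passthrough, dns_redirect_rule("dns-redirect", src)])


def client_query(dst: str = "8.8.8.8") -> Packet:
    # Constructed sample packet: a LAN workstation asking an external resolver.
    return Packet("Port1", ipaddress.ip_address("192.168.10.50"),
                  ipaddress.ip_address(dst), "udp", 53)


def run_scenario(use_interface_as_source: bool):
    """Returns (matched rule name, resulting destination, counters after one packet)."""
    table = build_table(use_interface_as_source)
    hit, out = table.apply(client_query())
    return hit, str(out.dst), table.counters()


if __name__ == "__main__":
    for flag in (True, False):
        print("src=#Port1" if flag else "src=LAN   ", run_scenario(flag))
```

With the interface as the source the redirect rule never matches, its counter stays at zero and the query leaves for 8.8.8.8 untouched; with the LAN network as the source the same packet is rewritten to 192.168.10.1 and the counter ticks. On a real firewall the equivalent check is the one given in the reply above: look for the matching NAT rule in the Log Viewer, or confirm with tcpdump where the query actually ends up.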
