simple port forwarding

Hello

v18 rules are confusing for now. How do I create a simple port forward to allow access to a port from outside?

Thanks

  • It is very confusing:

    1. Create a NAT rule, under Rules and policies. For example,
    2. Create a firewall rule to allow traffic from Any to the WAN zone where the destination network/host is the WAN IP address

  • Hello Luk,

    Please check (below) the DNAT firewall rule and the corresponding DNAT rule. Especially focus on the Destination Zone and the Destination Network in the firewall rule. The Destination Zone is the LAN zone and #PortB:1 is the alias address on the WAN interface! It is a very interesting interconnection of the Destination Zone and the Destination Network!

    This is not my work, but the result of the business rule migration from v17.5 to v18 EAP1. But it really works. I learned something new again, thanks to Sophos ...

    However, it is important that the DNAT rule must be before the masquerading rule (MASQ), otherwise of course it "matches" the User Portal.

    Regards

    alda

    [:(]


  • I'm with Luk. I really liked the way v17 did this. It's probably more from getting familiar and changing my thought process to XG vs others.

    Looking forward to seeing how this improves over the coming months.

  • Hello Luk and axsom1,

    I agree with you, of course. That's why I wrote that I learned something new, even though I meant it very sarcastically. I can't imagine how v18 EAP1 was tested when it works like that. LuCar Toni mentioned in some thread that he tested/used v18 EAP1 for several weeks, and nobody from Sophos has seen these errors in the implementation? Did no one compare the original firewall rules with the resulting firewall rules after migration when they developed it?

    I can't explain it well enough. v18 EAP1 is released in less than a week, and "amateurs" like us find such implementation errors in a few days?

    Regards

    alda

  • I also very much preferred the unified single pane of glass; frankly, it was one of the crowning features of the XG.

    One page to rule them all, one page to find them and one page in the darkness, bind them.

    Now we have ambiguity across a few pages. If it were possible, I'd rebind everything with NATting back into the unified system, but have the option to do separate global NATs as a side offering. I miss my BUNs (BAPs and UN rules) already.

    Emile

  • Before this thread, I created a specific one:

    Please post there so Sophos can collect feedback faster.

    Thanks

    I agree with you all.

  • alda said:

    Hello Luk,

    Please check (below) the DNAT firewall rule and the corresponding DNAT rule. Especially focus on the Destination Zone and the Destination Network in the firewall rule. The Destination Zone is the LAN zone and #PortB:1 is the alias address on the WAN interface! It is a very interesting interconnection of the Destination Zone and the Destination Network!

    This is not my work, but the result of the business rule migration from v17.5 to v18 EAP1. But it really works. I learned something new again, thanks to Sophos ...

    However, it is important that the DNAT rule must be before the masquerading rule (MASQ), otherwise of course it "matches" the User Portal.

    Regards

    alda

    [:(]


    Hello guys, this is driving me nuts again... I thought I got it working, but it seems I didn't.

    The above posted by Alda finally works, but it is not making any sense to me.

    "The Destination Zone is LAN zone and #PortB: 1 is the alias address on the WAN" If the destination is LAN, surely the destination network has to be inside the LAN, so why does it work when I select the WAN port? No wonder it was not working until I followed this solution.

    Am I understanding this wrong? Because it is not making any sense to me.

  • waghelak said:

    The above posted by Alda finally works, but it is not making any sense to me.

    "The Destination Zone is LAN zone and #PortB: 1 is the alias address on the WAN" If the destination is LAN, surely the destination network has to be inside the LAN, so why does it work when I select the WAN port? No wonder it was not working until I followed this solution.

    Am I understanding this wrong? Because it is not making any sense to me.

    [:'(][:S][:|]

  • Hello waghelak,

    I think the explanation is very simple: it's Sophos magic!

    Sorry, I have a somewhat strange type of humor, but unfortunately I can't think of anything else in the current situation ...

    Regards

    alda

  • I think those are very good reasons for what they want to achieve, and they probably went through a very thoughtful process, but it seems using the same firewall rule setup for both MASQ and DNAT is confusing and does not make any sense.

    It seems like they have just flipped the roles for MASQ and DNAT. Many firewall rules for one MASQ, and many DNAT rules for one firewall rule :)

    Surely they need to change the wording for "Destination Networks", as the option selected is determined by what is selected in "Destination Zone".
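To make the matching order that alda's working rule set and waghelak's question are circling around concrete, here is a small Python model added by the editor; it is not Sophos code and not from any poster. It assumes (my reading of the v18 behaviour, consistent with the rule set that works above) that NAT rules are evaluated top-down with the first match winning, that DNAT is applied before the firewall rule lookup, that the firewall rule's Destination zone is compared with the zone of the translated (post-NAT) address, and that Destination networks is compared with the original (pre-NAT) address. All addresses, rule names and the catch-all MASQ rule are constructed for the illustration.

```python
"""Toy model of the v18 NAT + firewall-rule matching order discussed in this thread.

Added illustration, not Sophos code. Assumed semantics (labelled as assumptions):
  - NAT table is evaluated top-down; the first matching NAT rule wins.
  - DNAT rewrites the destination before the firewall rule lookup.
  - Firewall rule "Destination zone" is compared with the zone of the POST-NAT address.
  - Firewall rule "Destination networks" is compared with the PRE-NAT (original) address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (not from the thread).
WAN_ALIAS = "203.0.113.10"          # plays the role of "#PortB:1", the alias on the WAN interface
LAN_NET = ip_network("192.168.1.0/24")
WEB_SERVER = "192.168.1.50"          # internal host the port forward should reach


def zone_of(ip: str) -> str:
    """Zone lookup: the LAN subnet is the LAN zone, everything else is WAN."""
    return "LAN" if ip_address(ip) in LAN_NET else "WAN"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int

    @property
    def src_zone(self) -> str:
        return zone_of(self.src)


@dataclass
class NatRule:
    name: str
    kind: str                         # "DNAT" or "MASQ"
    orig_dst: Optional[str] = None    # None = any original destination
    dport: Optional[int] = None       # None = any port
    translated_dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return self.orig_dst in (None, p.dst) and self.dport in (None, p.dport)


@dataclass
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str                     # compared with the zone of the POST-NAT destination
    dst_networks: list                # compared with the PRE-NAT (original) destination
    action: str


def apply_nat(p: Packet, nat_rules):
    """Top-down NAT table, first match wins. Only DNAT rewrites the destination."""
    for r in nat_rules:
        if r.matches(p):
            if r.kind == "DNAT":
                return r.name, Packet(p.src, r.translated_dst, p.dport)
            return r.name, p
    return None, p


def evaluate(p: Packet, nat_rules, fw_rules) -> dict:
    """Apply NAT, then find the first firewall rule that matches the assumed semantics."""
    nat_hit, post = apply_nat(p, nat_rules)
    post_nat_zone = zone_of(post.dst)
    for fr in fw_rules:
        zone_ok = fr.src_zone in ("Any", p.src_zone) and fr.dst_zone == post_nat_zone
        net_ok = "Any" in fr.dst_networks or p.dst in fr.dst_networks   # original destination
        if zone_ok and net_ok:
            return {"nat": nat_hit, "fw": fr.name, "action": fr.action, "delivered_to": post.dst}
    return {"nat": nat_hit, "fw": None, "action": "Drop", "delivered_to": post.dst}


DNAT = NatRule("Forward 443 to web server", "DNAT", orig_dst=WAN_ALIAS, dport=443,
               translated_dst=WEB_SERVER)
MASQ = NatRule("Default MASQ", "MASQ")                            # constructed catch-all rule
INBOUND = Packet(src="198.51.100.7", dst=WAN_ALIAS, dport=443)    # constructed internet client


def working_setup() -> dict:
    """The combination that works in the thread: DNAT above MASQ, firewall rule
    WAN -> LAN zone with Destination networks = the WAN alias (original destination)."""
    fw = [FirewallRule("Allow web from WAN", "WAN", "LAN", [WAN_ALIAS], "Allow")]
    return evaluate(INBOUND, [DNAT, MASQ], fw)


def intuitive_but_wrong_setup() -> dict:
    """Destination networks set to the LAN server: never matches, because that field
    is checked against the pre-NAT address, which is still the WAN alias."""
    fw = [FirewallRule("Allow web from WAN", "WAN", "LAN", [WEB_SERVER], "Allow")]
    return evaluate(INBOUND, [DNAT, MASQ], fw)


def masq_before_dnat_setup() -> dict:
    """MASQ listed first: it wins, no DNAT happens, the packet stays addressed to the
    firewall's own WAN IP, so a WAN -> LAN rule's zone never matches."""
    fw = [FirewallRule("Allow web from WAN", "WAN", "LAN", [WAN_ALIAS], "Allow")]
    return evaluate(INBOUND, [MASQ, DNAT], fw)


if __name__ == "__main__":
    for name, fn in [("working", working_setup), ("dst=LAN server", intuitive_but_wrong_setup),
                     ("MASQ first", masq_before_dnat_setup)]:
        print(f"{name:15} -> {fn()}")
```

Under these assumptions the "LAN zone plus WAN address" rule is not contradictory: the zone answers "where does the packet end up after translation" and the network field answers "what was it originally sent to". The third scenario is the ordering point alda raised: if the masquerade rule sits above the DNAT rule and matches first, the inbound packet is never translated and keeps the firewall itself as its destination.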

  • Well, I can't answer in my thread.

    How is it innovative to change a concept that's ingrained in everyone's head?

    Firewall rule: source, destination, action. Simple as that.

    If I have a LAN (source 8.8.8.8) to WAN (destination any) rule, it'll never match anything because, you know, that's an internet (WAN) IP.

    But how:

    WAN (source any) to LAN (destination WAN IP address) rule, is supposed to have coherence? How is that valid?


    "But you are going to LAN and pointing to a WAN IP address; that is never going to match!" the customer said.

    "Yes, it will," said the Sophos partner.

    "Why? How? It doesn't make sense!" the astonished customer said.

    "Magic!" the partner said, as a last resort.
