Thread Info
  • State Not Answered
  • Replies 10 replies
  • Subscribers 5 subscribers
  • Views 5946 views
  • Users 0 members are here
Options
Suggested

NAT RULE 0

Billybob

Can we choose a different color for traffic processed by NAT RULE 0. I have a firewall rule ALLOW ANY ANY and a nat rule NAT LAN to WAN. If i disable the nat rule, the traffic stops flowing as expected, but my firewall logs are still green and show traffic as allowed. It is technically correct that my traffic is allowed due to the firewall rule but I am not getting anywhere due to NAT rule zero so a little hint in the logs would be nice.

Also, the NAT rules don't stop passing traffic immediately if disabled unlike firewall rules probably due to conntrack entries so some clarity in the logs would be appreciated. (Try ping 8.8.8.8 and disable NAT rule, your ping will continue)

Regards

  • 0

    Hi Billybob,

    That would be nice but I have some Customers that do have some un-NATed routes via the WAN link, this would then interfere with the logging of those. There is already a column for whether it is NATed or not?

    I can imagine that the reason why it continues is solely because of the conntrack entry and waits for it to time out. I dislike this behaviour as it has caused me problems in the past.

    Emile

  • 0 in reply to Emile Belcourt

    Aha... I guess we need a new NAT logging module then that shows traffic is being dropped due to a NAT rule. This is not a big deal as NAT is pretty much set and forget. I was playing around with firewall rules and my traffic wasn't working but the logs showed that everything was OK till I noticed NAT rule zero. A little confusing to say the least but your point is taken on different people with different needs

    I figured conntrack was letting the traffic pass through that was already passing and I just put it down as an observation. But people that don't understand conntrack will definitely have questions [:D]

    Regards

  • 0 in reply to Billybob

    Hi Billy,

    On the SG UTM it's the same, I regularly forget to masquerade and there's no feedback and I sit there scratching my head for a second xD

    Emile

  • 0

    I realize this is probably a stupid question but for my own edification, what is NAT Rule 0? I understand there is the Firewall "Rule 0", which essentially drops any traffic that doesn't match the other firewall rules before it. Without it, all traffic would be allowed to pass. However, I didn't think that was really the case with NAT since, by default, if nothing is defined, well... nothing will be be NATed (think I just made up a word).

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • 0 in reply to shred

    Hi Shred,

    NAT Rule 0 is effectively "NoNAT" meaning no modification is applied :)

    Emile

  • 0 in reply to Emile Belcourt

    Got it. So there isn't technically a "NAT Rule 0", it's the nature of how it works. Simply, if there are no NAT rules, then there is no NAT. Appreciate the reply!

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • 0 in reply to shred

    Hi Shred,

    Yeah, that's pretty much it, the NAT column has to be filled so if no other NATs are applied, NoNAT takes effect.

    Emile

  • 0 in reply to Emile Belcourt

    I did have a few problems when messing with NAT too much due to conntrack trying to do its job.

    I added a bunch of firewall rules with coupled NAT in the firewall rule and made sure everything was working as expected. I then deleted just the NAT rule making orphaned firewall rules (no NAT orphan ;). The traffic keeps flowing if the connection is established and NAT 0 shows up in logs. However if you recreate another NAT rule the traffic doesn't go back to the new NAT rule immediately because the conntrack time hasn't expired. The firewall keeps using NAT rule 0 although a regular NAT rule does exist. This problem is really bad when streaming from netflix or similar since the traffic keeps flowing for a long time although the NAT rule is not there.

    You can probably flush the conntrack table from command line or create a new firewall rule for everything to work again if you don't want to wait. 

    After messing around with NAT for a while and getting more headache than I needed, I went back to creating a single NAT LAN to WAN rule for all my traffic. Lesson from this exercise, don't do something because it can be done and keep it simple by using one NAT rule unless there is a specific need for additional NAT. 

    Regards

  • 0 in reply to Billybob

    Its hard to fix this actually.

    One solution would be, flush all matching firewall rules if you create a firewall / nat rule, but nobody will accept this. 

    So basically most products will work this way, if you have a "living" connection, that those connections will be alive afterwards. 

     

    Like mentioned before in some threads, i would assume, Linked NAT Rules are more likely "migration helper" to not break upgrades from V17.5 to V18. 

    I would always recommend to use self created NATs to keep it simple. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Another workaround that is probably far easier to implement is that if you create a linked FIREWALL rule and then try to delete the linked NAT rule, you get a warning that the linked firewall rule will be disabled if you delete the NAT rule. That way the traffic will stop flowing almost immediately since the firewall rule will be disabled and that essentially stops all traffic using that firewall rule immediately.

    This will remove any impact on other firewall traffic and stop the orphaned firewall rules that are looking for suitable NAT rules that may or may not exist.

    Regards

Unfiltered HTML