BUG - logviewer and linked NAT rules

Hi folks,

I have been trying workout why some of my linked NAT rules show no use.

Background.

I built EAP3 and used my v17 backup as the configuration method.

I deleted all the default linked NAT rules and created one generic NAT rule. This does not work well for traffic between internal networks. So I added a non-MASQ rule to cover connections between internal networks, but you need one for each internal network rule. This was not required in v17.

The XG appears to slow down after I removed all the linked NAT rules, throughput was fine just web pages became very slow to load.

So to overcome this issue I added linked NAT rules for all external connection firewall rules, both IP4 and IPv6.

All active firewall rules are passing traffic but the associated linked NAT rules are not.

According to the logviewer I have two firewall rules using the same linked NAT rule even though the firewall rules are shown associated to different linked NAT rules.

I have one firewall rule for my VoIP phones which uses NAT rule 0 and not the associated linked NAT rule.


Maybe this explains why my DPI is working on devices without CAs installed eg IoT devices?

Also intermittently some sites take two attempts to establish a secure connection and then other times during the day they will not connect at all.


Devs please feel free to login and investigate, Pankti of the EAP reporting team has the current access details.

Ian
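One way to turn the log viewer observation above (firewall rules apparently hitting NAT rule 0 or sharing one linked NAT rule) into a repeatable check is to export the firewall log and cross-reference each firewall rule id against the NAT rule id it actually matched. The script below is an added example and is not from this thread or from Sophos; the `key="value"` line shape and the `fw_rule_id`, `nat_rule_id`, `src_ip` and `dst_ip` field names are assumptions about the export format, the log lines are constructed, and the expected link table and internal networks are placeholders you would replace with your own. Traffic between internal networks is allowed to use NAT 0, matching the later observation in the thread that internal-to-internal rules legitimately show NAT 0.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches key="value" pairs; assumed shape of a Sophos Firewall log export.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (not real log data). Field names are assumptions.
SAMPLE_LOG = [
    'log_type="Firewall" log_subtype="Allowed" fw_rule_id="12" nat_rule_id="3" src_ip="10.0.1.20" dst_ip="203.0.113.10"',
    'log_type="Firewall" log_subtype="Allowed" fw_rule_id="12" nat_rule_id="3" src_ip="10.0.1.21" dst_ip="198.51.100.7"',
    'log_type="Firewall" log_subtype="Allowed" fw_rule_id="14" nat_rule_id="3" src_ip="10.0.2.5" dst_ip="203.0.113.10"',
    'log_type="Firewall" log_subtype="Allowed" fw_rule_id="21" nat_rule_id="0" src_ip="10.0.3.50" dst_ip="198.51.100.99"',
    'log_type="Firewall" log_subtype="Allowed" fw_rule_id="30" nat_rule_id="0" src_ip="10.0.1.20" dst_ip="10.0.2.5"',
]

# Placeholder internal ranges; internal-to-internal traffic is allowed to use NAT 0.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]

# Placeholder link table: firewall rule id -> NAT rule id it is linked to in the GUI.
EXPECTED_LINKS = {"12": "3", "14": "4", "21": "5"}


def parse_line(line):
    """Return the key/value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def is_internal(ip, nets=INTERNAL_NETS):
    """True when ip (v4 or v6) falls inside one of the internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def nat_usage(lines):
    """Map each firewall rule id to a Counter of the NAT rule ids it matched."""
    usage = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall":
            continue
        fw, nat = rec.get("fw_rule_id"), rec.get("nat_rule_id")
        if fw is None or nat is None:
            continue
        usage[fw][nat] += 1
    return usage


def audit(lines, expected=EXPECTED_LINKS, nets=INTERNAL_NETS):
    """Return findings: link mismatches, NAT rules shared by several firewall
    rules, and NAT 0 used for traffic leaving the internal networks."""
    findings = []
    usage = nat_usage(lines)

    # 1. Firewall rule matched a NAT rule other than the one it is linked to.
    for fw, nats in sorted(usage.items()):
        exp = expected.get(fw)
        for nat, hits in sorted(nats.items()):
            if exp is not None and nat != exp:
                findings.append({"check": "mismatch", "fw_rule_id": fw,
                                 "expected": exp, "observed": nat, "hits": hits})

    # 2. One linked NAT rule (other than 0) serving more than one firewall rule.
    by_nat = defaultdict(set)
    for fw, nats in usage.items():
        for nat in nats:
            if nat != "0":
                by_nat[nat].add(fw)
    for nat, fws in sorted(by_nat.items()):
        if len(fws) > 1:
            findings.append({"check": "shared_nat", "nat_rule_id": nat,
                             "fw_rule_ids": sorted(fws)})

    # 3. NAT 0 on a flow whose destination is outside the internal networks.
    for line in lines:
        rec = parse_line(line)
        if rec.get("nat_rule_id") == "0" and not is_internal(rec.get("dst_ip", ""), nets):
            findings.append({"check": "nat0_external", "fw_rule_id": rec.get("fw_rule_id"),
                             "dst_ip": rec.get("dst_ip")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Run it against a real export by replacing `SAMPLE_LOG` with the file's lines and `EXPECTED_LINKS` with the firewall-rule-to-NAT-rule links shown in the GUI; a `mismatch` or `shared_nat` finding is the condition described in this post, while a `nat0_external` finding on an external-bound rule is the VoIP case.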

  • Fixed the NAT rule 0, the firewall rule NAT link was missing.

    Still investigating why two firewall rules used the same NAT rule, possibly an issue with an IPv6 firewall rule.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Chasing red herrings, the website that used to work reliably has become unreliable, I tested via my phone hotspot and received the same failed negotiating error with both safari and FF.

    Ian

    Interesting observations after having fixed the NAT configuration, still not sure why some firewall rules were using a generic NAT instead of the linked NAT rule? Site loads are faster with the linked NATs than with a generic NAT.

  • The original issue about firewall rules not using the linked NAT rule still exists. My VoIP network uses NAT 0 according to the logviewer, and passes traffic correctly, e.g. incoming phone calls.

    What is NAT rule 0 and where does it live?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • So basically for outgoing/incoming rules using VoIP and the SIP helper, the SIP helper acts as a proxy and bypasses the linked NAT rule which did not happen in V17.

    I do have other firewall rules that use NAT rule 0 but that is because they are between internal networks.

    Ian