I have just set up XG Home on a VM and all is working well until I try to set up a port forward for my CCTV NVR. I have 2 networks, the main LAN and VLAN 10; the CCTV is on VLAN 10.

I used the DNAT wizard to set up the rule and it created 3 DNAT rules and 1 firewall rule. When I try to connect to my NVR over 4G using my phone it works fine, but when I connect on my local LAN on Wi-Fi it does not work. I use the WAN address to connect inside my NVR app on my phone. On my old router this setup used to work fine. Am I missing something?


  • What you're saying, I think, is that accessing the NVR from outside of your firewall works, but from inside it does not work. What is the firewall rule doing? I assume allowing external traffic to the NVR. (Of which a DNAT rule is translating to the internal IP of your NVR.) Not sure what the other 2 NAT (probably not all DNAT) rules do, though one is probably a "hairpin" rule to map inside access. You might need to add an additional firewall rule to allow the appropriate traffic from your MAIN to your CCTV zones.

    My guess would be that your previous router implemented hidden firewall rules when you made certain NAT rules, but Sophos keeps routing, NATing (NAT rules), and permissions (firewall rules) separate.

    If you check the packet capture under MONITOR & ANALYZE --> Diagnostics --> Packet Capture (click Configure and enter the BPF string "host xx.xx.xx.xx and port 80" for your CCTV public IP and port) while accessing from the LAN or Wi-Fi zone, you will get rule ID 0. You have to create a firewall rule for the incoming traffic to get it forwarded.

    Please check with the rule below, that is, from the LAN/Wi-Fi zone to the LAN zone with the destination network port on which you have mapped your CCTV.
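The point made in the replies above (NAT rules only translate, firewall rules separately permit, and an unmatched flow shows up as rule ID 0) can be seen in a small model. This is an added example, not part of the thread and not Sophos code; it is a simplified two-step model, and the zone names, subnets, addresses and rule IDs are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample topology (assumed, not from the thread).
ZONES = {"LAN": ip_network("192.168.1.0/24"), "CCTV": ip_network("192.168.10.0/24")}
WAN_IP = ip_address("203.0.113.10")   # public address the NVR app points at
NVR_IP = ip_address("192.168.10.50")  # NVR on VLAN 10

@dataclass(frozen=True)
class DnatRule:
    orig_dst: IPv4Address
    port: int
    new_dst: IPv4Address

@dataclass(frozen=True)
class FwRule:
    rule_id: int
    src_zone: str
    dst_zone: str
    port: int

def zone_of(ip):
    """Map an address to its zone; anything not on an internal subnet is WAN."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"

def evaluate(src, dst, port, dnat_rules, fw_rules):
    """Return (firewall rule id, translated destination); id 0 means no rule matched."""
    src, dst = ip_address(src), ip_address(dst)
    # Step 1: DNAT rewrites the destination only; it grants no permission.
    for n in dnat_rules:
        if dst == n.orig_dst and port == n.port:
            dst = n.new_dst
            break
    # Step 2: permission is a separate lookup on source zone -> destination zone.
    for r in fw_rules:
        if (r.src_zone, r.dst_zone, r.port) == (zone_of(src), zone_of(dst), port):
            return r.rule_id, str(dst)
    return 0, str(dst)  # translated correctly, but dropped for lack of a rule

DNAT = [DnatRule(WAN_IP, 80, NVR_IP)]
WIZARD_RULES = [FwRule(5, "WAN", "CCTV", 80)]                # assumed: allows outside access only
FIXED_RULES = WIZARD_RULES + [FwRule(6, "LAN", "CCTV", 80)]  # extra rule for inside clients

if __name__ == "__main__":
    print("4G phone  :", evaluate("198.51.100.7", "203.0.113.10", 80, DNAT, WIZARD_RULES))
    print("Wi-Fi     :", evaluate("192.168.1.20", "203.0.113.10", 80, DNAT, WIZARD_RULES))
    print("Wi-Fi+rule:", evaluate("192.168.1.20", "203.0.113.10", 80, DNAT, FIXED_RULES))
```

In this model the Wi-Fi client's request is translated to the NVR address in both cases; only the presence of a LAN-to-CCTV firewall rule changes the outcome from rule ID 0 to a match.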


