
External and internal NAT for different ports

Hello guys,

I am trying to create a DNAT rule for a server based in a DMZ network. We have a wifi controller in the DMZ where Access Points from different onsite and offsite locations connect to through two different ports over WAN. I managed that with a DNAT rule from external and a dns entry on our domain controller which points to the public ip in the DMZ (works fine).

Now we got the requirement that the web UI port 8443 is only accessible from the internal network and not externally. But the port seems to be blocked (default drop, if I read the logs correctly). I have now tried everything I can imagine with Full NAT/DNAT and firewall rules. It seems like it doesn't use the NAT rules, because in the logs the default drop says the source is the internal server IP from where I tested it and the destination is the public IP (where normally the DMZ server address should be).

Do you guys have an idea?

Thanks in advance.

Kind regards,

Matthias



  • Matthias, please copy a default drop line from the Firewall log file (not the Live Log).  If you prefer, obfuscate IPs like 212.XX.YY.22, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    here is a line from the log: 

    2021:10:21-15:05:47 fw-1 ulogd[11751]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="lag0.2" srcmac="*removed*" dstmac="*removed*" srcip="192.168.X.215" dstip="212.X.Y.148" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="63896" dstport="8443" tcpflags="SYN" 

    Here you can see that it tries to access the wifi controller with the public IP instead of the DMZ IP, even though the Full NAT rule is activated.

    Thank you in advance.

    Kind regards,

    Matthias
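    To make the pattern in that log line easy to spot across a whole Firewall log export, here is a small added example (not code from the thread or from Sophos) that parses UTM ulogd packetfilter lines and flags drops that arrived on an internal interface from a private source but were still addressed to the firewall's public IP when the filter saw them, which is exactly what a DNAT/Full NAT rule that did not match looks like. The sample lines, the placeholder octets standing in for the obfuscated X/Y values, the MACs, the assumption that `lag0.2` is an internal interface and the DMZ address `172.20.0.51` are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample lines in Sophos UTM ulogd packetfilter format. The first mirrors the
# drop posted in the thread, with the obfuscated octets and MACs replaced by placeholder
# values so the addresses parse. The second is a made-up line where the destination is
# already the DMZ address, i.e. NAT rewrote it before the filter saw the packet.
SAMPLE_LINES = [
    '2021:10:21-15:05:47 fw-1 ulogd[11751]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="lag0.2" '
    'srcmac="00:00:00:00:00:01" dstmac="00:00:00:00:00:02" srcip="192.168.1.215" '
    'dstip="212.0.0.148" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" '
    'srcport="63896" dstport="8443" tcpflags="SYN"',
    '2021:10:21-15:06:02 fw-1 ulogd[11751]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="lag0.2" '
    'srcmac="00:00:00:00:00:01" dstmac="00:00:00:00:00:02" srcip="192.168.1.215" '
    'dstip="172.20.0.51" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" '
    'srcport="63897" dstport="8443" tcpflags="SYN"',
]

# ulogd writes every field as key="value"; this captures each pair.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line):
    """Return a dict of the key="value" fields in one ulogd line, plus timestamp and host."""
    head, sep, body = line.partition(': ')
    if not sep:
        raise ValueError("not a ulogd line: " + line)
    fields = dict(KV_RE.findall(body))
    timestamp, host, _process = head.split(' ', 2)
    fields['_timestamp'] = timestamp
    fields['_host'] = host
    return fields


def unnatted_public_dst_drops(lines, internal_ifaces, public_ips, port):
    """Yield parsed drops on the given port that came in on an internal interface from a
    private source and were still addressed to one of the firewall's public IPs. Such a
    packet never matched a DNAT/Full NAT rule, otherwise dstip would be the DMZ host."""
    public = {ipaddress.ip_address(p) for p in public_ips}
    for line in lines:
        fields = parse_ulogd_line(line)
        if fields.get('action') != 'drop':
            continue
        if fields.get('initf') not in internal_ifaces:
            continue
        if fields.get('dstport') != str(port):
            continue
        if not ipaddress.ip_address(fields['srcip']).is_private:
            continue
        if ipaddress.ip_address(fields['dstip']) in public:
            yield fields


def report(lines, internal_ifaces, public_ips, port):
    """One human-readable summary line per suspicious drop."""
    return [
        f"{f['_timestamp']} fwrule={f['fwrule']} {f['srcip']}:{f['srcport']} -> "
        f"{f['dstip']}:{f['dstport']} on {f['initf']}: destination still public, "
        f"no NAT rule matched"
        for f in unnatted_public_dst_drops(lines, internal_ifaces, public_ips, port)
    ]


if __name__ == '__main__':
    # Assumed: lag0.2 is the internal VLAN, 212.0.0.148 the public IP the DNAT listens on.
    for summary in report(SAMPLE_LINES, {'lag0.2'}, {'212.0.0.148'}, 8443):
        print(summary)
```

    Run against a Firewall log export the same way (one line per list element); only the first constructed line is reported, because its destination is still the public address, while the second already carries the DMZ address and so is a plain filter decision rather than a NAT miss.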

  • Philipp, I looked at his log line below and his Full NAT.  The packet should not have been dropped.  What am I not seeing?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    What is this: initf="lag0.2"?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Nobody has any idea what's going on here?

    Kind regards,

    Matthias

  • Just a wild guess: I think NAT is confused by the LAG you are using.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • This is mysterious, Matthias.  I don't understand why the packet isn't processed by your NAT rule.  Is there an earlier NAT rule that captures this traffic?  A DNAT maybe?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA