
Added a new interface to Sophos SG UTM but cannot open any ports on it

Hi there,

I have a Sophos SG125 UTM and until now it has had 2 interfaces configured - eth0 Internal LAN (192.168.102.X/24) & eth1 WAN (PPPoE)

I haven't had any need for open external ports up to this point.

I have now added a VM on to our Hyper-V server and allocated a physical NIC to a dedicated Virtual Switch for this server. This physical NIC is directly connected to eth4 on the SG125. eth4 is configured with the IP address 172.16.0.254/24 and the new VM is configured with the IP address 172.16.0.1/24. 

Internet browsing, Teamviewer etc. are working fine on the new VM, but I have to open 2x TCP ports (8080 & 8090) on the SG125 for this server. I have created firewall rules in the usual manner, but the firewall is dropping all traffic on TCP 8080 & 8090.

Firewall rules are in

Network Protection > Firewall > New Rule >

Source: ANY

Services: Defined TCP 8080 & 8090

Destination: Definition for new Server

Action: Allow

Is there something else I have to do?

Many thanks in advance for any help offered.

Paul.



  • You might have to pick new ports or change the transparent proxy in UTM (Web Protection > Filtering Options > Misc tab).  Port 8080 is there by default.  You may have to change that port to something else, maybe 8081 or another you aren't using.

    I would also not use 'Any' as your source. Define your network(s) instead; that's a potential security issue. Also, make sure you enable the rule once you create it (it's off by default). ;)

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thanks for the reply Amodin

    I tried creating 2x redirected port rules (TCP 12345 > 8080 & TCP 12346 > 8090) but still nothing. The Firewall logs are showing the traffic as being dropped.

    I have 3x firmware updates to apply (currently on 9.705-3) but I'll have to do these tomorrow when I know nobody is connected remotely. I doubt this will fix it though.

    I can't help but feel I've missed something on the interface settings or similar.

    Oh, the "Any" on the source of the firewall rule is simply for testing purposes. I would usually have this set to "Internet IPV4", as the sole purpose of this server is a public-facing web server, but I appreciate the heads up.

  • I can't help but feel I've missed something on the interface settings or similar.

    Can you take a screenshot and drag it into a reply window of what you think you might have set incorrectly?  We can see what your setup is.  Feel free to edit any revealing IPs.

    I would also copy/paste some of your logs showing the blocking taking place so we can read those lines.


  • Pics show interfaces, Firewall Rules for the new VM & Network (172.16.0.X), Masquerading rule (not sure if required?) & logs showing drops. 86.11.141.252 is my home broadband IP.

    Although TCP 8080 is required, client connections come in on TCP 8090 so I haven't yet changed the web filtering port.

    I've also just updated the SG125 to the latest available firmware (9.707-5) which also rebooted it. Still no change.

    I'm sure it's something simple and quite fundamental but I just can't think what it is.

    Thanks!

  • If you wish to allow access from the Internet to your server, you need a DNAT rule.

    Source=any - Service=8090+8090 -> destination=external Interface IP .... change destination to "your Server"  

    ... and I would check the 2 checkboxes for Firewall-Rule and logging


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Wow - so that worked!

    Thank you so much!

    I did have DNAT rules in before but the mistake I made was my rule was like:

    Source= Internet IPV4 - Service=8090+8090 -> destination=VM Server 

    It's kinda common sense now in hindsight, but isn't that always the way?

    Thanks again for the help guys - really appreciate that.
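As an added illustration (not Sophos code and not anything the posters wrote), the following Python model shows why the first DNAT rule could never fire: the UTM evaluates a DNAT rule against the packet as it arrives from the Internet, addressed to the external interface, so a rule whose destination is the internal server matches nothing, and the later allow rule for the server never sees a packet. The WAN address 203.0.113.10 and the client 198.51.100.7 are constructed placeholders; 172.16.0.1 and ports 8080/8090 are from the thread.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class DnatRule:
    match_dst: str        # packet destination BEFORE translation
    ports: frozenset      # matched TCP service ports
    new_dst: str          # where the packet is sent after translation
    auto_fw_rule: bool    # the "Firewall rule" checkbox Dirk mentions

WAN_IP = "203.0.113.10"     # placeholder for the PPPoE external address
VM_SERVER = "172.16.0.1"    # the new VM from the thread
SERVICES = frozenset({8080, 8090})

def apply_dnat(pkt, rules):
    """Return (translated packet, matched rule). DNAT is evaluated on the
    packet as it arrives, i.e. addressed to the WAN IP, never to the VM."""
    for rule in rules:
        if pkt.dst == rule.match_dst and pkt.dport in rule.ports:
            return replace(pkt, dst=rule.new_dst), rule
    return pkt, None

def inbound_verdict(pkt, dnat_rules, manual_fw_rule=True):
    """Model the forwarding decision: DNAT first, then a default-deny filter
    that allows any -> VM_SERVER on SERVICES when a firewall rule exists
    (either Paul's manual rule or the DNAT rule's automatic one)."""
    nat_pkt, rule = apply_dnat(pkt, dnat_rules)
    fw_rule_present = manual_fw_rule or (rule is not None and rule.auto_fw_rule)
    if fw_rule_present and nat_pkt.dst == VM_SERVER and nat_pkt.dport in SERVICES:
        return "ALLOW"
    return "DROP"

# Paul's first attempt: destination set to the server itself, which no inbound
# packet carries before translation, so the rule never fires.
BROKEN_DNAT = DnatRule(VM_SERVER, SERVICES, VM_SERVER, auto_fw_rule=False)
# Dirk's fix: match on the external interface address, translate to the server.
WORKING_DNAT = DnatRule(WAN_IP, SERVICES, VM_SERVER, auto_fw_rule=True)

if __name__ == "__main__":
    client = Packet("198.51.100.7", WAN_IP, 8090)   # constructed Internet client
    print("broken :", inbound_verdict(client, [BROKEN_DNAT]))   # DROP
    print("working:", inbound_verdict(client, [WORKING_DNAT]))  # ALLOW
```

The same model shows that once the DNAT rule's own firewall-rule checkbox is set, the manual allow rule is no longer needed, while ports outside the defined services are still dropped.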
