
Please help: All DNAT rules suddenly stopped working, affecting remote access and external access

Hey Guys – I am completely stumped and need some help! All of a sudden my DNAT rules stopped working and it is affecting my remote desktop, Plex server and CCTV camera access from outside of the network. Below is a screenshot of my current firewall and DNAT rules.

I’ve not touched them for months and everything was working perfectly until I applied the recent updates. As you can see, I even added an Any->Any rule to isolate the problem, without much success :(


This is the firewall log when I try to use remote desktop:

2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"


This message comes up when I try to access my Plex Server remotely:

2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" srcport="23235" dstport="5351"


This thread was automatically locked due to age.
  • Hi,

    Sometimes a firmware upgrade affects the existing configuration in UTM. The first and foremost step after an update is to restore a backup from the previous version. Can you try that and update us if the issue is resolved?

    Apart from this, I am unable to understand why all the ports are mapped with DNAT rule 3; always map the required ports, or have an additional IP for such a requirement.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I tried the restore process and I am still unable to access the server from outside of the network. Can you also clarify what you mean by:

    "Contrary to this, I am unable to understand why all the ports are mapped with the DNAT rule 3, always map required ports or have an additional IP on such requirement."


    Just to confirm, is the backup/restore tool accessed via this page, by clicking on the highlighted green arrow:

    I just get logged out of the UTM but I am not sure if the restore process is successful.


  • Please help me out guys :( This is causing major issues. Will re-installing Sophos UTM and reloading the config help?

  • Hi,

    Yes, you accessed the correct page to restore the config. After a successful restore, UTM will log you out and you need to log in again.

    I think I found the issue. In DNAT rule no. 1, the "Going to" object should be External WAN (address) instead of (network). PFA screenshot, and configure the DNAT rule exactly the same way.

    Any help with that?

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi sachingurung - It is still not working :( None of the ports are visible from outside of the network...

  • Hi,

    SSH to the UTM and log in as root. Execute

    tcpdump -nei any port 3389

    and try to establish an RDP connection to homestation. Do you see any packets captured there? Please post them here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I don't see any output at all, and I even tried with a few other ports :(

  • In your first post, the first firewall log line is unrelated to RDP - it is a reset packet for a terminated HTTPS conversation, and it can be ignored.

    The second line is a dropped UDP packet.  When you defined the Service for 5351, did you define it as "TCP" or as "TCP/UDP?"  What do the .118 and .119 IPs represent here?

    Based on your most-recent post above, something is blocking access to your UTM.  If this is a home installation, are you certain that you weren't assigned a new IP by your ISP?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
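Bob's reading of the two log lines above (a stray RST from a finished HTTPS conversation versus a genuinely dropped UDP datagram) is easy to get wrong by eye. The following script is an added example, not code from the thread or from Sophos: it parses the `key="value"` fields of the ulogd `packetfilter` lines quoted in the original post and classifies each drop the way Bob did. The first two sample lines are the ones quoted earlier in this thread; the third is constructed (the 198.51.100.7 source, interface eth1, and the SYN to port 3389 are all made up) to show what a blocked inbound RDP attempt would look like in the same format. It also assumes that UTM writes several TCP flags space separated (e.g. `tcpflags="SYN ACK"`).

```python
import re
from typing import Dict, List

# The first two lines are the ones quoted earlier in this thread.  The third is a
# constructed line (not from the thread) showing what a blocked inbound RDP attempt
# would look like in the same format: an inbound TCP SYN to 192.168.1.101:3389.
SAMPLE_LINES = [
    '2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"',
    '2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" srcport="23235" dstport="5351"',
    # constructed, not from the thread
    '2016:10:03-12:30:00 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="198.51.100.7" dstip="192.168.1.101" proto="6" length="60" tos="0x00" prec="0x00" ttl="52" srcport="51234" dstport="3389" tcpflags="SYN"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}


def parse_line(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one ulogd packetfilter line as a dict."""
    return dict(KV_RE.findall(line))


def classify_drop(fields: Dict[str, str]) -> Dict[str, str]:
    """Summarise one dropped packet and say whether it matters for a NAT problem."""
    proto = PROTO_NAMES.get(fields.get("proto", ""), fields.get("proto", "?"))
    # Assumption: several TCP flags are written space separated, e.g. tcpflags="SYN ACK".
    flags = set(fields.get("tcpflags", "").split())
    # initf is set for packets arriving on an interface, outitf for packets leaving one.
    if "initf" in fields:
        direction = "inbound on " + fields["initf"]
    else:
        direction = "outbound via " + fields.get("outitf", "?")

    if proto == "TCP" and "RST" in flags and "SYN" not in flags:
        kind, note = "stray-reset", "reset for an already finished conversation; ignore"
    elif proto == "TCP" and "SYN" in flags and "ACK" not in flags:
        kind, note = "blocked-connect", "a new connection attempt was refused; this is the line to look for"
    elif proto == "UDP":
        kind, note = "dropped-udp", "UDP dropped; check the service is defined as TCP/UDP, not TCP only"
    else:
        kind, note = "other", "not a connection attempt"

    return {
        "kind": kind,
        "proto": proto,
        "direction": direction,
        "src": f'{fields.get("srcip")}:{fields.get("srcport")}',
        "dst": f'{fields.get("dstip")}:{fields.get("dstport")}',
        "fwrule": fields.get("fwrule", "?"),
        "note": note,
    }


def drops_to_port(lines: List[str], port: int) -> List[Dict[str, str]]:
    """Return summaries of dropped packets whose destination port is `port`."""
    out = []
    for line in lines:
        f = parse_line(line)
        if f.get("name") == "Packet dropped" and f.get("dstport") == str(port):
            out.append(classify_drop(f))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        s = classify_drop(parse_line(line))
        print(f'{s["kind"]:16} {s["proto"]:4} {s["direction"]:18} '
              f'{s["src"]} -> {s["dst"]}  rule {s["fwrule"]}  ({s["note"]})')
```

Run against a copy of the packet filter log, `drops_to_port(lines, 3389)` returns only drops aimed at the RDP port, and the `kind` field tells you whether each one was a refused connection attempt or noise. The first quoted line classifies as `stray-reset` (source port 443, RST, no SYN) and the second as `dropped-udp` to port 5351, which is exactly why Bob asked whether the 5351 service was defined as TCP or TCP/UDP.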
  • I was able to get some results from packet capture testing port 32400:

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    16:15:38.666747  In c0:bd:d1:58:1d:82 ethertype IPv4 (0x0800), length 78: 192.168.1.124.32400 > 192.168.1.199.53: 21698+ A? e14.whatsapp.net. (34)
    16:15:38.698634 Out 00:25:90:f4:54:61 ethertype IPv4 (0x0800), length 546: 192.168.1.199.53 > 192.168.1.124.32400: 21698 8/13/6 A 173.193.205.3, A 158.85.58.28, A 158.85.58.118, A 169.47.5.199, A 169.45.248.175, A 169.47.5.232, A 174.37.199.200, A 169.45.248.101 (502)


    .199 is my Sophos UTM Box

    .124 is my VMS server running the CCTV application

    .118 is my Plex server

  • Actually how long does it take for the logs to appear?