Please help: All DNAT rules suddenly stopped working, affecting remote access and external access

Hey Guys – I am completely stumped and need some help! All of a sudden my DNAT rules stopped working and it is affecting my remote desktop, Plex server and CCTV camera access from outside of the network. Below is a screenshot of my current firewall and DNAT rules.

I’ve not touched them for months and everything was working perfectly until applying the recent updates. As you can see, I even added an Any->Any rule to isolate the problem without much success :(


This is the firewall log when I try to use remote desktop:

2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"


This message comes up when I try to access my Plex Server remotely:

2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" srcport="23235" dstport="5351"

  • In your first post, the first firewall log line is unrelated to RDP - it is a reset packet for a terminated HTTPS conversation, and it can be ignored.

    The second line is a dropped UDP packet.  When you defined the Service for 5351, did you define it as "TCP" or as "TCP/UDP?"  What do the .118 and .119 IPs represent here?

    Based on your most-recent post above, something is blocking access to your UTM.  If this is a home installation, are you certain that you weren't assigned a new IP by your ISP?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
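The triage described in the reply above, as an added example that is not code from this thread or from Sophos: a small parser for the ulogd packetfilter lines quoted in the first post, which splits the key="value" fields, maps the IANA protocol number to a name, and applies the reply's two rules (a TCP RST drop is teardown noise for an already-closed connection; a UDP drop to a DNAT'd port means the Service definition should be checked for TCP/UDP rather than TCP only). The two sample lines are copied from the post; the verdict labels and the small protocol table are assumptions of this example.

```python
import re

# Constructed sample: the two "Packet dropped" lines quoted in the first post.
SAMPLE_LOG = [
    '2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" '
    'srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" '
    'length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"',
    '2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" '
    'dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" '
    'srcport="23235" dstport="5351"',
]

PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ulogd\[(?P<pid>\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers (subset)


def parse_ulogd_line(line):
    """Return the line's key="value" fields plus timestamp, host, pid and a protocol name."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a ulogd packetfilter line: " + line[:40])
    fields = m.groupdict()
    fields.update(KV_RE.findall(line))  # list of (key, value) pairs
    proto = fields.get("proto")
    fields["proto_name"] = PROTO_NAMES.get(proto, "proto " + str(proto))
    return fields


def triage(fields):
    """Classify a drop the way the reply does (verdict labels are this example's own)."""
    if fields["proto_name"] == "TCP" and "RST" in fields.get("tcpflags", ""):
        return "ignore"  # stray reset for an already-terminated connection, not the blocked service
    if fields["proto_name"] == "UDP":
        return "check-service"  # only passes if the DNAT Service is TCP/UDP, not TCP only
    return "review"


def summarize(line):
    """One-line verdict: timestamp, rule id, protocol, 5-tuple and triage result."""
    f = parse_ulogd_line(line)
    return (f"{f['ts']} rule={f['fwrule']} {f['proto_name']} "
            f"{f['srcip']}:{f['srcport']} -> {f['dstip']}:{f['dstport']} => {triage(f)}")


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(summarize(entry))
```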
  • I was able to get some results from packet capture testing port 32400:

    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    16:15:38.666747  In c0:bd:d1:58:1d:82 ethertype IPv4 (0x0800), length 78: 192.168.1.124.32400 > 192.168.1.199.53: 21698+ A? e14.whatsapp.net. (34)
    16:15:38.698634 Out 00:25:90:f4:54:61 ethertype IPv4 (0x0800), length 546: 192.168.1.199.53 > 192.168.1.124.32400: 21698 8/13/6 A 173.193.205.3, A 158.85.58.28, A 158.85.58.118, A 169.47.5.199, A 169.45.248.175, A 169.47.5.232, A 174.37.199.200, A 169.45.248.101 (502)

    .199 is my Sophos UTM Box

    .124 is my VMS server running the CCTV application

    .118 is my Plex server
