
Please help: All DNAT rules suddenly stopped working, affecting remote access and external access

Hey Guys – I am completely stumped and need some help! All of a sudden my DNAT rules stopped working and it is affecting my remote desktop, Plex server and CCTV camera access from outside of the network. Below is a screenshot of my current firewall and DNAT rules.

I’ve not touched them for months and everything was working perfectly until I applied the recent updates. As you can see, I even added an Any->Any rule to isolate the problem, without much success :(


This is the firewall log when I try to use remote desktop:

2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"


This message comes up when I try to access my Plex Server remotely:

2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" srcport="23235" dstport="5351"




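The two log lines above are in the ulogd key="value" format that Sophos UTM writes for packetfilter drops. The following is an added example, not Sophos code and not from the original post: it parses that format and sorts dropped packets into the one class that would actually explain a broken DNAT (an external client arriving on the WAN interface for a forwarded port and being dropped) versus unrelated noise such as TCP resets and LAN-to-LAN traffic. The WAN interface name "eth1", the forwarded-port set, and the third sample line are assumptions; the thread does not say which interface faces the internet.

```python
"""Triage Sophos UTM packetfilter drops against a DNAT port list.

Added example for this thread, not Sophos code. Field names (fwrule, initf,
outitf, srcip, dstip, dstport, tcpflags, proto, action) are the ones visible
in the posted log lines. WAN interface name and forwarded ports are assumed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

KV_RE = re.compile(r'(\w+)="([^"]*)"')                       # key="value" pairs
PREFIX_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\[(\d+)\]:\s*(.*)$")  # ts host proc[pid]:
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sample input: the first two lines are the ones posted in the thread; the third
# is constructed to show what an external client hitting a forwarded port looks
# like (interface "eth1", client 203.0.113.5 and port 3389 are assumptions).
SAMPLE_LINES = [
    '2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"',
    '2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" srcport="23235" dstport="5351"',
    '2016:10:03-12:30:00 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:00:5e:00:53:01" srcip="203.0.113.5" dstip="192.168.1.101" proto="6" length="60" tos="0x00" prec="0x00" ttl="52" srcport="51000" dstport="3389" tcpflags="SYN"',
]


def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Split 'timestamp host process[pid]: k="v" k="v" ...' into a flat dict."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ulogd line: {line!r}")
    ts, host, proc, pid, rest = m.groups()
    entry = {"timestamp": ts, "host": host, "process": proc, "pid": pid}
    entry.update(dict(KV_RE.findall(rest)))
    return entry


def is_rfc1918(ip: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 (explicit list, so documentation
    ranges such as 203.0.113.0/24 count as external in this triage)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify_drop(entry: Dict[str, str], wan_if: str, forwarded_ports: Set[int]) -> str:
    """Label a drop entry by whether it could be the missing DNAT traffic."""
    if entry.get("action") != "drop":
        return "not-a-drop"
    src, dst = entry.get("srcip", ""), entry.get("dstip", "")
    try:
        dstport = int(entry.get("dstport", "0"))
    except ValueError:
        dstport = 0
    flags = entry.get("tcpflags", "").split()
    # External source, arrived on the WAN interface, aimed at a forwarded port:
    # this is the only kind of drop that would explain the DNAT not working.
    if entry.get("initf") == wan_if and dstport in forwarded_ports and not is_rfc1918(src):
        return "dnat-candidate"
    if "RST" in flags:                      # teardown of some other session, not a new request
        return "reset-unrelated"
    if is_rfc1918(src) and is_rfc1918(dst):  # internal chatter, never touched the DNAT
        return "lan-internal"
    return "inbound-other" if "initf" in entry else "outbound-other"


def summarize(entry: Dict[str, str]) -> str:
    """One-line human summary: proto src -> dst interface rule [flags]."""
    proto = PROTO_NAMES.get(entry.get("proto", ""), entry.get("proto", "?"))
    itf = f"in={entry['initf']}" if "initf" in entry else f"out={entry.get('outitf', '?')}"
    text = (f"{proto} {entry.get('srcip')}:{entry.get('srcport')} -> "
            f"{entry.get('dstip')}:{entry.get('dstport')} {itf} rule={entry.get('fwrule')}")
    flags = entry.get("tcpflags")
    return text + (f" flags={flags}" if flags else "")


def triage(lines: Iterable[str], wan_if: str, forwarded_ports: Set[int]) -> List[str]:
    """Classification for each line, in input order."""
    return [classify_drop(parse_ulogd_line(l), wan_if, forwarded_ports) for l in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_ulogd_line(line)
        print(f"{classify_drop(e, 'eth1', {3389}):16} {summarize(e)}")
```

Run over the two lines actually posted in the thread, neither comes out as a DNAT candidate: the first is an outbound TCP reset and the second is UDP between two LAN hosts. That matches the later advice in the thread to capture on port 3389 and see whether any external request reaches the UTM at all.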
  • Hi,

    Sometimes a firmware upgrade affects the residing configurations in UTM. The first and foremost step after an update is to restore a backup from the previous version. Can you try that and update us on whether the issue is resolved?

    Contrary to this, I am unable to understand why all the ports are mapped with the DNAT rule 3, always map required ports or have an additional IP on such requirement.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I tried the restore process and I am still unable to access the server from outside of the network. Can you also clarify what you mean by:

    "Contrary to this, I am unable to understand why all the ports are mapped with the DNAT rule 3, always map required ports or have an additional IP on such requirement."


    Just to confirm is the backup/restore tool accessed via this page and clicking on the highlighted green arrow:

    I just get logged out of the UTM but I am not sure if the restore process is successful.


  • Please help me out guys :( This is causing major issues. Will re-installing Sophos UTM and reloading the config help?

  • Hi,

    Yes, you accessed the correct page to restore the config. After a successful restore, UTM will log you out and you need to log in again.

    I think I found the issue. In the no 1 DNAT rule, the "going to" object should be External WAN (address) instead of (network). PFA screenshot and configure the DNAT rule exactly.

    Any help with that?

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi sachingurung- It is still not working :( None of the ports are visible outside of the network...

  • Hi,

    Take SSH to UTM and login as root. Execute,

    tcpdump -nei any port 3389

    and try to establish an RDP connection on homestation. Do you see any logs here? Please post them here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I don't see any logs at all and even tried with a few other ports :(

  • Actually how long does it take for the logs to appear?

  • Here is additional capture data with port 3389:


    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    23:18:20.097947 Out 00:25:90:f4:54:60 ethertype IPv4 (0x0800), length 91: 192.168.0.10.3389 > 8.8.8.8.53: 158
    23:18:20.128167  In f0:f2:49:8c:75:b2 ethertype IPv4 (0x0800), length 107: 8.8.8.8.53 > 192.168.0.10.3389: 15

  • Hi,

    If you see no logs for TCP dump on port 3389 then there is no request hitting UTM to access the server. Can you post a screenshot of the inside configuration of the DNAT rule and the host definitions defined in the policy?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
