
Please help: All DNAT rules suddenly stopped working, affecting remote access and external access

Hey guys – I am completely stumped and need some help! All of a sudden my DNAT rules stopped working, and it is affecting my remote desktop, Plex server and CCTV camera access from outside of the network. Below is a screenshot of my current firewall and DNAT rules.

I’ve not touched them for months and everything was working perfectly until I applied the recent updates. As you can see, I even added an Any->Any rule to isolate the problem, without much success :(


This is the firewall log when I try to use remote desktop:

2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"


This message comes up when I try to access my Plex Server remotely:

2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" srcport="23235" dstport="5351"
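As an added illustration (not code from this thread or from Sophos), here is a small parser for the ulogd packetfilter lines quoted above that checks whether a drop is really an inbound client request to a published TCP port (3389 for RDP here). The log format is taken from the post; the classification rules and the sample lines embedded below are my own construction.

```python
import re

# Constructed sample: the two ulogd packetfilter drops quoted in the post above.
SAMPLE_LOG = """\
2016:10:03-12:17:44 homestation ulogd[4782]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:25:90:f4:54:61" srcip="204.79.197.200" dstip="192.168.1.101" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="64961" tcpflags="RST"
2016:10:03-12:24:44 homestation ulogd[4797]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="02:ff:70:00:07:0b" dstmac="00:25:90:f4:54:61" srcip="192.168.1.118" dstip="192.168.1.199" proto="17" length="30" tos="0x00" prec="0x00" ttl="64" srcport="23235" dstport="5351"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """Turn one key="value" ulogd line into a dict (timestamp kept under 'ts')."""
    rec = dict(KV_RE.findall(line))
    rec["ts"] = line.split(" ", 1)[0]
    return rec


def classify_drop(rec, published_tcp_ports):
    """Say whether a packetfilter drop is evidence against a DNAT rule.

    Only a TCP SYN (without ACK) arriving on an interface for a published
    port means a real client request reached the UTM and was refused."""
    flags = rec.get("tcpflags", "")
    if (rec.get("proto") == "6" and rec.get("dstport") in published_tcp_ports
            and "SYN" in flags and "ACK" not in flags and "initf" in rec):
        return "inbound_request_to_published_port"
    if rec.get("proto") == "6" and "RST" in flags:
        return "stray_tcp_rst"       # teardown of an old session, not a new request
    if rec.get("proto") == "17" and rec.get("dstport") == "5351":
        return "nat_pmp_probe"       # UDP 5351 is NAT-PMP: a LAN device looking for its router
    return "unrelated"


def summarize(log_text, published_tcp_ports=("3389",)):
    """Count drop categories over a packetfilter log excerpt."""
    counts = {}
    for line in log_text.splitlines():
        if 'sub="packetfilter"' not in line:
            continue
        kind = classify_drop(parse_ulogd(line), published_tcp_ports)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Neither quoted drop counts as an inbound request to 3389, which is the same conclusion the later tcpdump replies reach: nothing for the published port was reaching the UTM at all.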

  • Here is additional capture data for port 3389:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    23:18:20.097947 Out 00:25:90:f4:54:60 ethertype IPv4 (0x0800), length 91: 192.168.0.10.3389 > 8.8.8.8.53: 158
    23:18:20.128167  In f0:f2:49:8c:75:b2 ethertype IPv4 (0x0800), length 107: 8.8.8.8.53 > 192.168.0.10.3389: 15

  •  Hi,

    If you see no logs in the tcpdump on port 3389, then there is no request hitting the UTM to access the server. Can you post a screenshot of the inside configuration of the DNAT rule and the host definitions defined in the policy?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Jay the last capture you showed us is of a UDP port 53 request to Google DNS and the server's response.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • sachingurung & balfson - from the bottom of my heart I want to say THANK YOU for all the help! It turned out that the issue was caused by the ISP's piece-of-crap modem, which somehow reset itself to default and lost bridge mode. So I was effectively in a double NAT situation without noticing it. The modem somehow lost the ability to bridge, I had it swapped out, and now everything is working! I did do a re-image and restored the previous settings; the process is flawless.

    How did I finally realize the issue? I tried to do a fresh UTM install and re-configure things from scratch, without much avail. Then, with great sadness, I decided to try another UTM called ClearOS, and during the setup it displayed the IP of my LAN and WAN port. The WAN IP was certainly not my public IP, and that's how I realized it was not in bridge mode. ClearOS is just like a kid's toy vs. the true enterprise-grade Sophos UTM!

    So happy to have everything back up and I knew Sophos with such stellar reputation wouldn't break something this simple through an update!

  • Hi,

    You're welcome, please contact us for any further assistance. 

    Thanks for choosing Sophos.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Not a problem and I am sure many home users are eternally thankful to Sophos for making the UTM free for home use! Other alternatives simply don't come close to the functionality and support!