
Port Forwarding on RED

Hello,


We have three devices in our network.


ADSL Router:

WAN IP - 185.168.41.75 (static)

LAN IP - 192.168.1.1


RED10:

WAN IP - 192.168.1.2

LAN IP - 50.50.50.1


CCTV DVR:

Port - 91

LAN IP - 50.50.50.233


We would like to access our DVR from the internet. We have enabled DMZ on our router for IP 192.168.1.2 (which is the RED10 device), and on the UTM we have defined a DNAT rule with the DVR as the destination for port 91.


We'd imagine this would work when we type 185.168.41.75:91 but unfortunately this configuration isn't working.


Any thoughts on what we are doing wrong here?


Thanks! :)



  • Can you show a screenshot of your DNAT rule?

    How is your RED tunnel configured (standard unified or any of the split settings)?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello apijnappels,

    The RED is configured in split mode. I would like to point out that I have configured the RED with a static IP of 192.168.1.3 and GW of 192.168.1.1 (which is my ADSL router) in RED Client Management. As I mentioned earlier, DMZ is enabled on the router with the WAN IP of the RED (i.e. 192.168.1.3).


    Here is the screenshot of the DNAT rule:


    Vasu 01 (50.50.50.1) is my RED network and Vasu DVR_Basement is my CCTV DVR (50.50.50.233).


    Your help is much appreciated.

    Thanks!

  • I think your problem is the split tunneling feature in combination with DNAT. Traffic from the DNAT rule will still come from an external IP-address which your RED network would most likely route directly to the internet (and not back to your UTM).

    It might work if you change the DNAT rule to a Full NAT rule, but I haven't tried such a thing. You could try it like this:

    For traffic from: any (or Internet IPv4)
    Using service: 90 (as in your screenshot)
    Going to: External WAN (Address) (this must be the public interface of the UTM where the traffic arrives).

    Change destination to: VASU DVR_Basement
    And the service: <leave blank if service is also 90>

    Change source to: UTM Internal (Address)
    And the service: <leave blank>

    This way you tell the UTM that traffic arriving on the correct interface on port 90 should be routed to the vasu dvr_basement destination but (important!) change the source to be your own UTM (or any other device inside your UTM network that is also in the RED tunnel's split network).

    Your destination network will then see traffic coming from UTM and send back replies.


    Like I said, I haven't done anything like this, so I'm not sure that it works, but it might just work with a Full NAT rule.



  • Apijnappels is 100% correct.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You were right apijnappels! It worked! Thanks a ton!

    Could you, however, kindly explain why you think the previous configuration wasn't working? Logically what I did made sense. For it to not work was quite weird.


    Thanks!

  • I already tried to explain it but I'll try again:


    Your DNAT rule did indeed translate and route traffic to the correct device behind your RED but the source of this traffic is then still the public IP-address of the host trying to reach your device (so basically an IP-address somewhere on the internet).

    If your device then sends back acknowledgement packets it will send them back to this address on the internet, but because you have split tunneling it will not send them out the same way they came in; instead it will send them out on the internet connection at the RED location.

    Then the original source will get an ACK packet from your RED's internet location, but it never sent anything there and thus will discard that packet.

    Now with the Full NAT rule in place the UTM will not only change the destination to the device behind your NAT, but also change the source address to an address that goes into the split tunnel to your UTM. So your ACK packets will be sent back to the UTM, which has a connection tracker and thus knows that the ACK coming from your device should again be passed on to the original source using the same internet connection on which the traffic was delivered in the first place.

    Make sense now?


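The mechanism apijnappels describes in the Full NAT rule above and in this explanation (with DNAT alone the DVR's reply is routed out of the RED site's own ADSL line, with Full NAT it goes back through the tunnel to the UTM's connection tracker) as an added simulation. This is illustrative code written for this thread, not Sophos code and not anything the participants posted. The DVR address 50.50.50.233, the 50.50.50.0/24 RED network, the ADSL router's WAN address 185.168.41.75 and port 91 come from the thread; the internet client 203.0.113.10, the UTM's external address 198.51.100.1 and the UTM internal network 10.0.0.0/24 (the network carried in the split tunnel) are assumptions.

```python
"""Toy model of the two NAT rules from the thread on a split-tunnel RED.

Added illustration only; it is not Sophos code.  Addresses marked 'assumed'
do not appear in the thread, the others are taken from it.
"""
import ipaddress
from typing import NamedTuple, Optional

CLIENT       = "203.0.113.10"   # assumed: a host somewhere on the internet
UTM_WAN      = "198.51.100.1"   # assumed: the UTM's "External WAN (Address)"
UTM_INTERNAL = "10.0.0.1"       # assumed: the UTM's "Internal (Address)"
UTM_LAN_NET  = "10.0.0.0/24"    # assumed: UTM-side network carried by the split tunnel
DVR          = "50.50.50.233"   # thread: Vasu DVR_Basement
RED_NET      = "50.50.50.0/24"  # thread: Vasu 01, the network behind the RED
ADSL_WAN     = "185.168.41.75"  # thread: the RED site's own internet connection
PORT         = 91               # thread: DVR service port

# Split mode: only these destinations are sent into the tunnel by the RED.
SPLIT_NETWORKS = [ipaddress.ip_network(UTM_LAN_NET)]


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


def red_next_hop(src: str, dst: str) -> str:
    """Forwarding decision of a split-mode RED for a packet leaving RED_NET."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(RED_NET):
        raise ValueError(f"{src} is not behind the RED")
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in SPLIT_NETWORKS):
        return "tunnel"      # towards the UTM
    return "adsl"            # straight out of the RED site's ADSL router


class Utm:
    """The UTM's NAT rule plus the connection tracker that undoes it."""

    def __init__(self, mode: str):
        if mode not in ("dnat", "fullnat"):
            raise ValueError(mode)
        self.mode = mode
        self.conntrack: dict = {}

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Apply the rule to a packet arriving on UTM_WAN:PORT."""
        if (pkt.dst, pkt.dport) != (UTM_WAN, PORT):
            return None
        # DNAT: only the destination changes.  Full NAT: the source is rewritten
        # to the UTM's internal address as well ("Change source to: UTM Internal").
        new_src = UTM_INTERNAL if self.mode == "fullnat" else pkt.src
        out = Pkt(new_src, pkt.sport, DVR, PORT)
        # Remember the translation keyed by the reply we expect to see.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Pkt) -> Optional[Pkt]:
        """Reverse the translation for a reply that came back through the tunnel."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)


def simulate(mode: str) -> dict:
    """Send one SYN from CLIENT and follow the SYN/ACK home; report what happens."""
    utm = Utm(mode)
    syn = Pkt(CLIENT, 40000, UTM_WAN, PORT)
    towards_dvr = utm.inbound(syn)
    # The DVR answers whatever source address it saw on the incoming packet.
    synack = Pkt(DVR, PORT, towards_dvr.src, towards_dvr.sport)
    path = red_next_hop(synack.src, synack.dst)
    if path == "adsl":
        # The RED site's router masquerades it, so the client sees ADSL_WAN:PORT
        # answering a connection it opened to UTM_WAN:PORT and drops the packet.
        seen = Pkt(ADSL_WAN, PORT, synack.dst, synack.dport)
    else:
        seen = utm.reply(synack)
    delivered = seen is not None and (seen.src, seen.sport, seen.dst) == (UTM_WAN, PORT, CLIENT)
    return {"mode": mode, "reply_path": path, "client_sees_from": seen.src, "delivered": delivered}


if __name__ == "__main__":
    for mode in ("dnat", "fullnat"):
        print(simulate(mode))
```

Running it prints one line per mode: with `dnat` the reply path is `adsl`, the client sees the SYN/ACK arrive from 185.168.41.75 and the connection never completes; with `fullnat` the reply path is `tunnel`, the UTM's connection tracker restores the original addresses and the client gets its answer from 198.51.100.1:91 as expected. The model only changes the source address, exactly as the rule in the thread does, so the same code also shows why any other UTM-side address inside the split networks would work as the "Change source to" target.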