I have a simple business rule that forwards traffic from a wan ip to an internal one, with several ports being forwarded. This is to enable a softphone on my mobile to connect to our internal phone system. I am currently testing alllowing only certain IPs on the wan to try to connect.
When the rule has the tcp ports required live, traffic gets rejected using Rule 0.
If I set the port forward wide open (any service) it all works fine and only shows the ports that I wanted to be forwarded.
This image is when only the specific ports are being forwarded.
This is when all ports being forwarded.
This is the rule. Only difference between the two when working is that ANY is in place of the two service items. It is at the very top of the firewall list at this time.
I am really at a loss why Rule0 seems to be interfering for this rule when all the ports should be OK.
Anyone have any ideas?
The "TCP" src_port is different on each of your screen shots, you may need to add you service items like in the format below.
Just a guess, as you've not shown how they're set up.
Here is how the services are setup (one for the TCPs, and one for the UDP range) and what ports etc are needed according to Mitel. The rule in the firewall is reflexive so should also return traffic.
Sophos XG Certified Administrator
Just to be sure, we are not talking about invalid traffic drops?
I honestly don't know. I had a look through at the contrack timeout article over the weekend, but not sure how it would apply, as thats to do with timeouts, whereas my issue doesnt have anything to do with time, I think.
I am just confused about it. All the other rules I have created for other services work as I expect them too.
Do you have a tcpdump of the connection?
Maybe the handshake works fine?
Please try to disable the masq in your DNAT rule.
You have to change all of the source ports to 1:65535 for this to work.
This is what we have had to do.
Discussed it finally with Mitel yesterday morning, and this is what they recommended.
This is what made it work.
Thanks for everyones input.