I was wondering if anyone has been able to successfully configure Sophos XG 18.0.1 so that Plex remote access is enabled. Prior to v18, I had created a firewall business application rule based on the various posts in this forum and it worked just fine. Since the upgrade to v18 (and the separation of NAT rules from firewall rules and the automatic migration of same), I have had difficulties enabling remote access.
The relevant part of my setup is Sophos XG with two WAN connections on Port2 and Port4. Port1 is for the LAN. Plex is installed on a container in a VLAN (which I'll call the Users VLAN).
There is only one firewall rule for the Users VLAN, the settings of which are fairly straightforward, to accept:
I've attempted to create a DNAT rule to enable Plex remote access, as follows:
On the Plex server, I've set "Manually specify public port" to port 32335.
The settings in Plex show that the connection between my Plex server and public IP address on port 32335 is fine, but no connection between the latter and the internet.
I suspect the problem has something to do with the DNAT rule above, but for the life of me can't figure it out. I initially had Original destination set to include Port2 and Port4 (both WAN connections) but removed one just to see if that might be the problem. Doing so didn't make a difference. I also tried setting Translated source to MASQ, which also didn't seem to help. Then I tried moving the DNAT rule to the top of the list, which also made no difference.
In the firewall log, I see a number of entries with the following pattern:
I'm a bit perplexed by these entries. I understand that rule 0 is the default drop rule, but as far as I can tell, the DNAT rule I've created above should specifically allow that traffic through, so I don't understand why access is being denied. I've searched for other posts regarding rule 0, but none of them seem to apply (overlapping rules, wrong port, etc.).
I'm at a bit of a loss at what else to do. Might there be an issue with the settings for the DNAT rule? Is there a need to create a "reflexive" NAT rule as well? Might it have something to do with the firewall rule? Any thoughts or suggestions would be most appreciated.
Managed to figure it out. Just needed to create a firewall rule. Not quite sure if it's as limited as it should be, but meh, it works. Anyhoo, just sharing in case someone else encounters the same issue…
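The behaviour described in this thread (a DNAT rule on its own is not enough; a matching firewall rule is still needed, otherwise the packet falls through to the default drop rule) can be illustrated with a small packet-flow model. This is an added example written for this post, not Sophos code: the rule objects, the zone names, the addresses and the "rule 0 means no rule matched" convention are assumptions made for illustration, and the model assumes that the firewall rule is evaluated against the destination after DNAT has rewritten it.

```python
"""
Simplified model of how an edge firewall combines a DNAT rule with a
firewall rule.  Added example for this thread (not Sophos code).
Assumption: DNAT is applied first, then the firewall rule is matched
against the *translated* destination; rule id 0 means 'no rule matched'.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    in_zone: str      # zone of the interface the packet arrived on
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    rule_id: int
    original_dst: str
    original_port: int
    translated_dst: str
    translated_port: int


@dataclass(frozen=True)
class FirewallRule:
    rule_id: int
    src_zone: str
    dst_zone: str
    dst_ip: str        # "any" or a single host
    dst_port: int      # 0 means any port
    action: str = "accept"


# Constructed addresses for the example.
PUBLIC_IP = "203.0.113.10"   # the firewall's WAN address
PLEX_IP = "10.10.20.5"       # the Plex container in the Users VLAN
ZONE_OF_IP = {PUBLIC_IP: "WAN", PLEX_IP: "USERS_VLAN"}


def apply_dnat(pkt, dnat_rules):
    """Return (possibly rewritten packet, id of the DNAT rule that matched or 0)."""
    for r in dnat_rules:
        if pkt.dst_ip == r.original_dst and pkt.dst_port == r.original_port:
            return replace(pkt, dst_ip=r.translated_dst, dst_port=r.translated_port), r.rule_id
    return pkt, 0


def apply_firewall(pkt, fw_rules):
    """First-match evaluation; anything unmatched hits the default drop (rule 0)."""
    dst_zone = ZONE_OF_IP.get(pkt.dst_ip, "UNKNOWN")
    for r in fw_rules:
        if r.src_zone != pkt.in_zone or r.dst_zone != dst_zone:
            continue
        if r.dst_ip != "any" and r.dst_ip != pkt.dst_ip:
            continue
        if r.dst_port and r.dst_port != pkt.dst_port:
            continue
        return r.action, r.rule_id
    return "drop", 0


def evaluate(pkt, dnat_rules, fw_rules):
    """DNAT first, then the firewall rule sees the translated destination."""
    translated, nat_id = apply_dnat(pkt, dnat_rules)
    action, fw_id = apply_firewall(translated, fw_rules)
    return {"nat_rule": nat_id, "fw_rule": fw_id, "action": action,
            "final_dst": (translated.dst_ip, translated.dst_port)}


# The Plex port forward from the thread: public 32335 -> internal 32400.
PLEX_DNAT = [DnatRule(1, PUBLIC_IP, 32335, PLEX_IP, 32400)]

# Rule sets to compare.
OUTBOUND_ONLY = [FirewallRule(1, "USERS_VLAN", "WAN", "any", 0)]
WITH_INBOUND = OUTBOUND_ONLY + [FirewallRule(2, "WAN", "USERS_VLAN", PLEX_IP, 32400)]
WRONG_PORT = OUTBOUND_ONLY + [FirewallRule(3, "WAN", "USERS_VLAN", PLEX_IP, 32335)]


def remote_client():
    """A constructed Internet client connecting to the public Plex port."""
    return Packet("198.51.100.7", PUBLIC_IP, 32335, "WAN")


def scenario(fw_rules):
    return evaluate(remote_client(), PLEX_DNAT, fw_rules)


if __name__ == "__main__":
    for name, rules in (("DNAT only", OUTBOUND_ONLY),
                        ("DNAT + WAN->VLAN rule on 32400", WITH_INBOUND),
                        ("DNAT + WAN->VLAN rule on pre-NAT port 32335", WRONG_PORT)):
        print(f"{name}: {scenario(rules)}")
```

With only the outbound Users VLAN rule, the DNAT rule matches (nat_rule 1) but no firewall rule matches the translated destination, so the packet is dropped with fw_rule 0, which is the shape of the log entries the question describes. Adding a WAN to Users VLAN accept rule for the Plex host on 32400 lets the connection through; a rule written against the pre-NAT port 32335 does not match in this model, which is the usual mistake to check when an inbound rule exists but traffic still falls to the default drop.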
I suspect you do not need both DNAT and PAT.
Thanks very much Ian. Given that I've manually set the public port on the Plex server to 32335 and the port on the internal Plex server is 32400 according to the Plex documentation, it would be helpful to understand why I would not need port address translation.
Because you are running a NAT doing that function. Ian
Thank you. I'm perhaps not fully understanding your comment. I thought by "PAT" you were referring to the conversion of the port from 32335 to 32400 in the NAT rule above. Given that you've indicated that I am running that already, were you referring to something else?
You are running with a PAT and a NAT in your NAT rule; you don't need both.
I suppose what I find puzzling about this is the fact that the log entries seem to indicate that packets were being blocked by NAT rule 0, not a firewall rule (which showed as "NA").