Sophos XG 18 and Plex Remote Access

I was wondering if anyone has been able to successfully configure Sophos XG 18.0.1 so that Plex remote access is enabled. Prior to v18, I had created a firewall business application rule based on the various posts in this forum and it worked just fine. Since the upgrade to v18 (and the separation of NAT rules from firewall rules and the automatic migration of same), I have had difficulties enabling remote access. 

The relevant part of my setup is Sophos XG with two WAN connections on Port2 and Port4. Port1 is for the LAN. Plex is installed on a container in a VLAN (which I'll call the Users VLAN).

There is only one firewall rule for the Users VLAN, the settings of which are fairly straightforward. It accepts:

  • Source Zone: Users VLAN
  • Source networks and device: Any
  • All the time
  • Destination Zones: WAN
  • Destination Networks: Any
  • Services: Any
  • Web Policy: No ads or explicit content; All other settings under Web filtering are deselected, other than Scan FTP for malware, which is on
  • App control is set to block very high risk (5)
  • IPS: Standard LAN to WAN
  • Traffic Shaping and DSCP are turned off

I've attempted to create a DNAT rule to enable Plex remote access, as follows:

  • Original source: Any
  • Original destination: #Port4
  • Original service: TCP - Source Port 1:65535 - Destination Port: 32335
  • Translated source: Original
  • Translated destination (DNAT): IP address of the Plex server/container
  • Translated service (PAT): TCP - Source Port 1:65535 - Destination Port 32400
  • Inbound interface: Any
  • Outbound interface: Any

On the Plex server, I've set "Manually specify public port" to port 32335.

The settings in Plex show that the connection between my Plex server and public IP address on port 32335 is fine, but no connection between the latter and the internet.

I suspect the problem has something to do with the DNAT rule above, but for the life of me can't figure it out. I initially had Original destination set to include Port2 and Port4 (both WAN connections) but removed one just to see if that might be the problem. Doing so didn't make a difference. I also tried setting Translated source to MASQ, which also didn't seem to help. Then I tried moving the DNAT rule to the top of the list, which also made no difference.

In the firewall log, I see a number of entries with the following pattern:

  • Log comp: Appliance Access
  • Log subtype: Denied
  • Firewall rule: N/A
  • NAT rule: 0
  • In interface: Port4
  • Out interface: <blank>
  • Src IP: [varies - IP address of Plex clients]
  • Dst IP: Public IP address of Port4
  • Src port: [varies - anything from 16720 to 20637 to 59232]
  • Dst port: 32335
  • Protocol: TCP
  • Rule type: 0
  • Message ID: 02002

I'm a bit perplexed by these entries. I understand that rule 0 is the default drop rule, but as far as I can tell, the DNAT rule I've created above should specifically allow that traffic through, so I don't understand why access is being denied. I've searched for other posts regarding rule 0, but none of them seem to apply (overlapping rules, wrong port, etc.).

I'm at a bit of a loss at what else to do. Might there be an issue with the settings for the DNAT rule? Is there a need to create a "reflexive" NAT rule as well? Might it have something to do with the firewall rule? Any thoughts or suggestions would be most appreciated.

  • Hi,

    I suspect you do not need both DNAT and PAT.


    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Thanks very much Ian. Given that I've manually set the public port on the Plex server to 32335 and the port on the internal Plex server is 32400 according to the Plex documentation, it would be helpful to understand why I would not need port address translation. 

  • Because you are running a NAT doing that function.

    Ian

  • Thank you. I'm perhaps not fully understanding your comment. I thought by "PAT" you were referring to the conversion of the port from 32335 to 32400 in the NAT rule above. Given that you've indicated that I am running that already, were you referring to something else?

  • You are running with a PAT and a NAT in your NAT rule; you don't need both.

  • Managed to figure it out. Just needed to create a firewall rule. Not quite sure if it's as limited as it should be, but meh, it works. Anyhoo, just sharing in case someone else encounters the same issue.

    • Source zones: WAN
    • Source networks and devices: Any
    • All the time
    • Destination zones: Users VLAN
    • Destination networks: #Port4
    • Services: TCP - Source Port 1:65535 - Destination Port: 32335

    I suppose what I find puzzling about this is the fact that the log entries seem to indicate that packets were being blocked by NAT rule 0, not a firewall rule (which showed as "N/A").
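The exchange above boils down to one point: in SFOS v18 the DNAT rule only rewrites the destination, and the packet is still dropped with "Firewall rule: N/A" / rule 0 unless a separate firewall rule matches it. The small Python model below is an added illustration, not Sophos code and not anything posted in the thread. It encodes the matching semantics the working rule in the last post implies (the firewall rule is checked against the original, pre-DNAT destination address and port, with the destination zone taken from the translated address) and then evaluates the original poster's inbound Plex packet against the rule set before and after the fix. All addresses, interface names and zone memberships are constructed placeholders, and the exact order in which SFOS evaluates its tables is an assumption of this model, not something the thread documents.

```python
"""Added example: toy model of pairing a v18 DNAT rule with a firewall rule.

Not Sophos code. Shows why the DNAT alone yields a "rule 0" deny and why the
WAN -> Users VLAN rule (original destination #Port4, TCP 32335) fixes it.
Topology, addresses and interface names below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumed, not from the thread).
IFACE_ZONE = {"Port2": "WAN", "Port4": "WAN", "Port1": "LAN", "Port1.20": "Users VLAN"}
INTERFACE_IP = {"#Port2": "198.51.100.10", "#Port4": "203.0.113.10"}  # WAN interface objects
INTERNAL_ZONES = {"LAN": ip_network("192.168.1.0/24"), "Users VLAN": ip_network("10.20.0.0/24")}
PLEX_IP = "10.20.0.50"  # assumed address of the Plex container


@dataclass(frozen=True)
class Packet:
    in_interface: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    rule_id: int
    orig_dst: str         # interface object such as "#Port4"
    proto: str
    orig_port: int
    translated_dst: str
    translated_port: int  # PAT: the destination port is rewritten as well


@dataclass(frozen=True)
class FwRule:
    rule_id: int
    src_zone: str
    dst_zone: str
    dst_networks: str            # "Any" or an interface object
    proto: Optional[str] = None  # None means any service
    dst_port: Optional[int] = None


def dst_zone_of(ip: str) -> str:
    """Zone of a destination address: an internal zone if it belongs to one, else WAN."""
    addr = ip_address(ip)
    for zone, net in INTERNAL_ZONES.items():
        if addr in net:
            return zone
    return "WAN"


def apply_dnat(pkt: Packet, nat_rules):
    """First matching DNAT rule rewrites destination IP and port; returns (rule, post-NAT packet)."""
    for r in nat_rules:
        if (INTERFACE_IP.get(r.orig_dst) == pkt.dst_ip and r.proto == pkt.proto
                and r.orig_port == pkt.dst_port):
            return r, replace(pkt, dst_ip=r.translated_dst, dst_port=r.translated_port)
    return None, pkt


def match_firewall(orig: Packet, post: Packet, fw_rules):
    """Assumed v18 semantics: source zone from the inbound interface, destination zone
    from the translated address, but network and port criteria against the original."""
    src_zone = IFACE_ZONE[orig.in_interface]
    dst_zone = dst_zone_of(post.dst_ip)
    for r in fw_rules:
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        if r.dst_networks != "Any" and INTERFACE_IP.get(r.dst_networks) != orig.dst_ip:
            continue
        if r.proto is not None and r.proto != orig.proto:
            continue
        if r.dst_port is not None and r.dst_port != orig.dst_port:
            continue
        return r
    return None


def evaluate(pkt: Packet, nat_rules, fw_rules) -> dict:
    """Log-like verdict: fw_rule_id 0 when no firewall rule matched, as in the thread's log."""
    nat, post = apply_dnat(pkt, nat_rules)
    fw = match_firewall(pkt, post, fw_rules)
    if fw is None:
        return {"action": "Denied", "fw_rule_id": 0, "dnat_matched": nat is not None}
    return {"action": "Allowed", "fw_rule_id": fw.rule_id, "dnat_matched": nat is not None,
            "delivered_to": f"{post.dst_ip}:{post.dst_port}"}


# The thread's DNAT rule: public TCP 32335 on #Port4 -> Plex container TCP 32400.
PLEX_DNAT = [DnatRule(1, "#Port4", "TCP", 32335, PLEX_IP, 32400)]
# Original post: only the outbound Users VLAN -> WAN rule exists.
RULES_BEFORE = [FwRule(1, "Users VLAN", "WAN", "Any")]
# Final post: the inbound rule that made remote access work.
RULES_AFTER = RULES_BEFORE + [FwRule(2, "WAN", "Users VLAN", "#Port4", "TCP", 32335)]
# Constructed inbound Plex client packet, shaped like the denied log entries.
INBOUND_PLEX = Packet("Port4", "192.0.2.77", INTERFACE_IP["#Port4"], "TCP", 16720, 32335)

if __name__ == "__main__":
    print("before:", evaluate(INBOUND_PLEX, PLEX_DNAT, RULES_BEFORE))
    print("after: ", evaluate(INBOUND_PLEX, PLEX_DNAT, RULES_AFTER))
```

Before the fix the model reports the DNAT as matched but the verdict as Denied with rule 0, which is the pattern in the original poster's log; after the fix the packet is allowed by rule 2 and delivered to the container on 32400. Because rule 2 is written against the original destination and port 32335 only, a probe straight to 32400 on the public address still falls through to rule 0, so the extra rule is not as broad as it might look. The model makes it cheap to try a tighter variant (for example a narrower source network) and confirm the Plex path still matches before touching the appliance.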