
Sophos XG 18 and Plex Remote Access

I was wondering if anyone has been able to successfully configure Sophos XG 18.0.1 so that Plex remote access is enabled. Prior to v18, I had created a firewall business application rule based on the various posts in this forum and it worked just fine. Since the upgrade to v18 (and the separation of NAT rules from firewall rules and the automatic migration of same), I have had difficulties enabling remote access. 

The relevant part of my setup is Sophos XG with two WAN connections on Port2 and Port4. Port1 is for the LAN. Plex is installed on a container in a VLAN (which I'll call the Users VLAN).

There is only one firewall rule for the Users VLAN, the settings of which are fairly straightforward, to accept:

  • Source Zone: Users VLAN
  • Source networks and device: Any
  • All the time
  • Destination Zones: WAN
  • Destination Networks: Any
  • Services: Any
  • Web Policy: No ads or explicit content; All other settings under Web filtering are deselected, other than Scan FTP for malware, which is on
  • App control is set to block very high risk (5)
  • IPS: Standard LAN to WAN
  • Traffic Shaping and DSCP are turned off

I've attempted to create a DNAT rule to enable Plex remote access, as follows:

  • Original source: Any
  • Original destination: #Port4
  • Original service: TCP - Source Port 1:65535 - Destination Port: 32335
  • Translated source: Original
  • Translated destination (DNAT): IP address of the Plex server/container
  • Translated service (PAT): TCP - Source Port 1:65535 - Destination Port 32400
  • Inbound interface: Any
  • Outbound interface: Any

On the Plex server, I've set "Manually specify public port" to port 32335.

The settings in Plex show that the connection between my Plex server and the public IP address on port 32335 is fine, but that there is no connection between the latter and the internet.

I suspect the problem has something to do with the DNAT rule above, but for the life of me can't figure it out. I initially had Original destination set to include Port2 and Port4 (both WAN connections) but removed one just to see if that might be the problem. Doing so didn't make a difference. I also tried setting Translated source to MASQ, which also didn't seem to help. Then I tried moving the DNAT rule to the top of the list, which also made no difference.

In the firewall log, I see a number of entries with the following pattern:

  • Log comp: Appliance Access
  • Log subtype: Denied
  • Firewall rule: N/A
  • NAT rule: 0
  • In interface: Port4
  • Out interface: <blank>
  • Src IP: [varies - IP address of Plex clients]
  • Dst IP: Public IP address of Port4
  • Src port: [varies - anything from 16720 to 20637 to 59232]
  • Dst port: 32335
  • Protocol: TCP
  • Rule type: 0
  • Message ID: 02002

I'm a bit perplexed by these entries. I understand that rule 0 is the default drop rule, but as far as I can tell, the DNAT rule I've created above should specifically allow that traffic through, so I don't understand why access is being denied. I've searched for other posts regarding rule 0, but none of them seem to apply (overlapping rules, wrong port, etc.).

I'm at a bit of a loss as to what else to do. Might there be an issue with the settings for the DNAT rule? Is there a need to create a "reflexive" NAT rule as well? Might it have something to do with the firewall rule? Any thoughts or suggestions would be most appreciated.
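One way to triage the log pattern described in the post (denied hits on the published port, firewall rule N/A, NAT rule 0) is to group inbound entries on the WAN interface by the rule ids that were recorded, which separates "no rule matched at all" from "NAT matched, firewall denied" and from accepted traffic. This is an added example, not code from the post or from Sophos; the sample lines are constructed and the key=value field names (log_component, fw_rule_id, nat_rule_id, in_interface, src_ip, dst_port, ...) are an assumed approximation of the SFOS syslog format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines approximating the SFOS key="value" syslog format.
# Field names are assumed, not taken from real logs; addresses are documentation ranges.
SAMPLE_LOG = """\
log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" fw_rule_id=0 nat_rule_id=0 in_interface="Port4" out_interface="" src_ip="198.51.100.23" dst_ip="203.0.113.10" src_port=16720 dst_port=32335 protocol="TCP"
log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" fw_rule_id=0 nat_rule_id=0 in_interface="Port4" out_interface="" src_ip="198.51.100.23" dst_ip="203.0.113.10" src_port=20637 dst_port=32335 protocol="TCP"
log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" fw_rule_id=7 nat_rule_id=3 in_interface="Port4" out_interface="Port1" src_ip="192.0.2.77" dst_ip="203.0.113.10" src_port=59232 dst_port=32335 protocol="TCP"
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id=5 nat_rule_id=3 in_interface="Port4" out_interface="Port1" src_ip="192.0.2.78" dst_ip="203.0.113.10" src_port=44123 dst_port=32335 protocol="TCP"
log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" fw_rule_id=0 nat_rule_id=0 in_interface="Port4" out_interface="" src_ip="198.51.100.99" dst_ip="203.0.113.10" src_port=40001 dst_port=22 protocol="TCP"
"""

# key=value pairs; the value is either "quoted" (may be empty) or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of string values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def classify(entry):
    """Describe how the packet was handled, based on the recorded rule ids."""
    nat = int(entry.get("nat_rule_id", 0))
    fw = int(entry.get("fw_rule_id", 0))
    if entry.get("log_subtype") == "Allowed":
        return "allowed"
    if nat == 0 and fw == 0:
        return "no NAT or firewall rule recorded (ids 0); dropped by default rule 0"
    if nat > 0 and fw == 0:
        return f"NAT rule {nat} matched but no firewall rule accepted it"
    return f"NAT rule {nat} matched; denied by firewall rule {fw}"

def triage(log_text, wan_if, public_port, proto="TCP"):
    """Summarise inbound hits on the published port: outcome -> {src_ip: count}."""
    summary = defaultdict(Counter)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e or e.get("in_interface") != wan_if:
            continue
        if e.get("protocol") != proto or int(e.get("dst_port", -1)) != public_port:
            continue
        summary[classify(e)][e.get("src_ip", "?")] += 1
    return {k: dict(v) for k, v in summary.items()}

if __name__ == "__main__":
    for outcome, sources in triage(SAMPLE_LOG, "Port4", 32335).items():
        print(f"{outcome}: {sources}")
```

Run against a real export, a result where every hit on the published port lands in the "ids 0" bucket tells you the packets reached the WAN interface but neither the DNAT rule nor any firewall rule was recorded as matching them.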
