

Synology NAS

Greetings,

I guess it's a simple and commonly asked issue, but unfortunately the search function seems to be disabled/malfunctioning right now, despite my trying different keywords.
And some (video) guides that I found show setups on old versions that contain completely different forms / fields.

I have a

  • Fritz!Box [X.X.4.1]
  • Sophos XG (18.0.4)
    • [X.X.4.2] WAN
    • [X.X.5.2] LAN
  • Synology NAS with [X.X.5.123]

Without the Sophos XG I would've set up an easy port-forwarding rule in the Fritz!Box to access the NAS. Now with the firewall in between them, I am utterly lost tbh.
My goal is to access some ports/services from outside, for example my UniFi Network controller, which runs in a docker container on the NAS and is accessible at port 8443 while on LAN.

Is there a step by step solution of what has to be done / forwarded and especially: How?
Please consider that I'm completely new not only to Sophos but to firewalls in general.

Thx in advance for your help.



  • Hi,

    you will need to search for setting up a WAF connection to allow you to achieve what you are aiming for.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XGS118 waiting for licence to arrive - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • In Fritzbox under Internet -> Permit Access configure your XG-firewall as Exposed Host, that way all traffic will be delivered at Sophos (that is step 1 to make sure traffic reaches Sophos' WAN interface).

    Then in XG you can create DNAT rules Protect -> Rules and policies -> Add firewall rule -> Server access assistant DNAT

    From there an assistant will guide you through opening ports to the respective internal devices.

    You should first create your "services" under System -> Hosts & Services -> Services (otherwise they won't be available from the assistant in step 3).

    I think you should be able to get it going with this. If not, then ask again explaining where you need help.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you. It works like a charm!

    I've got one follow-up question: Is it correct to set the source ports to 1:65535 for each of the different services?

    I've tried it with a single one at first:

    But this was not working at all. As I saw in the log that different ports were being used and could not be "associated to any connection", I increased the range to all ports.

    Is that supposed to be set like that or should I edit it to decrease threats?

    btw: I also tried it with other ports like 5000 for the Synology web interface. Got the same outcome and removed it again, so it's not reachable that way anymore.

    Thanks again.

  • That is correct: the initiating side always uses a random port; only the destination port is the port you need to specify. Source should almost always be 1:65535.

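To illustrate the point made in the last reply (clients pick a random source port, so a DNAT rule restricted to a single source port never matches), here is a small simulation of rule matching. This is added example code, not Sophos XG configuration or anything posted in the thread; the rule class, the port range constants and the internal-host placeholder are assumptions for the illustration.

```python
"""Model of DNAT rule matching against inbound connections with random
ephemeral source ports. Constructed example, not Sophos XG code."""
from dataclasses import dataclass
import random

ANY_PORTS = (1, 65535)     # the 1:65535 source range discussed in the thread
SERVICE_PORT = 8443        # destination port of the UniFi controller from the post


@dataclass(frozen=True)
class DnatRule:
    dst_port: int               # service port the firewall listens for on WAN
    src_ports: tuple            # (low, high): client source ports the rule accepts
    translate_to: str           # internal host behind the firewall (placeholder)

    def matches(self, src_port: int, dst_port: int) -> bool:
        """A packet is translated only if both destination and source port fit."""
        low, high = self.src_ports
        return dst_port == self.dst_port and low <= src_port <= high


def ephemeral_port(rng: random.Random) -> int:
    """Clients choose a random high port per connection (IANA dynamic range)."""
    return rng.randint(49152, 65535)


def simulate(rule: DnatRule, connections: int = 20, seed: int = 1) -> dict:
    """Count how many inbound attempts to SERVICE_PORT the rule would translate."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(connections)
        if rule.matches(ephemeral_port(rng), SERVICE_PORT)
    )
    return {"matched": hits, "dropped": connections - hits}


# Source port pinned to the service port: mirrors the first attempt in the thread.
narrow_rule = DnatRule(SERVICE_PORT, (SERVICE_PORT, SERVICE_PORT), "nas-placeholder")
# Source port 1:65535, destination fixed: the working configuration.
open_rule = DnatRule(SERVICE_PORT, ANY_PORTS, "nas-placeholder")

if __name__ == "__main__":
    print("single source port:", simulate(narrow_rule))   # everything dropped
    print("source 1:65535:    ", simulate(open_rule))     # everything matched
```

The destination port is the only thing that identifies the service; widening the source range does not expose anything beyond what the destination port already does.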