Thread Info
  • State Suggested Answer
  • Replies 20 replies
  • Answers 2 answers
  • Subscribers 14 subscribers
  • Views 2315 views
  • Users 0 members are here
Options
Suggested

Issues while creating a hairpin NAT

rfcat_vk
27 days ago

Hi folks,

another post on my issues about creating a firewall hairpin nat rule.

I have an NTP server on my network and I want devices to use it as a reference time source. I know the device works when I change network devices to query it for time, they update correctly.

When I built my own firewall rule using a linked NAT rule there was lots of queries to the rule but nothing was returned.

So, I have decided to use the XG build a server access rule.

I think one of the questions in the create wizard is wrong

It asks for the external source networks and devices, but never asks for the internal networks. You can add your internal networks which I did.

Next issue is the reflexive rule automatically created does not use the required service as entered in previous pages, just uses ANY which allows all traffic to bypass the specific NAT and linked NAT rules. Again you can change it to the required service.

Next issue is the created firewall rule appears to be wrong.

Destination zone is LAN but the destination network is the external interface which is a WAN zone.

The result is the rule does not work.

I have tried creating a FQDN for the external internal access to the NTP, but there is nowhere to add it to the rule along with a number of other issues of trying to add another external url for the same address, the XG does not like it.

Please advise what is required to make the hairpin NAT work. I have read the KBA and followed that document and ended up with the above issues.

Ian

.



corrected an incorrect edit.
[edited by: rfcat_vk at 9:46 PM (GMT -8) on 8 Feb 2021]
Parents
  • 0 26 days ago

    Sitting with the exact same issue the last 3 hours, please advise Sophos, my customer has a webserver that sits on the DMZ and creates connections to itself via the WAN IP.

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer v9.7
    Sophos  XG  Certified Architect v18.0
    Homelab: 2 x SG210 XG v18 (HA A/P) - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • 0 26 days ago in reply to twister5800

    Another issue is, the internet can access my NTP server via the reflexive rule which is not the aim of the hairpin rule. I have disabled the reflexive rule. My internal device do not appear to be able to access the NTP server via the firewall rule.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55c -20w. 
    2 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
Reply
  • 0 26 days ago in reply to twister5800

    Another issue is, the internet can access my NTP server via the reflexive rule which is not the aim of the hairpin rule. I have disabled the reflexive rule. My internal device do not appear to be able to access the NTP server via the firewall rule.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55c -20w. 
    2 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
Children
No Data
Unfiltered HTML