
Loopback NAT Rule not necessary any more with SonicOS7?

Teleporter Newbie ✭
edited June 2023 in Entry Level Firewalls

I hope this is the accurate forum for this question.

I have recently created an IPv4 port forwarding across a TZx70 firewall (see details below). When I tried to access the external IP:Port from within the X0 subnet it immediately worked without the NAT Loopback rule we all know. When I searched for a document about SonicOS7 and NAT Loopback rules, I couldn't find any. So is it true that these rules are not necessary any more?


My rule looks like this:

Ingress: Any
Egress: Any
Original Source: Any
Original Destination: X1 IP
Original Service: my Ports (all of them tcp)
Translated Source: Original
Translated Destination: My Server's Private IP
Service: Original

Category: Entry Level Firewalls

Answers

  • preston All-Knowing Sage ✭✭✭✭
    Hi @Teleporter , in addition to what Michael has said, in the later versions of firmware Gen6.5 and Gen7 there is an option when creating the incoming NAT policy "Enable DNS Doctoring" which should negate the need for a Loopback Policy, depending on the SonicWall's DNS settings.
  • BWC Cybersecurity Overlord ✭✭✭
    edited June 2023

    As an advocate for proper DNS implementations I strongly suggest not using DNS Doctoring unless you're really familiar with all the aspects or working in a simpler environment. DNS Doctoring will probably break DNSSEC validation, will not work with DoH, DoQ, DoT or any other 3 letter acronym.

    @preston mentioned a valid solution (as always) and you should adjust your Access Rules from X1 IP to Private IP accordingly when tinkering with the DNS response.

    I almost forgot about DNS Doctoring, thanks for the reminder. 😉

    Update:
    It will also cause trouble if you publish multiple services on the same public IP to different private IPs, like HTTP/S to SMA and SMTP to ESA. The DNS response would cover only one of these internal IPs.

    --Michael@BWC
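The two mechanisms discussed in this thread, the loopback (hairpin) NAT rule behind the original question and the DNS Doctoring limitation in BWC's update, are easy to confuse because both let an X0 client reach a published service by its public name. The following is an added example, not SonicWall code and not an accurate model of SonicOS internals: it is a generic packet-flow model written for this page, using constructed addresses (`203.0.113.10` as the X1 IP, `192.168.1.0/24` as the X0 subnet). The reasoning it encodes is the textbook hairpin-NAT problem, which is an assumption about why the classic loopback rule exists rather than something the thread states: without source translation the server replies straight to the LAN client, bypassing the firewall, so the client sees a reply from the private IP instead of the public IP it connected to. The second part models what DNS Doctoring can and cannot do when one public IP forwards to several private hosts.

```python
"""Generic hairpin-NAT vs. DNS Doctoring model (added example, not SonicOS code).

All addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, List, Dict, Set

PUBLIC_IP = "203.0.113.10"   # X1 (WAN) IP of the firewall, constructed
LAN_GW_IP = "192.168.1.1"    # X0 (LAN) IP of the firewall, constructed
SERVER_IP = "192.168.1.50"   # the published server's private IP, constructed
CLIENT_IP = "192.168.1.20"   # an X0 client, constructed
WAN_CLIENT = "198.51.100.7"  # an Internet client, constructed


def is_lan(ip: str) -> bool:
    """Crude membership test for the constructed X0 subnet 192.168.1.0/24."""
    return ip.startswith("192.168.1.")


def zone_of(ip: str) -> str:
    return "X0 Subnet" if is_lan(ip) else "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatPolicy:
    """One NAT policy, using the field names from the original post."""
    orig_src: str            # "Any" or a zone/subnet name
    orig_dst: str
    services: frozenset      # destination ports covered
    xlat_src: Optional[str]  # None means "Original" (no source translation)
    xlat_dst: str


def apply_nat(pkt: Packet, policies: List[NatPolicy]) -> Packet:
    """First matching policy wins, as in an ordered policy table."""
    for p in policies:
        src_ok = p.orig_src == "Any" or p.orig_src == zone_of(pkt.src)
        if src_ok and p.orig_dst == pkt.dst and pkt.dport in p.services:
            return Packet(p.xlat_src or pkt.src, p.xlat_dst, pkt.dport)
    return pkt


def connection_works(client_ip: str, policies: List[NatPolicy], port: int = 443) -> bool:
    """True when the client can complete a handshake to PUBLIC_IP:port.

    Model assumption: the server replies to whatever source address it sees.
    A reply addressed to the firewall itself, or to an off-LAN address, passes
    back through the firewall, which reverses the translation so the client
    sees a reply from PUBLIC_IP. A reply addressed directly to a LAN client
    skips the firewall; the client expected PUBLIC_IP and drops it.
    """
    syn = Packet(client_ip, PUBLIC_IP, port)
    at_server = apply_nat(syn, policies)
    if at_server.dst != SERVER_IP:
        return False  # no port forward matched at all
    reply_to = at_server.src
    return reply_to == LAN_GW_IP or not is_lan(reply_to)


def doctored_answer(answer_ip: str, client_ip: str,
                    forwards: Dict[str, Set[str]]) -> Optional[str]:
    """Rewrite a public A-record answer for internal clients.

    `forwards` maps a public IP to the set of private IPs it is forwarded to.
    Returns the rewritten address, or None when the rewrite is ambiguous
    (one public IP publishing services on several private hosts, as in
    BWC's HTTP/S-to-SMA plus SMTP-to-ESA case): a single A record can name
    only one host, regardless of port.
    """
    if not is_lan(client_ip):
        return answer_ip
    targets = forwards.get(answer_ip, set())
    if len(targets) != 1:
        return None
    return next(iter(targets))


# The original poster's inbound rule (Any -> X1 IP, ports -> private IP, source kept).
PORT_FORWARD = NatPolicy("Any", PUBLIC_IP, frozenset({443, 25}), None, SERVER_IP)
# The classic loopback rule: same match but only for X0 sources, and the
# source is translated to the firewall's LAN address so replies return via it.
LOOPBACK = NatPolicy("X0 Subnet", PUBLIC_IP, frozenset({443, 25}), LAN_GW_IP, SERVER_IP)

if __name__ == "__main__":
    print("WAN client, forward only :", connection_works(WAN_CLIENT, [PORT_FORWARD]))
    print("LAN client, forward only :", connection_works(CLIENT_IP, [PORT_FORWARD]))
    print("LAN client, with loopback:", connection_works(CLIENT_IP, [LOOPBACK, PORT_FORWARD]))
    print("Doctoring, one host      :", doctored_answer(PUBLIC_IP, CLIENT_IP, {PUBLIC_IP: {SERVER_IP}}))
    print("Doctoring, two hosts     :", doctored_answer(PUBLIC_IP, CLIENT_IP, {PUBLIC_IP: {SERVER_IP, "192.168.1.60"}}))
```

Policy order matters in the model exactly as it does in a real ordered NAT table: the loopback policy has to sit above the general port forward, otherwise the `Any` source match consumes the packet first and no source translation happens. Whether a given SonicOS release still needs the explicit loopback policy is the thread's open question and is not something this model decides.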
