Loopback NAT Rule not necessary any more with SonicOS7?
I hope this is the accurate forum for this question.
I have recently created an IPv4 port forwarding across a TZx70 firewall (see details below). When I tried to access the external IP:Port from within the X0 subnet, it immediately worked without the NAT Loopback rule we all know. When I searched for a document about SonicOS7 and NAT Loopback rules, I couldn't find any. So is it true that these rules are not necessary any more?
My rule looks like this:
Ingress: Any
Egress: Any
Original Source: Any
Original Destination: X1 IP
Original Service: my Ports (all of them tcp)
Translated Source: Original
Translated Destination: My Server's Private IP
Service: Original
Answers
@Teleporter Loopback NAT Rules are still needed if the original NAT Rule does not cover everything, like in your case (Ingress/Egress: Any, Orig Source: Any).
But as always, a NAT Rule is not enough; a respective Access Rule is needed as well, like LAN (or Any) -> DMZ with Destination X1 IP.
In your case it sounds like LAN-LAN traffic which is IMHO allowed per default.
Nevertheless it's not a good idea to publish Services from the LAN zone, that's what DMZs are for, IMHO.
--Michael@BWC
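To make Michael's point concrete, here is an added example (not SonicOS code and not from anyone in this thread): a small Python model of an ordered NAT policy table that shows what a loopback rule changes compared with the inbound rule from the question. The model assumes first-match rule evaluation, that a server answering a source on its own subnet replies on-link and so bypasses the firewall, and that a source rewritten to a firewall address brings the reply back through the firewall for un-NAT. Interfaces (Ingress/Egress) and Access Rules are not modelled; all addresses are constructed (RFC 5737 and RFC 1918 ranges).

```python
"""Simplified model of inbound NAT and NAT loopback (hairpin NAT).

Added example for illustration only; it is not SonicOS code. Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

X1_IP = "203.0.113.10"       # constructed public address on X1 (WAN)
X0_IP = "192.168.1.1"        # constructed firewall address on X0 (LAN)
SERVER_IP = "192.168.1.50"   # constructed private server address on X0
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str      # "Any" or a CIDR
    orig_dst: str      # "Any" or an address
    orig_ports: tuple  # TCP ports the rule covers
    trans_src: str     # "Original" or an address (source NAT)
    trans_dst: str     # "Original" or an address (destination NAT)


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    src_ok = rule.orig_src == "Any" or ip_address(pkt.src) in ip_network(rule.orig_src)
    dst_ok = rule.orig_dst == "Any" or pkt.dst == rule.orig_dst
    return src_ok and dst_ok and pkt.dport in rule.orig_ports


def apply_nat(pkt: Packet, rules: list) -> tuple:
    """First matching rule wins (assumed ordered policy table). Returns (packet, rule name)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            new_src = pkt.src if rule.trans_src == "Original" else rule.trans_src
            new_dst = pkt.dst if rule.trans_dst == "Original" else rule.trans_dst
            return Packet(new_src, new_dst, pkt.dport), rule.name
    return pkt, None


def reply_reaches_client(client: Packet, translated: Packet) -> bool:
    """Model the server's reply path (assumption of this example).

    If the server sees a source on its own subnet it answers on-link, bypassing the
    firewall: the client then gets a reply from SERVER_IP instead of the X1 IP it
    connected to, and its TCP stack discards it. If the source was rewritten to a
    firewall address, the reply goes back through the firewall, which reverses the NAT.
    """
    if ip_address(translated.src) in LAN and translated.src != X0_IP:
        reply_src_seen_by_client = SERVER_IP   # direct on-link reply, never un-NATed
    else:
        reply_src_seen_by_client = client.dst  # firewall un-NATs back to the X1 IP
    return reply_src_seen_by_client == client.dst


# The inbound port forward as described in the question (source left as Original).
INBOUND_RULE = NatRule("Inbound port forward", orig_src="Any", orig_dst=X1_IP,
                       orig_ports=(443,), trans_src="Original", trans_dst=SERVER_IP)

# A classic loopback rule: same destination translation, but the LAN source is
# rewritten to the X1 IP so the server's reply has to come back through the firewall.
LOOPBACK_RULE = NatRule("Loopback rule", orig_src=str(LAN), orig_dst=X1_IP,
                        orig_ports=(443,), trans_src=X1_IP, trans_dst=SERVER_IP)


def lan_client_can_connect(rules: list) -> bool:
    client_pkt = Packet(src="192.168.1.20", dst=X1_IP, dport=443)   # constructed LAN host
    translated, _ = apply_nat(client_pkt, rules)
    return translated.dst == SERVER_IP and reply_reaches_client(client_pkt, translated)


def wan_client_can_connect(rules: list) -> bool:
    client_pkt = Packet(src="198.51.100.7", dst=X1_IP, dport=443)   # constructed Internet host
    translated, _ = apply_nat(client_pkt, rules)
    return translated.dst == SERVER_IP and reply_reaches_client(client_pkt, translated)


if __name__ == "__main__":
    print("inbound rule only, LAN client :", lan_client_can_connect([INBOUND_RULE]))
    print("loopback first, LAN client    :", lan_client_can_connect([LOOPBACK_RULE, INBOUND_RULE]))
    print("inbound first, LAN client     :", lan_client_can_connect([INBOUND_RULE, LOOPBACK_RULE]))
    print("loopback first, WAN client    :", wan_client_can_connect([LOOPBACK_RULE, INBOUND_RULE]))
```

Two things the model makes visible: the loopback rule is a source-NAT rule, not just a second copy of the port forward, and because the question's rule has Original Source: Any it also matches LAN clients, so in an ordered table the more specific loopback rule has to sit above it or it never fires.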
Hi @Teleporter, in addition to what Michael has said, in the later versions of firmware Gen6.5 and Gen7 there is an option when creating the incoming NAT policy, "Enable DNS Doctoring", which should negate the need for a Loopback Policy, depending on the SonicWall's DNS settings.
As an advocate for proper DNS implementations I strongly suggest not using DNS Doctoring unless you're really familiar with all the aspects or working in a simpler environment. DNS Doctoring will probably break DNSSEC validation and will not work with DoH, DoQ, DoT or any other 3-letter acronym.
@preston mentioned a valid solution (as always) and you should adjust your Access Rules from X1 IP to Private IP accordingly when tinkering with the DNS response.
I almost forgot about DNS Doctoring, thanks for the reminder. 😉
--Michael@BWC