
NAT - Static route

Simple question on Sophos XG Home: how do you switch off NAT and enable static routes?

I have tried within the firewall rule and the primary gateway. I've looked through the forum but none of the threads seem to answer the question.



  • Hi Mike,

    Static routes are enabled by default when you create one under Configure > Routing > Static Routing.

    There's no global way of disabling NAT services. You would just turn off any Business Application NAT rules that you have created under Protect > Firewall. 

    For SNATs you've created, it would be under your Firewall Rule > NAT & Routing.

    Cheers,
    Karlos

  • Karlos,

    I have no Business Application firewall rules enabled. There is one LAN to WAN firewall rule with NAT Masquerade enabled; the moment I switch it to None, it doesn't work, despite me having put a static route 0.0.0.0 to the default gateway on LAN port 2.

  • Hi Mike,

    What is your end goal? You would like all traffic to be sent out a specific gateway? 

    Masquerading is necessary to allow your LAN traffic to go out to the Internet because it needs a public IP to route out to the Internet. Disabling it will stop all LAN to WAN traffic.

    If you are just trying to specify a specific gateway, leave your Rewrite source address (Masquerading) checkbox enabled and specify the gateway you'd like to use under Primary Gateway.

    Best,
    Karlos

  • Karlos said:

    Hi Mike,

    What is your end goal? You would like all traffic to be sent out a specific gateway? 

    Masquerading is necessary to allow your LAN traffic to go out to the Internet because it needs a public IP to route out to the Internet. Disabling it will stop all LAN to WAN traffic.

    If you are just trying to specify a specific gateway, leave your Rewrite source address (Masquerading) checkbox enabled and specify the gateway you'd like to use under Primary Gateway.

    Best,
    Karlos


    Karlos,

    At the moment I double NAT (my ISP will not put their device into bridge mode, so it does the NAT). I want all traffic (at the moment 172.16 etc.) to go to the default ISP gateway 192.168.0.254 and out onto the Internet. From what I have read, double NAT is not good.

  • Double NATing is not recommended. Especially if you have internal servers you need access to from the outside.

    On the XG side, the only configuration you need to setup is Masquerading your LAN to your WAN interface. It is your ISP router's responsibility to NAT traffic out to the Internet from there. 

    Best,
    Karlos

  • Karlos,


    Thanks for your help. Looking at the live connections I can see that between the ISP router and the Sophos I am double NATed. I would like to establish the steps I need to stop NAT on the Sophos and only have this happening on the ISP router. I had assumed this was "None" under the firewall rule plus a static route 0.0.0.0 to the ISP default gateway 192.168.0.254; I tried this and it did not work.

  • Mike,

    did you try creating a LAN to WAN firewall rule and unchecking "Rewrite source address" under the Advanced section?

  • Luk

    Yes, I tried that with the primary gateway set as the DG.

  • Mike,

    check the traffic using tcpdump to understand what the XG is doing with the output packets. Maybe it translates the packets even if NAT is disabled on that rule.

    One question: are the XG and the router on the same network mask? Please upload a network diagram. It will help.

    Thanks

  • lferrara said:

    Mike,

    check the traffic using tcpdump to understand what the XG is doing with the output packets. Maybe it translates the packets even if NAT is disabled on that rule.

    One question: are the XG and the router on the same network mask? Please upload a network diagram. It will help.

    Thanks


    lferrara,

    I will check the tcpdump over the next few days. See the attached network diagram.

    Genexis Fibre 192.168.0.x - Sophos 192.168.1.x - Unifi USG (currently, but I can take this out as per the diagram) 192.168.2.x/3.x/4.x etc. on VLANs


  • Thanks Mike for the network diagram.

    If the "no NAT" setting in the firewall rule does not work, I guess you cannot achieve it using the XG. The only way, I guess, is to enable NAT on the rules and let the XG translate the internal IPs to its WAN IP.

    It is strange that it does not allow you to do it.

    What is wrong with double natting? I have the same at home where I have another NAT device.

    Sophos should explain why the NO NAT on firewall rules does not work if the destination zone is WAN. I have other VLAN rules where NAT is not needed and it works.

    Let's see if someone from Sophos can clarify it.

  • Hi Mike &  

    To clarify, double NATing is absolutely possible. We only recommend against it as it can pose problems when DNATing into internal servers and with VPN connections. 

    With that said, you'd prefer not to double NAT and just pass traffic from your LAN to WAN? You can do this transparently by converting your XG to Bridged Mode. For more information about that see our KB article: Sophos XG Firewall: How to deploy in bridge mode

    It seems you are trying to achieve this but keep your XG in Gateway mode. I have not personally tested that setup of disabling MASQ on your LAN->WAN rule and just setting up the Primary Gateway as your WAN interface. A static default route should not be necessary when your Primary Gateway is specified. Perhaps disable that also, along with disabling MASQ and see if there is a difference. With those disabled, if it's still not working, run a packet capture as you send outbound Internet traffic from a LAN endpoint and post so I can understand better.

    Thanks!

    Best,

    Karlos
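
Both lferrara and Karlos above suggest running tcpdump on the XG and reading the capture to see whether the LAN addresses are still being rewritten. The script below is an added example, not code from the thread or from Sophos: it parses lines in the format `tcpdump -n` prints and reports, per packet, whether the source was masqueraded to the firewall's WAN-side address, left as the original LAN address, or is a reply coming back in. The WAN-side address 192.168.0.10 and the sample capture lines are constructed for this example to match the diagram in the thread (ISP router on 192.168.0.x, Sophos LAN on 192.168.1.x, 172.16.x.x behind it); the thread does not state the XG's real WAN IP.

```python
"""Classify tcpdump output to tell whether a firewall is masquerading.

Added example (not from the Sophos thread). Feed it the lines printed by
`tcpdump -n` on the XG's WAN-side interface; it says whether outbound
packets carry the firewall's WAN address (masquerade on), the original
LAN address (masquerade off), and whether any replies are seen at all.
"""
import ipaddress
import re

# Assumed for this example: the XG's address on the ISP router's network.
XG_WAN_IP = ipaddress.ip_address("192.168.0.10")

# Networks behind the XG, taken from the diagram posted in the thread.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Address part of a typical "tcpdump -n" TCP/UDP line, e.g.
# "12:00:01.000001 IP 192.168.1.50.51234 > 93.184.216.34.443: Flags [S] ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def classify(line):
    """Return 'masqueraded', 'untranslated', 'return', 'other', or None."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not a line we understand (ARP, ICMP, truncated, ...)
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src == XG_WAN_IP:
        return "masqueraded"        # source rewritten: SNAT/MASQ is active
    if any(src in net for net in INTERNAL_NETS):
        return "untranslated"       # LAN address left intact: no NAT on XG
    if dst == XG_WAN_IP or any(dst in net for net in INTERNAL_NETS):
        return "return"             # reply coming back from upstream
    return "other"


def summarize(lines):
    """Count packets per class over a whole capture."""
    counts = {"masqueraded": 0, "untranslated": 0, "return": 0, "other": 0}
    for line in lines:
        c = classify(line)
        if c is not None:
            counts[c] += 1
    return counts


def diagnose(counts):
    """Turn the counts into a short verdict string."""
    if counts["masqueraded"]:
        return "nat-on"
    if counts["untranslated"] and counts["return"] == 0:
        # LAN addresses leave untranslated but nothing ever comes back:
        # the upstream router has no route back to the internal network.
        return "nat-off-no-replies"
    if counts["untranslated"]:
        return "nat-off-ok"
    return "no-outbound"


# Constructed sample captures (not real traffic from the thread).
SAMPLE_NAT = [
    "12:00:01.000001 IP 192.168.0.10.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.010000 IP 93.184.216.34.443 > 192.168.0.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0",
]
SAMPLE_NONAT = [
    "12:00:05.000001 IP 192.168.1.50.51235 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:06.000001 IP 192.168.1.50.51235 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    for name, sample in (("masquerade on", SAMPLE_NAT), ("masquerade off", SAMPLE_NONAT)):
        counts = summarize(sample)
        print(f"{name}: {counts} -> {diagnose(counts)}")
```

The verdict that matters for this thread is `nat-off-no-replies`: the XG is honouring the "no NAT" rule (packets leave with the 192.168.1.x source), but with no replies in the capture the problem has moved upstream, since the ISP router then needs a route for the internal networks pointing at the XG's WAN address. A real capture can be pasted in place of the constructed samples; only lines matching the `tcpdump -n` address format are counted.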