This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Subnet not NATED

I have got the following topology:

PC <----> ROUTER <----> MPLS CIRCUIT <-----> XG FIREWALL <----> INTERNET

I have connect my PC to the Internet. I have put a NAT rule in the router. The firewall also has a NAT rule. Then, it works fine.

But when I deleted the NAT rule in the router then I have lost theconnectivity to the Internet. I couldnt reach the internet gateway IP. I could reach the WAN interface of the Sophos firewall.

I have to avoid NAT in the router because I need to keep the IP in order to apply web filtering only to that IP address behind of the router.

This thread was automatically locked due to age.

Parents

0 dirkkotte over 3 years ago

Can you show us the NAT-Rule from firewall? Check firewall-live-log and compare to your NAT-Rule. I think there is a mismatch.

Why you don't use "masquerading"?
Cancel
Vote Up 0 Vote Down

Cancel
0 Richard Guerrero over 3 years ago in reply to dirkkotte

Hello Dirk,

I am using masquerade (MASQ) in the Firewall (Sophos) , however I can't reach the ISP router interface from PC (behind the router Mikrotik in the remote location into my LAN). When I do both: SCRNAT in the router (remote location into my LAN) and also MASQ in the Firewall, then I can reach the Internet from PC and also from mikrotik router.

When I deleted the SRCNAT in the mikrotik router then I only could reach internet from mikrotik but not from PC. However, I am keeping the masquerade in the Firewall.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Richard Guerrero over 3 years ago in reply to dirkkotte

Hello Dirk,

I am using masquerade (MASQ) in the Firewall (Sophos) , however I can't reach the ISP router interface from PC (behind the router Mikrotik in the remote location into my LAN). When I do both: SCRNAT in the router (remote location into my LAN) and also MASQ in the Firewall, then I can reach the Internet from PC and also from mikrotik router.

When I deleted the SRCNAT in the mikrotik router then I only could reach internet from mikrotik but not from PC. However, I am keeping the masquerade in the Firewall.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 dirkkotte over 3 years ago in reply to Richard Guerrero

Would be great to see the masq-rule ... do you use "interface-network" within this definition?

So only the subnet behind the interface would be masqueraded.
Cancel
Vote Up 0 Vote Down

Cancel
0 Richard Guerrero over 3 years ago in reply to dirkkotte

I have applied these instructions: https://www.youtube.com/watch?v=HwrZ4HZD8xQ

But it doesnt work well.
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 3 years ago in reply to Richard Guerrero

This video is for an old version.

Currently, firewall rules and NAT/Masquerading rules are handled separate.

But there may be configuration errors. If you don't show us Firewall-Rule and NAT rule (and possible logging entires) .. i can't help...
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Richard Guerrero

¡Hola! Richard and welcome to the UTM Community!

Yes, UTM. I'll move this thread to the XG Community where you're more likely to get answers.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Richard Guerrero over 3 years ago in reply to dirkkotte
Cancel
Vote Up 0 Vote Down

Cancel
0 Richard Guerrero over 3 years ago in reply to BAlfson

Hello Bob, thansk a lot.

I suspect that Firewall is not masking the remote network behind the router (LAN), because I could do ping to the Internet gateway (ISP interface in front of the Sophos firewall) however I could not do ping to the WAN interface of the firewall.
Cancel
Vote Up 0 Vote Down

Cancel