
Sophos XG DNS request route (internal dns forward)

Hello together,

we have a problem with the DNS request route configuration. We have multiple remote sites and a datacenter. The datacenter has an AD/DC with DNS function. The clients in the remote sites send their DNS requests to the Sophos XG 85/105/115 firewall. The firewall has a VPN connection to the datacenter and should send the requests for the datacenter domain to the datacenter Sophos XG firewall.

We have added the following entry under Network -> DNS:

      Name: xxx.local
      Target: xx.xx.xx.xx (AD/DC IP)

This forward is not working. Do you have an idea what the problem is?

  • DanSand,

    without a proper static route, all traffic by default will be forwarded to the WAN interface on the local XG.
    So you need to create a static route. Have a look at the command you find on page 36. Here is the CLI Guide: docs.sophos.com/.../Sophos Firewall OS CLI Guide.pdf

    Let us know.

    Luk
  • Please see my response in the thread; it is a similar answer.

    community.sophos.com/.../74246

    In that example 10.20.13.45 will be your AD/DC
  • Hello lferrara,

    Why do we need to create a static route? Regarding the VPN connection, the data center is still reachable and known, isn't it?
    With a static DNS entry in the XG firewall, the request is forwarded to that server.
  • Hello Kranthi,

    with these commands it works fine.

    We have another problem with this configuration. We use two VPN connections to the datacenter with the failover function.
    I think we have a problem with a static route to one VPN. What about the second VPN?
  • Hello DanSand,

    Luk is right and I will try to explain why.

    The current version of XG Firewall does not have a correctly implemented DNS Request Route feature (compared to UTM v9). All DNS requests are forwarded to the DNS servers on the Internet regardless of the setting for the DNS Request Route. And the second very important feature implemented in XG Firewall is an internal NAT for IPsec site-to-site VPN tunnels. These are the two reasons why Kranthi advised you to use those two commands in the device console.

    We can only hope that these bugs in the current version will be corrected in version v2.

    I hope that Kranthi agrees with me?

    alda


    P.S.

    Please see the next link from the Copernicus Partner Preview, where I dealt with them:

    community.sophos.com/.../57844
  • To my knowledge it should only route through the active tunnel route. I have not tested this kind of setup with a failover, but the XG should only consider the active tunnel route. As option 1, you can define both your WAN interfaces inside the tunnel networks, but we need to make sure your DNS server responds to the queries from the remote office WAN IP addresses. Even if it does not, there is a workaround: you can create a VPN-to-LAN rule in your DC firewall with the source being the remote WAN IPs of your offices and the destination being your DNS server, and SNAT all the WAN IP addresses to the LAN IP of the DC XG.
  • Thanks, it works with one route to each vpn-tunnel.
  • On XG with SFOS 17.0.6 MR-6, would snatip from the command line, similar to what is described in "Sophos XG Firewall: How to allow branch office users to authenticate with the head office Active Directory Server", be required when using DNS request routing to send DNS lookups for a domain to an internal DNS server located across a RED interface link at another location? There doesn't seem to be a RED equivalent of the ipsec_route command.

    Update - answering my own question: yes, the snatip command in combination with any normal static routes to get traffic where it needs to go was required to make DNS request routing to an internal DNS server at another location work across RED interfaces. Examples, where the first IP is the target DNS server and the last IP is the LAN interface of the local XG at the location where the DNS request routing is configured:

    console> set advanced-firewall sys-traffic-nat add destination 10.20.0.1 snatip 192.168.202.1
    console> set advanced-firewall sys-traffic-nat add destination 10.20.0.2 snatip 192.168.202.1
    console> set advanced-firewall sys-traffic-nat add destination 10.20.0.3 snatip 192.168.202.1
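Once the static routes and the sys-traffic-nat entries are in place, the thing worth checking is whether a query for the internal domain sent to the local XG actually comes back answered by the AD/DC, and whether the same query sent directly to the AD/DC across the tunnel is answered at all (a timeout there points at routing or the NAT source, not at the request route). The following script is an added example for this thread, not Sophos code or anything posted above: it builds a raw DNS A query, sends it to a chosen resolver and decodes the reply, so the result of each leg can be compared. The resolver addresses in the usage comments and the response bytes in the self-test are constructed placeholders.

```python
"""Send a raw DNS A query to a chosen resolver and decode the answer.

Added example for checking a DNS request route end to end; not Sophos code.
Resolver addresses and the sample response are constructed placeholders.
"""
import socket
import struct
from typing import Tuple


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired DNS A/IN query for `name` (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset = pointer
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes, txid: int = 0x1234) -> dict:
    """Return rcode, the AA flag and all A-record addresses from a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F,
            "authoritative": bool(flags & 0x0400),
            "addresses": addresses}


def resolve_via(resolver_ip: str, name: str, timeout: float = 3.0) -> dict:
    """Send the query to `resolver_ip` over UDP/53 and decode the reply.

    A socket.timeout here means the query or its reply never made it, which
    for a forwarded internal zone usually points at the route or the NAT
    source rather than at the DNS request route entry itself.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data)


# Constructed sample reply (placeholder data): an authoritative answer for
# host.xxx.local with A record 10.20.0.50, so the parser can be exercised offline.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)      # QR, AA, RD, RA set
    + b"\x04host\x03xxx\x05local\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4)      # name ptr, A, IN, TTL, RDLENGTH
    + socket.inet_aton("10.20.0.50")
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Live checks (placeholder addresses): first via the local XG, then directly
    # at the AD/DC across the tunnel.
    # print(resolve_via("192.168.202.1", "host.xxx.local"))
    # print(resolve_via("10.20.0.1", "host.xxx.local"))
```

Run the two live queries from a client at the remote site: an answer from the XG that matches the one from the AD/DC shows the request route and the return path are both working; a timeout on the direct query but an answer from the XG means the XG itself (after snatip) can reach the server while the client subnet cannot.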