Adding a public IP subnet

I have recently got myself a /29 subnet of public IPs from our ISP for hosting some extra services on-premises. I am wondering what the recommended way for setting these up through an XG would be?

My initial thought was to expose the public subnet on the DMZ, similar to this thread. However, I feel like using a bridge isn't really making the full use of the firewall to protect the servers on these public IP addresses.

Is there any way to expose services to the extra public addresses in a way similar to the WAN address in an 'ordinary' setup through application rules? (Perhaps taking advantage of alias interfaces?)

Thanks



  • Joshua,

    You can bridge WAN and DMZ, but as I wrote in the other thread, you should keep WAN and DMZ separated.

    Are the /29 IP addresses in the same subnet as WAN?

  • They are on a different subnet from the WAN.

    And like I mentioned, I'd rather be able to leverage the firewall rules to help secure the servers on this subnet's IPs as well.

  • Joshua,

    have a look at this article:

    http://www.isaserver.org/articles-tutorials/articles/2004pubdmzservers.html

    Talk with your ISP in order to get the DMZ working, and let us know.

    Thanks.

  • Thanks Luk,

    OK, so if I'm understanding where that article is going correctly, here is what I have set up currently:

    Port 2 is connected to my WAN with my WAN IP, e.g. 1.2.3.4

    Port 3 is assigned the first usable IP from my public subnet, e.g. 1.2.4.1/29

    I have a simple policy allowing all traffic from DMZ to WAN. My server on 1.2.4.2 has internet connectivity, so outgoing traffic is fine.

    Now, incoming is where it's getting tricky.

    I have set up an application rule (non-http) to allow web access:

    • source host: any
    • source zone: any
    • hosted address: (1.2.4.2) <-- ???
    • protected zone: dmz
    • protected server: (1.2.4.2)
    • forward tcp port 80 -> 80

    I have tried a network rule:

    • source zone: any
    • source network: any
    • source service: http
    • destination zone: dmz
    • destination network: (1.2.4.2)

    In both cases, requests from my private LAN reach the server just fine and the page loads. However, requests from the public that come in on the WAN do not reach it.

    I am reasonably sure the traffic is being directed to the right place. A traceroute to the server's public IP reaches my firewall's WAN address, just no further.

    Thoughts?
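    As an added illustration (not code from the thread or from Sophos), here is a small model of the topology described above: WAN 1.2.3.4 on Port 2 and the public /29 directly connected on Port 3 in the DMZ. It shows that a flow to the server 1.2.4.2 is plain WAN-to-DMZ forwarding with no DNAT involved, unlike a service published on the firewall's own WAN address, and that the block can only arrive if the ISP routes it to the WAN IP. The LAN range and the ISP next-hop values are assumptions.

```python
"""Constructed model of the routed-/29 setup from the thread (not Sophos XG code)."""
from ipaddress import ip_address, ip_network

# Interface table: name -> (zone, directly connected network).
# WAN and DMZ addresses are the thread's example values; LAN is assumed.
INTERFACES = {
    "Port1": ("LAN", ip_network("192.168.1.0/24")),
    "Port2": ("WAN", ip_network("1.2.3.0/24")),
    "Port3": ("DMZ", ip_network("1.2.4.0/29")),
}
WAN_IP = ip_address("1.2.3.4")
PUBLIC_BLOCK = ip_network("1.2.4.0/29")


def egress_for(addr):
    """Longest-prefix match over connected networks; anything else uses the default route (WAN)."""
    addr = ip_address(addr)
    hits = [(net.prefixlen, name, zone) for name, (zone, net) in INTERFACES.items() if addr in net]
    if not hits:
        return "Port2", "WAN"
    _, name, zone = max(hits)
    return name, zone


def classify(src, dst):
    """Return (src_zone, dst_zone, needs_dnat) for a flow arriving at the firewall."""
    _, src_zone = egress_for(src)  # zone the packet arrives from
    _, dst_zone = egress_for(dst)
    # DNAT only applies when the destination is the firewall's own WAN address;
    # an address inside a directly connected public block is simply routed.
    needs_dnat = ip_address(dst) == WAN_IP
    return src_zone, dst_zone, needs_dnat


def isp_delivers_block(isp_next_hop):
    """The /29 only reaches Port 3 if the ISP routes it to the firewall's WAN address."""
    return ip_address(isp_next_hop) == WAN_IP


if __name__ == "__main__":
    # Constructed sample flows: an Internet client and a LAN client hitting the DMZ server.
    for src, dst in [("8.8.8.8", "1.2.4.2"), ("192.168.1.10", "1.2.4.2"), ("8.8.8.8", "1.2.3.4")]:
        print(src, "->", dst, classify(src, dst))
    print("ISP routes", PUBLIC_BLOCK, "to WAN IP:", isp_delivers_block("1.2.3.4"))
```

    The model makes the point that the firewall rule for the public server must be written as an ordinary WAN-to-DMZ forwarding rule with the server's own address as the destination, and that the upstream route for the /29 is outside the firewall's control.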
