XG Firewall Home and NAS or any devices on my network

Hi everyone!

I'm testing XG Firewall on a virtual machine on my NAS.

I configured it this way:

* my DSL modem (router, Freebox for those who know it) at 192.168.1.254 (no DHCP). DMZ: IP of the Sophos WAN port, 192.168.1.18

* the Sophos XG virtual machine with

192.168.2.1 <= LAN port

192.168.1.18 <= WAN port

DHCP server from 192.168.2.5 to 192.168.2.50

* my NAS: IP: 192.168.2.7

I have a domain name, which I pointed to my external IP address (from my network provider, free).

So, I try to reach my NAS on my network with my domain, but... no luck!

I created a business policy (DNAT, full NAT), as explained in the tutorial, but... it doesn't work. community.sophos.com/.../122976

I tried with HTTPS (on port 44300) and HTTP (port 8080), but it doesn't work.

So, did I do something wrong?

What have I forgotten?

Could you please help me?

(Sorry for my English, I'm French :-))



  • What I call the router is my DSL modem.

    The router is actually the Sophos.


    internet =======>dsl modem ============> sophos (virtual machine) =============> lan

    public IP ======> 192.168.1.254==========> port1(lan) 192.168.2.1 ==============>192.168.2.XX

                                   dmz : 192.168.1.18=======>port2(wan) 192.168.1.18

     

    Is it clearer?

    Thanks for trying to help me :-)

  • Sorry Daniel, but still not clear. You have 192.168.1.254 and 192.168.1.18 on 2 different interfaces?
  • On the DSL modem:

    The 192.168.1.254 is the physical IP of the DSL modem.

    The 192.168.1.18 is not an interface. In the configuration of my DSL modem, I can declare a DMZ. This is where I put the 192.168.1.18.

    Sorry if I'm not clear, but it's not easy in English.

  • Hi,

    On the DSL modem:
    The 192.168.1.254 is the physical IP of the DSL modem.
    The 192.168.1.18 is not an interface. In the configuration of my DSL modem, I can declare a DMZ. This is where I put the 192.168.1.18.

    Sorry if I'm not clear, but it's not easy in English.

    PS: most of the time, I receive a message from the forum that says my message is "inappropriate". What does that mean?

  • Daniel,

    Your DSL modem has different interfaces and so different IPs. Assign the DMZ interface a different IP than 192.168.1.x/24 and 192.168.2.x/24, for example 192.168.3.0, and adjust the other settings needed.

    Thanks

  • Hi Luk,

    I can't.

    On my DSL modem, the DMZ must be in the same network as the DSL modem.

    Let's start over:

    How do you configure the Sophos?

    port1, the LAN: let's say 192.168.2.XX

    port2, the WAN: let's say 192.168.1.XX

                             gateway: 192.168.1.254 (IP of my DSL modem)

    Am I right?

    So, on my DSL modem, I must declare a DMZ, which is the WAN (port2) of the Sophos?

    Am I still right?

  • Hi Daniel,

    Check if the traffic on the configured port reaches the XG. Take console access to the XG and run tcpdump 'port 4430'. If there is no traffic reaching the XG, then check the local configuration on the DSL modem. Also, as Luk suggested, you cannot configure similar subnet on two different interfaces.

    Thanks

  • Hi,

    What do you mean by "you cannot configure similar subnet on two different interfaces."?

    You need to be more specific, because I'm a noob.

    So, on my DSL modem:

    There is only ONE interface, which is 192.168.1.254.

    In the configuration tool, I declare the DMZ, which is the WAN IP of the Sophos (port2: 192.168.1.18).

    I cannot declare a DMZ with another IP range (192.168.2.XX for example). The IP must be in the same range as the DSL modem (192.168.1.XX).

    (I don't know if "range" is the right word here.)

    Thanks

    PS: yes, I have SUCH graphic skills! I know :-) (I'm joking, of course)

  • Hi all,

    I did what you asked.

    When I tried to connect to my NAS from my home (but with my domain name):

    tcpdump 'port 44300'

    18:37:04.966913 Port1, IN: IP 192.168.2.5.49392 > PUBLIC.IP.44300: Flags [ S ], seq 2612920556, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:37:04.967712 Port2, OUT: IP 192.168.1.18.49392 > PUBLIC.IP.44300: Flags [ S ], seq 2612920556, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:37:07.972381 Port1, IN: IP 192.168.2.5.49392 > PUBLIC.IP.44300: Flags [ S ], seq 2612920556, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:37:07.972999 Port2, OUT: IP 192.168.1.18.49392 > PUBLIC.IP.44300: Flags [ S ], seq 2612920556, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:37:13.977327 Port1, IN: IP 192.168.2.5.49392 > PUBLIC.IP.44300: Flags [ S ], seq 2612920556, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    18:37:13.978156 Port2, OUT: IP 192.168.1.18.49392 > PUBLIC.IP.44300: Flags [ S ], seq 2612920556, win 8192, options [mss 1460,nop,nop,sackOK], length 0

    18 packets captured
    18 packets received by filter
    0 packets dropped by kernel

    I don't know what that means.

    But it connects to my public IP.
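
One way to read a capture like the one in the last post, added here as an example and not written by anyone in the thread: group the lines by TCP flow, count SYN retransmissions, and report whether the SYN left the firewall with its destination rewritten and whether any SYN-ACK came back. The sample lines are constructed (203.0.113.10 stands in for the public IP), and the `analyse` helper and its `lan_if` default are assumptions of this example.

```python
import re

# Constructed sample in the XG console tcpdump format from the post above;
# 203.0.113.10 is a documentation address standing in for the public IP.
SAMPLE = """\
18:37:04.966913 Port1, IN: IP 192.168.2.5.49392 > 203.0.113.10.44300: Flags [ S ], seq 2612920556, win 8192, length 0
18:37:04.967712 Port2, OUT: IP 192.168.1.18.49392 > 203.0.113.10.44300: Flags [ S ], seq 2612920556, win 8192, length 0
18:37:07.972381 Port1, IN: IP 192.168.2.5.49392 > 203.0.113.10.44300: Flags [ S ], seq 2612920556, win 8192, length 0
18:37:07.972999 Port2, OUT: IP 192.168.1.18.49392 > 203.0.113.10.44300: Flags [ S ], seq 2612920556, win 8192, length 0
"""

LINE = re.compile(
    r"^\s*\S+ (?P<ifc>\w+), (?P<dir>IN|OUT): IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[\s*(?P<flags>[A-Z.]+)\s*\], seq (?P<seq>\d+)")

def analyse(capture, lan_if="Port1"):
    """Return {(src, sport, dst, dport): summary} for each SYN entering lan_if."""
    pkts = [m.groupdict() for m in map(LINE.match, capture.splitlines()) if m]
    flows = {}
    for p in pkts:
        if (p["flags"], p["ifc"], p["dir"]) == ("S", lan_if, "IN"):
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            f = flows.setdefault(key, {"syn_attempts": 0, "seq": p["seq"],
                                       "egress": set(), "answered": False})
            f["syn_attempts"] += 1  # same seq repeated = client retransmitting
    for (src, sport, dst, dport), f in flows.items():
        for p in pkts:
            # The initial sequence number survives NAT, so it ties the hops together.
            if (p["flags"], p["dir"], p["seq"]) == ("S", "OUT", f["seq"]):
                f["egress"].add((p["ifc"], p["src"], p["dst"]))
            # "S." is a SYN-ACK; one addressed to the client's port is a reply.
            if p["flags"] == "S." and p["dport"] == sport:
                f["answered"] = True
        rewritten = {e[2] for e in f["egress"]} - {dst}
        if f["answered"]:
            f["verdict"] = "answered"
        elif rewritten:
            f["verdict"] = "destination rewritten to %s, no reply" % sorted(rewritten)[0]
        elif f["egress"]:
            f["verdict"] = "forwarded with destination unchanged, no reply"
        else:
            f["verdict"] = "not forwarded"
    return flows

if __name__ == "__main__":
    for key, f in analyse(SAMPLE).items():
        print(key, f["syn_attempts"], "SYNs via", sorted(f["egress"]), "->", f["verdict"])
```

On the sample, the single flow is reported as forwarded out Port2 with source 192.168.1.18 and the destination still the public address, with no SYN-ACK seen.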