Sophos UTM Internal Routing

Hi,

Can the Sophos UTM provide internal routing functionality? I.e. able to handle multiple gateways and routing between subnets? I am hoping I can use the device in place of having to purchase an additional routing specific device.

Thanks


  • Hi all,

    I think this internal routing question goes hand in hand with my problem.

    At one of our new locations where we installed a new AT&T fiber optic internet circuit we received different routing and IP information than for our other locations where we have fiber optic internet service. Usually (from Zayo, Verizon, etc.) we simply receive our IP addresses (IP subnet), a gateway and a subnet mask to configure the WAN interface with on our Sophos UTMs. At those locations and the new one we simply get fiber optic handoffs from the carriers that we run into our Sophos UTMs (with FleXi Port modules).

    At our newest location where we are in the process of installing an AT&T fiber optic circuit we received the following:

    AT&T Router WAN IP:  12.252.---.225/30
    Customer Router IP: 12.252.---.226/30
    Customer LAN IP:  12.97.---.120/29
    SubNet Mask: 255.255.255.248

    AT&T separates here into customer WAN and customer LAN. For us both subnets are WAN facing even the customer LAN portion. The customer LAN portion we actually want to use as our WAN IP addresses that we assign to our external interface. As always internally we use the Sophos UTM DHCP service to assign internal IP addresses.

    To me this looks like as if I had to do some additional WAN routing.

    How do I configure all this on just the Sophos UTM? If you can help, please explain the steps in detail. I do not want to install a separate additional router that is in between the Sophos UTM and the carrier handoff.

    Your help is greatly appreciated!
    We are really stuck here.

    Best,
    Daniel

  • Hi, Daniel, and welcome to the UTM Community!

    I just finished solving an IPsec VPN problem with an AT&T uVerse Residential Gateway for a client in Memphis.  The blasted device couldn't be configured as a bridge.

    AT&T's solution was some sort of hybrid NAT where web accesses went out with the client's IP, but UDP 500 and pings from the client's central site were sent from the public IP of the AT&T Gateway. It took two hours of monkeying with that thing and two different AT&T support engineers before that became clear.

    If AT&T can't give you a proper connection that behaves well, you will wind up wasting hours and then paying someone like me $500+ to help you figure out what's going on and then how to make things work.  Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for your response. I appreciate it. Do you have no idea at all how AT&T wants their customers to implement the scenario I described? Not even in theory? AT&T calls this product unmanaged EaMIS. As far as I know it is one of their enterprise products.

    Thanks,
    Daniel

  • Hi Bob,

    One additional piece of information I received:

    "AT&T uses router IP addresses for their EaMIS connections.  The LAN IP addresses are the public IP addresses, the /30 WAN block is used to establish the link across the Ethernet connection.  You assign the Customer Router IP (12.252.---.226) to your WAN port and then the LAN block to the port that will be connecting to your firewall."

    Any idea how to interpret this information and implement it on the Sophos UTM? I am sure it would help others in the future who have ordered the same product from AT&T.

    Best,
    Daniel

  • Sounds like AT&T gobbledygook to me, Daniel.  Since this is a business connection, I would have to assume that they've given you a simple router where the default gateway for your interface is the IP on the router port to which your External interface is connected.  Does that work?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    No router was provided by AT&T since EaMIS is an unmanaged circuit. It is the customer's responsibility to provide a router - in our case the Sophos UTM. We want to use the Sophos UTM as our firewall as well as for routing. My assumption is that AT&T wants us to implement it as follows:

    [Internet] ----- [AT&T Core Router] ----- [Customer Managed Router] ----- [Customer Firewall] ----- [LAN]

    We are trying to implement it as follows:

    [Internet] ----- [AT&T Core Router] ----- [Sophos UTM (Customer Managed Router and Customer Firewall combined)] ----- [LAN]

    I am pretty sure that we can do all the routing with the Sophos UTM. I just don't know at this point how to implement it. I looked at the different static routing and NAT options on the Sophos UTM but I am unsure how to proceed. Looking back at what AT&T provided, I assume it will work like this:

    [Internet]
         |
         |
    [AT&T Core Router]
    LAN: 12.252.---.225 (Gateway for Sophos UTM 1)
         |
    Network: 12.252.---.224/30
         |
    WAN: 12.252.---.226
    [Sophos UTM 1]
    LAN: 12.97.---.121 (Gateway for Sophos UTM 2)
         |
    Network: 12.97.---.120/29
         |
    WAN: 12.97.---.122 - 12.97.---.126 (Our internet IP addresses for servers, etc.)
    [Sophos UTM 2]
    LAN: 10.0.0.254 (Gateway for LAN)
         |
    Network: 10.0.0.0/24
         |
    [LAN]

    Unfortunately I don't know how to configure Sophos UTM 1 and Sophos UTM 2 on just one single physical Sophos UTM. I am sure there is some internal routing that can be configured to achieve this. I just have no idea what it could be. For Sophos UTM 2 I would use Masquerading. Unfortunately Masquerading can only send traffic to a physical Sophos UTM interface and not some configured other internal subnet. For Sophos UTM 1 I would use some type of NAT or Static Routing but unfortunately don't know what works in this case since I am not familiar with the different NAT and Static Routing options and how they work.

    In case you have some further input I would appreciate it. I have a call scheduled with an AT&T engineer on Friday early afternoon and want to go into this meeting with as much information as possible because I highly doubt that the AT&T engineer is a Sophos UTM expert as well :)

    Best,
    Daniel

  • Hi,

    I have not really made progress on this since it works without using our customer IP subnet. Currently, as a workaround, we are simply using Masquerading, 12.252.---.226 as the Sophos UTM WAN IP address and 12.252.---.225 as the gateway. It looks like it is possible to configure NAT rules for our scenario and add our customer IP subnet as additional IP addresses for the WAN interface. In theory this all works as long as you don't use the web filter. As soon as you use the web filter (and internal proxy I guess) the settings for outgoing IP address get ignored and the primary WAN IP address is used for outgoing traffic. I read this somewhere else in a different thread but have not really found a solution yet or a recommended way of implementing this properly. As soon as I have a solution, I will post it here.

    Best,
    Daniel

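The following model is an added example, not code from this thread or from Sophos. It shows why the two-router diagram Daniel draws above collapses into one routing table on a single device, and it models the workaround he describes in his later post (the /29 block configured as additional addresses on the WAN interface, with NAT choosing the public source address). The addresses are documentation-range placeholders standing in for the redacted values on the page (198.51.100.224/30 for the 12.252.---.224/30 link, 203.0.113.120/29 for the 12.97.---.120/29 block), and the interface names eth0/eth1, the SNAT address .122, the DNAT mapping .123 to 10.0.0.10 and the `originated_locally` flag are all assumptions of this example.

```python
"""Single-device model of the routed-block hand-off discussed in the thread.

Constructed example, not Sophos UTM code. All addresses are placeholders:
the page redacts the third octet of the real 12.252.x and 12.97.x blocks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Carrier hand-off as described (last octets follow the thread's layout).
LINK_NET = ipaddress.ip_network("198.51.100.224/30")   # /30 point-to-point link
CARRIER_GW = ipaddress.ip_address("198.51.100.225")    # "AT&T Router WAN IP"
LINK_IP = ipaddress.ip_address("198.51.100.226")       # "Customer Router IP"
PUBLIC_NET = ipaddress.ip_network("203.0.113.120/29")  # routed "Customer LAN" /29
LAN_NET = ipaddress.ip_network("10.0.0.0/24")          # internal LAN
LAN_IP = ipaddress.ip_address("10.0.0.254")            # LAN gateway address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[ipaddress.IPv4Address]  # None means directly connected


# One routing table does the job of "UTM 1" and "UTM 2": the /30 and the /29
# are both directly connected on the external interface, the LAN is on the
# internal one, and the only next hop anywhere is the carrier gateway.
ROUTES = [
    Route(LINK_NET, "eth1", None),
    Route(PUBLIC_NET, "eth1", None),
    Route(LAN_NET, "eth0", None),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth1", CARRIER_GW),
]

# Interface addresses, primary address first, then additional addresses.
# Placing the whole /29 on eth1 is what makes it "local" without a second router.
IFACE_ADDRS = {
    "eth1": [LINK_IP] + list(PUBLIC_NET.hosts()),
    "eth0": [LAN_IP],
}

# Assumed NAT policy (not from the page): LAN hosts leave with .122,
# and .123 is mapped 1:1 to an internal server.
SNAT_LAN_TO = ipaddress.ip_address("203.0.113.122")
DNAT = {ipaddress.ip_address("203.0.113.123"): ipaddress.ip_address("10.0.0.10")}


def lookup(dst):
    """Longest-prefix match. Returns (egress interface, next hop as string)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen)
    next_hop = best.via if best.via is not None else dst  # connected: deliver directly
    return best.iface, str(next_hop)


def next_hops():
    """Every distinct gateway the table needs; a single carrier gateway suffices."""
    return sorted({str(r.via) for r in ROUTES if r.via is not None})


def forward(src, dst, originated_locally=False):
    """Model the forwarding and NAT decision for one packet.

    Returns (iface, next_hop, src_after_nat, dst_after_nat) as strings.
    originated_locally models traffic the firewall itself generates (for
    example a proxy): in that case the packet leaves with the interface's
    primary address, which is the behaviour the thread reports when the web
    filter is active.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in DNAT:                      # inbound to a published server address
        dst = DNAT[dst]
    iface, next_hop = lookup(dst)
    if iface == "eth1":
        if originated_locally:
            src = IFACE_ADDRS["eth1"][0]  # primary address, not the chosen /29 one
        elif src in LAN_NET:
            src = SNAT_LAN_TO             # outbound LAN traffic uses a /29 address
    return iface, next_hop, str(src), str(dst)


if __name__ == "__main__":
    print("gateways needed:", next_hops())
    print("LAN host to internet:", forward("10.0.0.5", "192.0.2.10"))
    print("internet to published server:", forward("192.0.2.10", "203.0.113.123"))
    print("proxy-originated:", forward("10.0.0.5", "192.0.2.10", originated_locally=True))
```

The point the model makes is that there is nothing to "route between" the /30 and the /29: both live on the same external interface, so the only static route a single firewall needs is the default route to the carrier's .225. What remains is a NAT policy question (which /29 address each flow should carry), and the last call illustrates the caveat from the thread, where locally generated proxy traffic falls back to the interface's primary address.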
  • Here is a more detailed explanation with screen shots on how we configured this on our Sophos UTM: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/77171/how-do-i-configure-at-t-eamis-wan-subnet-routing

    As of Sophos UTM 9.5 it is still not working when the Web Protection > Web Filtering is active for a certain network or host.

    Please post a solution in case you have solved for this scenario.
