Routing traffic through wrong interface

Hi guys.

It is a bit complicated, so I will try to break down my problem as understandably as possible.

I have a UTM SG310, running on current FW 9.604-2.

On this UTM, there are public IP addresses (/28), bound to eth1, connected to a corporate Internet connection. On eth7, I have a dial-up cable modem connection for my internal users accessing the web, so that they don't use bandwidth on my corporate connection. So it looks like the following:

internal network -> UTM (eth1) -> public /28 network -> corporate Internet router from my ISP

internal network -> UTM (eth7) -> dialup modem (FritzBox)

Some weeks ago, I removed two of the IPs (.10 and .14) that were bound to eth1 and put them on a different firewall, just for physical separation of DMZ and internal network.

My problem is now that accessing both IPs (.10 and .14) gets handled differently by my SG310:

1) accessing the .10 from my internal network gets routed as it should over eth7.

1.1) accessing the internet in general from my internal network gets routed as it should over eth7.

2) accessing the .14 from my internal network gets routed wrongly over eth1.

When attaching Wireshark between the UTM's eth1 and my corporate Internet router, I see private IP addresses (which I use for the internal network) trying to access the internet.

I tried everything to get the traffic for .14 over eth7 but without success:

  • masquerading
  • nat rule
  • static routing to the .14
  • multipath rule
  • rebooting the UTM 

All without access.

I am lost, does anybody have any idea or hint for me?

Best regards, Christian



  • Hi Christian,

    Is the .14 defined as a Host in the UTM? If so, my first idea would be to have a look at Definitions & Users, Network Definitions, and click the button labeled as "show where this object is in use". It might be a rule routing this Host thru ETH1 that you are not aware of. Or maybe the Host is member of a group that is treated somewhere.

    Basically there are two possibilities: The Host is routed according to your rules over ETH1, and you missed one of the rules. Or it is not covered by any rules and the general routing takes place over ETH1.

    If this doesn't work out, I hope someone else can help you further. It could be that there are some leftover rules which are not shown in the GUI. This could be fixed on command line. Or probably by deleting the host within the GUI and setting it up again.

    Good luck!

    Axel

  • Hi Axel.

    Just a quick response about what I found:

    I found the reason why I can route .10 through eth7. My bad: we put Cloudflare between us and the .10. So our sites that are bound to .10 resolve to a different IP; this is why .10 is routed through eth7 correctly. It looks like this:

    internal network: www. xyz . com (resolves to Cloudflare's IPs) -> UTM:eth7 -> Cloudflare -> (different firewall):.10 -> apache

    I guess that, without Cloudflare, .10 wouldn't go over eth7.

    So my situation currently is:

    UTM:eth1 is default gateway (gw => 123.123.123.1) and has bound the following IP addresses

    123.123.123.3/28 to 123.123.123.14/28, with the exception of .10 and .14.

    UTM:eth7 is default gateway (gw => 192.168.178.1) and is on DHCP, DHCP-server is a FritzBox.

    So here comes the point that maybe I am thinking wrong about:

    I thought I could route from the internal network (192.168.0.x/24) to 123.123.123.14 through eth7, but this isn't possible.

    If I had to guess why, I would say that this is because I want to access an IP address whose subnet is bound to a different interface. This puts me in a problematic situation, and I currently have no solution to fix this.

    Regards, Christian

  • Christian, good to hear you found out about the first issue. The new issue is above my horizon, but I guess someone else on here will be able to help.

    A quick idea I have for you: as far as I know, firewall rules are walked thru from top to bottom. So probably re-arranging some of your rules could help. Place the rule "from 0.x. to .123.14 thru ETH7" above the rules for the default gateway and it may work. I don't know if the same applies for routing, but it could be.

    But, I don't want you to look into stuff that is probably not really true, so I am hoping someone else will chime in.

  • Hi.

    Do you mean re-arranging NAT rules? We do not have such a thing as a common/general gateway firewall rule.

    We do this either by NAT (which automatically creates firewall rules) or by Multipath.

    I am not quite sure that putting them higher to the top has an effect. I was thinking about splitting our /28 into smaller parts. But a) I don't know if this is possible, b) it is something completely new for me, and c) to my understanding, we first have to move the IP addresses for our services, because currently they are spread across the /28 space.

    Hgrmpf. ;-)

    Regards, Christian

  • I need a picture. I think you describe something like this:

    Intranet                                                   Intranet
    |                                                               |
    New Firewall                                             UTM ---- dial-up users
    |                                                               |
    --------------------Internal Network--------------
       |
    Internal Clients

    I think you want UTM to send some internet-bound traffic to "New Firewall" even though UTM can easily send it to the Internet using its own interface. Is this correct?

    Which device is the default gateway for your Internal Clients -- UTM, New Firewall, or a router that is not shown?

    We also need clarity about the traffic that you want to redirect:

    - no filtering expected - traffic should flow directly from Internal Client to New firewall

    - UTM filtering with a Transparent Mode proxy - traffic should flow to UTM but be forced over to New Firewall after filtering.

    - UTM filtering with a Standard Mode proxy - traffic is sent to UTM then relayed to New Firewall after filtering.

    I am not convinced that any of these things are possible, but we need to start with a more precise problem statement.

  • Hi Douglas. I am not good at ASCII art, so I painted it on a paper:

    The UTM eth1 interface has 123.123.123.3/28 as primary IP with some other IPs belonging to this subnet. We use eth1 for incoming traffic such as Citrix, in/outbound email, ... . The interface eth7 is on DHCP by the FritzBox router. eth7 is the gateway handling client traffic (http(s)) that goes out to the internet. So when I open up a client browser and go to ripe.net, I see the IP of the FritzBox, not the one of eth1.

    The new firewall has 123.123.123.10/28 and 123.123.123.14/28. When I now try to access a site that resolves to 123.123.123.10/28 from a client on the internal network, traffic gets routed through UTM eth1 and the new firewall drops it because it sees that the IP packets have a private IPv4 address - the one from the internal client.

    What I want is that clients go through UTM eth7, even when accessing 123.123.123.10/28 and 123.123.123.14/28.

    Regards, Christian

  • I basically see two options for you:

    1. SNAT traffic from INTERNAL using service ANY to .10 translate source to fritzbox.

    2. Route the traffic thru fritzbox, so it physically takes the long route.

    If this does not help: at least your painting looks great! :-)

  • Hi.

    SNAT is always my first option for things like this, so I tried this, without success.

    Same result: the request times out because the other firewall sees incoming requests from internal client IP addresses and drops them. The traffic leaves the UTM over eth1; SNAT gets ignored.

    I guess I have to consider splitting my subnet and binding one part to the new firewall and one to the UTM's eth1. I think the UTM cannot route traffic for a subnet bound to eth1 over a different interface... Maybe I have a misunderstanding of IP routing in general here and this has nothing to do with the UTM in particular.

    reag said:

    If this does not help: at least your painting looks great! :-)

    :-D

    Regards, Christian
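The longest-prefix-match rule behind the question in this post, as an added illustration that is not part of the original thread: a constructed route table modelled on the described setup (connected public /28 on eth1, default route via the FritzBox on eth7; the internal LAN interface name eth0 is an assumption). It shows why a destination inside the connected /28 is sent out eth1 regardless of the default gateway, and that only a more specific route (or a policy rule evaluated before the table) can change that. Whether the UTM honours such a host route in this setup is not established by the thread.

```python
import ipaddress

# Constructed routing table modelled on the thread's description.
# eth1 carries the connected public /28, eth7 the default route via the
# FritzBox; "eth0" for the internal LAN is an assumed name.
ROUTES = [
    ("0.0.0.0/0",        "eth7", "192.168.178.1"),  # default via FritzBox
    ("123.123.123.0/28", "eth1", None),             # connected: public /28
    ("192.168.0.0/24",   "eth0", None),             # connected: internal LAN
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns (prefix, interface, gateway) or None if nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        return None
    net, iface, gw = best
    return (str(net), iface, gw)


def main():
    # General internet traffic (documentation address) follows the default.
    for dst in ("203.0.113.5", "123.123.123.14", "123.123.123.10"):
        print(dst, "->", lookup(dst))
    # A /32 host route is more specific than the connected /28, so it wins.
    with_host_route = ROUTES + [("123.123.123.14/32", "eth7", "192.168.178.1")]
    print("123.123.123.14 with /32 ->", lookup("123.123.123.14", with_host_route))


if __name__ == "__main__":
    main()
```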
