
Routing traffic through wrong interface

Hi guys.

It is a bit complicated, so I will try to break down my problem as understandably as I can.

I have a UTM SG310, running on current FW 9.604-2.

On this UTM, there are public IP addresses (/28), bound to eth1, connected to a corporate Internet connection. On eth7, I have a dialup cable modem connection for my internal users accessing the web so that they don't use bandwidth on my corporate connection. So it looks like the following:

internal network -> UTM (eth1) -> public /28 network -> corporate Internet router from my ISP

internal network -> UTM (eth7) -> dialup modem (FritzBox)

Some weeks ago, I removed two of the IPs (.10 and .14) that were bound to eth1 and put them on a different firewall, just for physical separation of DMZ and internal network.

My problem is now that accessing both IPs (.10 and .14) gets handled differently by my SG310:

1) accessing the .10 from my internal network gets routed as it should over eth7.

1.1) accessing the internet in general from my internal network gets routed as it should over eth7.

2) accessing the .14 from my internal network gets routed wrongly over eth1.

When attaching Wireshark between the UTM's eth1 and my corporate Internet router, I see private IP addresses (which I use for the internal network) trying to access the internet.

I tried everything to get the traffic for .14 over eth7 but without success:

  • masquerading
  • NAT rule
  • static routing to the .14
  • multipath rule
  • rebooting the UTM

All without access.

I am lost, does anybody have any idea or hint for me?

Best regards, Christian
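A worked example, added here and not part of the original thread or of Sophos UTM, of the routing decision behind symptom 2. It models the kernel's longest-prefix match over a constructed routing table: the public /28 stays a connected route on eth1 as long as any address of that prefix is still bound there, so a destination inside the /28 (such as .14) is handed to eth1 directly even though the default route points at eth7. The prefixes 203.0.113.0/28 and 192.168.1.0/24, the interface name eth0 and the address list are assumptions standing in for the poster's real values.

```python
import ipaddress

# Constructed interface addresses modelled on the thread: after .10 and .14 were moved to
# the other firewall, other addresses of the public /28 are still bound to eth1.
# 203.0.113.0/28 is a documentation prefix standing in for the real /28; 192.168.1.0/24
# and eth0 are assumed values for the internal LAN. None of this is the UTM's real table.
BOUND = [
    ("203.0.113.2/28", "eth1"),   # remaining public address on eth1
    ("203.0.113.3/28", "eth1"),   # another remaining public address on eth1
    ("192.168.1.1/24", "eth0"),   # assumed internal LAN interface
]


def connected_routes(bound):
    """Derive connected routes from bound addresses the way a kernel does:
    every bound address contributes its network prefix, once per (prefix, iface).
    Removing single addresses does not remove the prefix while others remain."""
    routes = []
    for addr_with_len, iface in bound:
        net = ipaddress.ip_interface(addr_with_len).network
        entry = (str(net), iface)
        if entry not in routes:
            routes.append(entry)
    return routes


# Full table: connected routes plus the default route via the cable modem on eth7.
ROUTES = connected_routes(BOUND) + [("0.0.0.0/0", "eth7")]


def lookup(dst, routes):
    """Longest-prefix match: return the egress interface for dst,
    or None if no route covers it. Order of the table does not matter."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def with_host_route(routes, host, iface):
    """Return a copy of routes with a /32 host route added; being more specific
    than the connected /28, it wins the lookup for that single destination."""
    return routes + [(f"{host}/32", iface)]


if __name__ == "__main__":
    print("connected:", connected_routes(BOUND))
    print(".14 via", lookup("203.0.113.14", ROUTES))          # eth1: inside connected /28
    print("internet via", lookup("198.51.100.7", ROUTES))     # eth7: default route
    fixed = with_host_route(ROUTES, "203.0.113.14", "eth7")
    print(".14 with /32 via", lookup("203.0.113.14", fixed))  # eth7: host route wins
```

The model also shows why the Wireshark capture on eth1 contains private source addresses: a packet handed to a connected route leaves on that interface with its original source unless a NAT rule matches that path. It does not explain why .10 behaves differently from .14 in the thread; that is not deducible from the routing table alone.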



  • Hi.

    DouglasFoster said:

    You cannot have your new firewall entirely on the internet.

    Hm, I am not sure what you mean, because this is the way it works right now. The only side effect I am seeing is that I cannot route from one FW to the other.

    The value for me is that I have physically divided networks with their own IP addresses, servers and switches behind both firewalls.

    So, if we assume a hacker has access to a server behind one of my firewalls, he is on the internal side of my network when the firewall is the UTM. Even if there is a VLAN dividing the hacked server and my client network, he is behind my UTM. I don't have to care about switch ACLs, VLANs or any other stuff that puts walls between the hacked server and my internal client network.

    Now, he "only" is behind a second firewall and hasn't any physical connection to the network behind the UTM. Right, he is on the server, but he is not able to get into production systems or databases other than those on the network behind the second firewall. So let's say he is on the "public side" of our network.

    Changing the source address (the one that the communication comes from when communicating with the internet) is done by the UTM itself when using a different interface than eth1. We once used this for outgoing emails sent through a specific public IP address.

    I agree about SNAT. But, as written before, it does not work for me here and I was curious about why.

    Regards,

    Christian

  • It sounds like your real objective is a DMZ, to separate dial-up from internal users. The DMZ needs its own subnet on a private IP, perhaps 10.10.10.0/24. Options can be:

    One device, three interfaces:

    Internet-UTM-Internal
                   \___DMZ-dialup

    Two devices:

    Internet-UTM-DMZ-Firewall-Internal
                    \___dialup

    or

    Internal-Firewall-DMZ-UTM-Internal
                    \___dialup

    Assuming that you want UTM filtering on both dial-up and internal connections, UTM needs to be in front, so I would just use the UTM with three interfaces, eliminating the firewall. Then you configure what can and cannot be done using standard UTM features like Allowed Networks lists and User Groups.

    UTM with three zones can be a little tricky because you have to configure each proxy separately to ensure that you have correctly controlled what is allowed from DMZ to Internal. There is a KB article to help.

    The DMZ eliminates the need for SNAT.

  • Hi.

    First, let me thank you all for your thoughts and your support :-)

    DouglasFoster said:

    It sounds like your real objective is a DMZ, to separate dial-up from internal users. The DMZ needs its own subnet on a private IP, perhaps 10.10.10.0/24. Options can be:

    You are right, my objective is a DMZ with its own private IPv4/v6 subnets, physically divided from my UTM and its networks.

    If you mean by "dial-up" that users are connecting over the internet into the internal network, then the answer is no. I mentioned "dialup" above, meaning that the internet line is a dialup and not a permanent connection. It gets kicked every 24h and has to dial up again. And this line is only used for getting web traffic for our internal users into the internet. There are no other services associated with this internet connection.

    To make this clear, there is no reason for _direct_ communication from the DMZ (behind the new firewall) to the (internal network behind the) UTM.

    In the DMZ behind the new firewall, there are only webservers and some (next-/own/...)-cloud stuff, that can be securely accessed through the internet. No user has direct access to the network behind the new firewall, no DHCP is running there, no VPN access is allowed for anyone.

    I am currently in the phase of talking with my carrier about splitting our /28 into two /29 networks, so that my UTM and my new firewall have their own real IPv4 networks. I think this makes routing a lot easier.

    Regards, Christian

  • south side said:

    Don't use the wrong interface, it will not be helpful in future to know about the interfaces.

    What? Is this a Spambot?