DMZ built of combination of MASQUERADE and/or FullNAT and/or DNAT???

I spent many, many hours during the last few weeks trying just about everything I found in here in order to have a FULL DMZ using 1 free interface.

It works, kinda, but not completely; there's always something that goes wrong.

I also tried this:
UTM: Accessing Internal or DMZ servers from Internal Networks using DNAT

in any way I could understand it...
it doesn't work.

I can say that it's not completely DMZed because, when I remove the UTM from the connection and put the cable directly into the PC, or use USB tethering from my phone, I can properly achieve what I'm trying to do...
Also,
when having a look at the live log I can see that there are white lines
concerning the PC, which is alone on the interface, which is on a different subnet, so I can't be mistaken; in theory there should be red and green lines, right?


Please, please, please, HOW can I DMZ 1 interface? There has to be someone who knows the recipe.


This thread was automatically locked due to age.
  • When you try to connect with the UTM in place, does the VPN fail to connect, or can you connect but just not browse? It would be helpful to see logs from the firewall, IPS and web filtering, as there should be a clue there if the UTM is dropping or not allowing the traffic out.

    What port are you using for OpenVPN? Do you have HTTPS scanning enabled? It could interfere with traffic on port 443.

    I would suggest you may have too many variables in play with your current UTM configuration. In order to troubleshoot better, I would start with a fresh configuration with minimal rules to allow access. Test that it is working and then add/enable features such as IPS, web filtering etc.

    A NAT masq rule and a firewall rule to allow Internal Network -> any -> Internet should be all that's necessary for basic functionality.
  • When you try to connect with the UTM in place does the vpn fail to connect or you can connect just not browse?


    Problem = browse only; the OpenVPN client claims to be successfully connected.

     It would be helpful to see logs from the firewall, ips, web filtering as there should be a clue there if the UTM is dropping or not allowing the traffic out.


    I attached the requested logs; I cleared them before connecting OpenVPN and trying to browse.
    IPS is empty, probably because it's OFF.
    http.log (pasted because of the 5-upload-file limit)
    see below

    and I cleaned the firewall.log, keeping the entries concerning the OpenVPN-connecting Linux PC (pasted because of the 5-upload-file limit)
    see below


    What port are you using for Openvpn? 

    I asked this of the VPN service provider back in January:
    UDP: 9201, 1194, 8080, 53
    TCP: 443, 110, 80


    Do you have https scanning enabled as it could interfere with traffic on port 443.


    I don't know where in the UTM that is...


    A NAT masq rule and a firewall to allow Internal Network -> any -> Internet should be all that's necessary for basic functionality.


    That's what I did, following your recommendations from an earlier post in this very thread.
    Since this PC is alone on its interface (named DMZ), it's easy for me to disconnect all the others on other interfaces by removing the ethernet cables, thus removing the traffic and noise in the logs...

    The way I see it, the thing is that the DNS requests formulated by the PC (=192.168.14.204) after being connected to the OpenVPN server are addressed to the UTM's internal interface (named DMZ = 192.168.14.102) instead of being sent inside the tunnel to the OpenVPN server, but since all the PC's traffic is redirected inside the tunnel with a local IP as the destination IP for the DNS request, those packets get to the other side of the tunnel for an IP which is local on my side of the tunnel... (see attached screenshots of interface + DHCP etc.)

    But why does it work perfectly using a Tomato router while also being DHCP? Is it because the DHCP server on the DMZ interface has its own IP address for Primary DNS instead of being the tunnel's DNS??? (see attached screenshots of interface + DHCP etc.)

    http.log
    **********
    2014:04:07-22:43:04 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="706" message="reloading config"
    2014:04:07-22:43:05 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="581" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2014:04:07-22:43:05 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="2818" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2014:04:07-22:43:06 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="748" message="reloading config done, new version 6670"
    2014:04:07-22:43:08 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="epoll_loop" file="epoll.c" line="868" message="starting exit cleanup"
    2014:04:07-22:43:08 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scan_exit" file="scanner.c" line="569" message="scanner subsystem shutting down"
    2014:04:07-22:43:12 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scan_exit" file="scanner.c" line="575" message="scanner subsystem shut down"
    2014:04:07-22:43:12 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="epoll_exit" file="epoll.c" line="689" message="epoll subsystem shutting down"
    2014:04:07-22:43:12 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="epoll_exit" file="epoll.c" line="704" message="epoll subsystem shut down"
    2014:04:07-22:43:12 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="disk_cache_exit" file="diskcache.c" line="44" message="writing cache index"
    2014:04:07-22:43:12 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="disk_cache_exit" file="diskcache.c" line="46" message="writing cache index done"
    2014:04:07-22:43:12 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="359" message="shutdown finished, exiting"
    ***************
    packetfilter.log
    *************
    2014:04:07-22:40:55 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="23159" dstport="53"
    2014:04:07-22:41:22 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="15527" dstport="53"
    2014:04:07-22:41:23 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="32762" dstport="53"
    2014:04:07-22:41:33 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="11585" dstport="53"
    2014:04:07-22:41:52 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="13088" dstport="53"
    2014:04:07-22:41:53 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="31529" dstport="53"
    2014:04:07-22:41:57 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="29133" dstport="53"
    2014:04:07-22:42:51 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="6253" dstport="53"
    2014:04:07-22:42:52 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="49907" dstport="53"
    2014:04:07-22:43:17 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="44417" dstport="53"
    2014:04:07-22:43:38 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="12849" dstport="53"
    2014:04:07-22:43:52 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="35826" dstport="53"
    ****************
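The logs pasted above are in the UTM's key="value" format, which makes the one check worth doing here mechanical: if the PC's name resolution really went through the OpenVPN tunnel, the firewall on eth2 would only ever see encapsulated tunnel traffic from the PC, never plaintext UDP/53. Every "DNS request" line from 192.168.14.204 in the packetfilter log is therefore DNS outside the tunnel, and it is worth knowing whether it targets the UTM's own address or an external resolver. The script below is an added example for this thread, not code from the post or from Sophos: it parses the posted log format and buckets the PC's plaintext DNS by destination. The first four sample lines are copied from the post (with the dstmac repaired from the forum's emoticon mangling); the last two lines, the 192.168.14.0/24 mask, and the addresses 198.51.100.53 and 203.0.113.10 are constructed assumptions, not from the post.

```python
"""Parse Sophos UTM key="value" log lines (ulogd packetfilter and httpproxy)
and flag DNS queries that a VPN client is still sending in the clear on the
LAN side instead of inside its tunnel.

Added example for this thread; not code from the post or from Sophos.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log. Lines 1-4 are copied from the post (the dstmac in
# the post had been mangled by the forum's emoticon filter and is repaired
# here). Lines 5-6 are constructed to exercise the classifier's other
# branches; their addresses, id/name/fwrule values and ports are assumptions.
SAMPLE_LOG = """\
2014:04:07-22:43:05 steliebeach httpproxy[19344]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="581" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2014:04:07-22:40:55 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="23159" dstport="53"
2014:04:07-22:41:22 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="15527" dstport="53"
2014:04:07-22:41:23 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="192.168.14.102" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="32762" dstport="53"
2014:04:07-22:41:30 steliebeach ulogd[4296]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="198.51.100.53" proto="17" length="62" tos="0x00" prec="0x00" ttl="64" srcport="40001" dstport="53"
2014:04:07-22:41:31 steliebeach ulogd[4296]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth2" srcmac="0:1b:38:78:28:5e" dstmac="0:14:d1:25:d:e0" srcip="192.168.14.204" dstip="203.0.113.10" proto="17" length="118" tos="0x00" prec="0x00" ttl="64" srcport="50023" dstport="1194"
"""

# Header: "2014:04:07-22:40:55 steliebeach ulogd[4296]: ", then key="value" pairs.
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<daemon>\w+)\[(?P<pid>\d+)\]: '
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of header fields plus every key="value" pair, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def parse_log(text):
    """Parse all lines, silently skipping anything that is not a log record."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def dns_queries(records):
    """Packetfilter records for plaintext UDP/53 (proto 17 is UDP)."""
    return [r for r in records
            if r.get("sub") == "packetfilter"
            and r.get("proto") == "17" and r.get("dstport") == "53"]


def classify_client_dns(records, client_ip, lan_net):
    """Bucket one client's plaintext DNS by where it is headed.

    A query that went through the client's VPN would reach the firewall only
    as encapsulated tunnel traffic (UDP/TCP to the VPN server), never as
    UDP/53 from the client. So every hit here is DNS outside the tunnel,
    either to a resolver on the LAN (the UTM interface in this thread) or to
    some external resolver on the Internet.
    """
    lan = ipaddress.ip_network(lan_net)
    buckets = Counter()
    for r in dns_queries(records):
        if r.get("srcip") != client_ip:
            continue
        dst = ipaddress.ip_address(r["dstip"])
        buckets["lan_resolver" if dst in lan else "external_resolver"] += 1
    return dict(buckets)


def dns_destinations(records, client_ip):
    """(dstip, ingress interface) -> plaintext query count, for one client."""
    return Counter((r["dstip"], r.get("initf"))
                   for r in dns_queries(records) if r.get("srcip") == client_ip)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # 192.168.14.0/24 as the DMZ subnet is an assumption; the post only shows
    # the PC (.204) and the UTM's DMZ address (.102) inside 192.168.14.x.
    client, lan = "192.168.14.204", "192.168.14.0/24"
    print("records parsed:", len(recs))
    print("plaintext DNS from the VPN client:", classify_client_dns(recs, client, lan))
    for (dst, ifc), n in dns_destinations(recs, client).most_common():
        print(f"  {n:3d} queries -> {dst} via {ifc}")
```

Run it against a full packetfilter log export rather than the sample to see the real split; a non-empty result while the OpenVPN client reports "connected" means name resolution is happening outside the tunnel, whatever the client's own status says.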