DMZ built of combination of MASQUERADE and/or FullNAT and/or DNAT???

I spent many, many hours during the last few weeks trying about everything I found in here in order to have a FULL DMZ using 1 free interface.

It works, kinda, but not completely; there's always something that goes wrong.

I also tried this:
UTM: Accessing Internal or DMZ servers from Internal Networks using DNAT

in any way I could understand it...
doesn't work

I can say that it's not completely DMZed because, when I remove the UTM from the connection and put the cable directly into the PC, or use USB tethering from my phone, I can properly achieve what I'm trying to do...
also
when having a look at the live log I can see that there are white lines
concerning the PC, which is alone on the interface, which is on a different subnet, so I can't be mistaken; in theory there should be red and green lines, right?


Please, please, please, HOW can I DMZ 1 interface? There has to be someone who knows the recipe.


This thread was automatically locked due to age.
  • @dilandau  the objective: I don't know, I read at a couple of places here that a DMZed interface needed firewall+masquerading+DNAT or firewall+fullNAT.

    I didn't manage to get any results with FullNAT.
    I also read that Masquerading is SNAT, so I figured that was the reason; I read that what was needed is firewall+masquerading+DNAT.
    I'm not hosting any server, all I want is a full DMZed interface, I want devices connected to that interface to have a FULL unfiltered unbiased unfirewalled un-nothing access to the internet, like if it was directly connected.

    so if I understand what you're saying, the DNAT + firewall#4 is needed ONLY if I'm hosting, and I would need unsolicited packets coming in ...
    in my case connections are always initiated from inside, no need for that...

    so for the other item, I think I get this, internet does not equal anyIPv4....
    so by designating internet, instead, I would NOT have to drop packets in rule#1...since the firewall would drop them anyway...
    good point !
    finally 
    firewall live log shows white lines concerning the DMZed interface, web filtering is OFF, IPS is applied only to interface-MAIN and interface-GUEST, so DMZ is not concerned
    the problems with web-browsing :
    well the wheel spins to oblivion, 
    but If I :
    ping www.google.com
    or
    traceroute www.google.com
    I get "unknown host" 
    but if I do it with an address
    ping 8.8.8.8
    or
    traceroute 8.8.8.8
    it's successful

    so that must be DNS...
  • I'm not hosting any server, all I want is a full DMZed interface, I want devices connected to that interface to have a FULL unfiltered unbiased unfirewalled un-nothing access to the internet, like if it was directly connected.


    For this, all that is necessary is firewall rules to allow traffic and a NAT Masq rule.

    so if I understand what you're saying, the DNAT + firewall#4 is needed ONLY if I'm hosting, and I would need unsolicited packets coming in ...
    in my case connections are always initiated from inside, no need for that...


    Yes, that is correct.

    so for the other item, I think I get this, internet does not equal anyIPv4....
    so by designating internet, instead, I would NOT have to drop packets in rule#1...since the firewall would drop them anyway...
    good point !


    Yes, the Internet object is the same as ANY but is bound to the interface with the default gateway. So it only allows traffic that traverses the External Interface.

     IPS is applied only to interface-MAIN and interface-GUEST, so DMZ is not concerned


    You can't turn the IPS on for specific interfaces, so add the DMZ to the local networks or, if you want it unfiltered, create an exception for the DMZ network. Check the IPS log; it may be blocking the DNS traffic, or it may be an issue with OpenVPN as Barry mentioned.
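    The "firewall rule to allow traffic + NAT Masq rule, no DNAT" design from the reply above, written out as an nftables ruleset for a plain Linux box so the two halves can be checked side by side. This is an added example, not the UTM's own generated rules or anything from the thread; the interface names dmz0/wan0 and the DMZ subnet are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a single DMZ interface whose hosts may open
# any outbound connection, with nothing unsolicited allowed back in.
# Interface names and subnet are assumptions; 192.0.2.0/24 is a constructed test range.
DMZ_IF="${DMZ_IF:-dmz0}"
WAN_IF="${WAN_IF:-wan0}"
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"

# Emit the ruleset as text so it can be reviewed (or piped to `nft -f -`) without root.
dmz_ruleset() {
    cat <<EOF
table inet dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # replies to connections the DMZ host opened (this covers DNS answers too)
        ct state established,related accept
        # the "firewall rule" half: DMZ may open anything towards the WAN interface
        iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $DMZ_NET accept
        # no unsolicited inbound: nothing else is accepted, so no DNAT entry is needed
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # the "NAT Masq" half: rewrite the DMZ source address to the WAN address
        oifname "$WAN_IF" ip saddr $DMZ_NET masquerade
    }
}
EOF
}

# Checks a reviewer would run over the generated text before loading it.
has_masq()    { dmz_ruleset | grep -q "oifname \"$WAN_IF\" ip saddr $DMZ_NET masquerade"; }
has_allow()   { dmz_ruleset | grep -q "iifname \"$DMZ_IF\" oifname \"$WAN_IF\" .* accept"; }
has_no_dnat() { ! dmz_ruleset | grep -q 'dnat'; }

# Load the ruleset only when nft exists and we are root; otherwise print it for review.
apply_or_print() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        dmz_ruleset | nft -f -
    else
        dmz_ruleset
    fi
}
```

    If name lookups still fail while `ping 8.8.8.8` works with this loaded, the forward chain is not the culprit; look at the resolver the DMZ host is handed and at whatever inspects port 53 (the IPS log, as suggested above).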
  •  

    dilandau said:
    Yes, the Internet object is the same as ANY but is bound to the interface with the default gateway. So it only allows traffic that traverses the External Interface.

     

    What if there are 2 external interfaces, and the one designated as the default gateway is NOT the one the traffic should go through?

    How should the firewall rule be then?

    It cannot be AnyIPv4, it cannot be InternetIPv4, what should it be ? 

    External(Address) or External(Network) or ???

    Thanks.

  • The Traffic Selector would be 'Internal (Network) -> {Services?} -> Any' for a WAN connection without a default gateway.

    Back before we had Uplink Balancing with Multipath rules, we had to use Policy Routes to get traffic to go out a second WAN interface.  I would give your second WAN connection a default gateway and use Multipath rules to select which traffic should go through which connection.  This would make your existing WAN-1 firewall rules also work for WAN-2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA