Hi, first post, sorry for the noob question, haven't played with firewalls in quite a while.
Due to some recent developments in security (and some other more advanced issues) I have decided to look for a firewall solution instead of further relying on the internet router provided by my ISP.
So I have set up Sophos UTM 9 and am slowly trying to test/enable the various services we use at home.
Surfing/Streaming is working fine with some small modifications; Online Games however are not working yet.
Currently in use at home are Origin, Steam and The Elder Scrolls Online; Origin works more or less OOTB, the other two don't.
I have the following setup:
ISP provides a dynamic IP to the ISP-provided modem/router (i.e. it can't be set to bridge/modem-only mode); I have defined the UTM WAN interface as Exposed Host.
I have set up Web Protection and Network Protection/Firewall; Firewall contains a rule which allows all game ports (TESO/Steam) through (Internal IF -> Internet IPv4 for all ports in the OnlineGames group).
Now when I try to connect to Steam I can see a ton of allowed packets going out, no dropped ones. Nevertheless the login fails.
For TESO I see a single SYN request going out, no dropped packets either.
Back in the old days I had set up a Masq rule on my firewall (which back then got the public IP directly), but in this case I'm not sure how to properly configure it.
There is an additional twist which I am not sure matters, but I thought I'd mention it:
ISPRouter -> Port1 [192.168.128.1/18] <-----------------------------------------------------------------------------+
          -> Port4 [192.168.193.1/24] -> Port Fwd -> [192.168.193.20/24] SophosUTM -> [192.168.128.200/18] -> [192.168.128.13] Static IP Test machine
I switch only the route/default gw (192.168.128.200 or 192.168.128.1) to test with or without Sophos...
Not sure whether it is an issue that the internal interface of the Sophos is on the same network as one of the networks of the ISP router.
Thanks for any pointers,
regards,
Thomas
Edit:
Ok, just to be sure I've adjusted the network settings to have the test machine and the Sophos internal IF on a separate net - it's now:
ISPRouter -> Port4 [192.168.193.1/24] -> Port Fwd -> [192.168.193.20/24] SophosUTM -> [192.168.127.1/24] -> [192.168.127.13] Static IP Test machine
No change unfortunately.
Edit2:
So I've set up a DNAT rule basically forwarding all ports in the given port range to the single target test machine. Not the way to have it later (as I'd hope to have multiple machines capable of running online games) but a useful test.
No luck unfortunately.
I have found out that the UTM does connection tracking to ensure that an internally opened connection is allowed through the firewall; this is not displayed in the logs usually (I wondered why I didn't see any packets at all replying to the outgoing connections).
So I have checked the conntrack table on the CLI -> but still no luck in finding responses.
I see the new request with status Unreplied but no updates to it with the given mark.
I have double-checked the exposed host/port forward on the router and that is working - I see tons of scans from the outside ;)
At a loss :(
Edit3:
Hm, confused. Added a SNAT rule replacing the internal IP with the WAN IP... That works... Removed all DNAT rules... still works.
So basically the ISP router didn't know what to do with the outgoing unknown IP (from the NAT'ed network) I guess...
Now I need to find out whether I need that for all non-web requests... ;)
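The behaviour the poster worked out in Edit3 can be reproduced with a small model of the two NAT hops. The following is an added example and not part of the original post or of Sophos UTM: it models the UTM's conntrack table, the upstream ISP router's own NAT and routing table, and a single SYN from the test machine. The Edit1 addresses (192.168.127.13, 192.168.193.20, the ISP router's 192.168.193.0/24 and 192.168.128.0/18 networks) come from the post; the game server address 203.0.113.10 and the ISP public address 198.51.100.7 are constructed placeholders from the documentation ranges. Without SNAT on the UTM, the reply is un-NATed by the ISP router to a 192.168.127.x destination it has no route for, so the UTM entry never leaves the UNREPLIED state; with SNAT to the UTM WAN IP the reply finds its way back and the entry is marked replied.

```python
import ipaddress
from dataclasses import dataclass, replace

# Topology from the post's Edit1 layout.
TEST_MACHINE = "192.168.127.13"   # client behind the UTM
UTM_WAN_IP = "192.168.193.20"     # UTM external interface on the ISP router's Port4 net
# Networks the ISP router is directly attached to; 192.168.127.0/24 is NOT among them.
ISP_ROUTER_CONNECTED = [ipaddress.ip_network("192.168.193.0/24"),
                        ipaddress.ip_network("192.168.128.0/18")]
GAME_SERVER = "203.0.113.10"      # constructed placeholder (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Conntrack:
    """Toy stateful table: original 4-tuple -> translated 4-tuple plus reply state."""

    def __init__(self):
        self.table = {}

    def new(self, orig: Packet, translated: Packet) -> None:
        self.table[orig] = {"translated": translated, "state": "UNREPLIED"}

    def match_reply(self, reply: Packet):
        # A reply matches an entry when it is the exact reverse of the translated tuple.
        for orig, entry in self.table.items():
            t = entry["translated"]
            if (reply.src, reply.sport, reply.dst, reply.dport) == (t.dst, t.dport, t.src, t.sport):
                entry["state"] = "REPLIED"
                return orig
        return None

    def state_of(self, orig: Packet) -> str:
        return self.table[orig]["state"]


def utm_egress(pkt: Packet, ct: Conntrack, snat: bool) -> Packet:
    """UTM forwards an outbound packet, recording it and optionally rewriting the source."""
    translated = replace(pkt, src=UTM_WAN_IP) if snat else pkt
    ct.new(pkt, translated)
    return translated


class IspRouter:
    PUBLIC_IP = "198.51.100.7"  # constructed placeholder for the ISP-assigned dynamic address

    def __init__(self):
        self.nat = {}  # (public ip, port) -> private source the packet came from

    def egress(self, pkt: Packet) -> Packet:
        # The ISP router NATs whatever arrives on its LAN side, known network or not.
        self.nat[(self.PUBLIC_IP, pkt.sport)] = pkt.src
        return replace(pkt, src=self.PUBLIC_IP)

    def ingress(self, reply: Packet):
        inner_dst = self.nat.get((reply.dst, reply.dport))
        if inner_dst is None:
            return None
        # After un-NATing it must route to the private destination; it only knows its own nets.
        if not any(ipaddress.ip_address(inner_dst) in net for net in ISP_ROUTER_CONNECTED):
            return None  # no route back: reply is dropped or pushed toward the default gateway
        return replace(reply, dst=inner_dst)


def server_reply(pkt: Packet) -> Packet:
    """The game server answers the address and port it saw the SYN from."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def simulate(snat_enabled: bool) -> str:
    """Send one SYN from the test machine and report the UTM conntrack state afterwards."""
    ct, isp = Conntrack(), IspRouter()
    syn = Packet(TEST_MACHINE, 51000, GAME_SERVER, 443)
    out_utm = utm_egress(syn, ct, snat_enabled)      # hop 1: UTM
    out_isp = isp.egress(out_utm)                     # hop 2: ISP router
    back = isp.ingress(server_reply(out_isp))         # reply comes back to the ISP router
    if back is not None:
        ct.match_reply(back)                          # UTM sees the reply and updates its table
    return ct.state_of(syn)


if __name__ == "__main__":
    print("without SNAT:", simulate(False))  # UNREPLIED, like the poster's conntrack output
    print("with SNAT:   ", simulate(True))   # REPLIED
```

The model only covers the routing problem the post ends on: the second NAT hop has no return route to the UTM's internal network, so masquerading at the UTM (or a static route on the ISP router, which the poster could not configure) is what lets replies reach the conntrack entry.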