Nat don't forward

Hi, and welcome to the UTM Community!

Please insert a picture of your NAT rule.

Cheers - Bob

Hi, thank you :)

Yes with pleasure :

And the Livelog with 1 test on 443 :

also :

On Haproxy device, which IP address is configured as a default gateway, is it 192.168.0.100 (UTM) ?

not for now this is still freebox (192.168.0.254)

Sophos ping normaly haproxy (192.168.0.247) :

In my opinion that is the problem, because you are only translating destination IP, not the source one. I don't know what is Freebox, but I guess it is also some kind of stateful firewall device. Packet flow is:

Public IP -> Freebox -> UTM -> Haproxy -> Freebox (denied - no session state in the NAT table).

Try with Full NAT instead of DNAT and define UTM LAN IP as a changed source. Anyway, it is not recommended to use UTM with only one interface for firewall functionalities (you have probably seen warning during the setup).

In my opinion that is the problem, because you are only translating destination IP, not the source one. I don't know what is Freebox, but I guess it is also some kind of stateful firewall device. Packet flow is:

Public IP -> Freebox -> UTM -> Haproxy -> Freebox (denied - no session state in the NAT table).

Try with Full NAT instead of DNAT and define UTM LAN IP as a changed source. Anyway, it is not recommended to use UTM with only one interface for firewall functionalities (you have probably seen warning during the setup).

I did not think about it
I try it tonight (in France it is 6:50 p.m.)

I have not been warning since I attached two physical cards but i just use one

I could simulate wan on my current lan to improve perf?

I do not want to put my box in bridge that's why I thought using one nic (for lan)

EDIT :

Just test and it's ok with full nat :

Same time (19:00) here in Serbia...;)

Try with Full NAT, it should work. In worst case you can reconfigure your network infrastructure like this (scenario that I have in my office with ISP cable modem that doesn't support bridging):

Internet -> Freebox (192.168.0.254) -> (192.168.0.100) UTM (192.168.1.100) -> LAN (192.168.1.0/24)

Yes with the full natIt Works! thank you very much :)

Yes I will organize my architecture like this, it will be cleaner and better organized

Hello everyone !

I'm still in this mode but i encounter a problem
with full nat i change the source and therefore the logs of my servers not see the real IP user

Is there a solution?

thank you

Once the address is NAT-ed the source IP is not visible on the server side. That is one of the basic principles of Internet and using private IP ranges.

With DNAT it's ok however

Sure, because DNAT only translates destination and not source address. SNAT translates only source IP addresses (also known as MASQ). Full NAT do it both.