
NAT doesn't forward


Hello, sorry for my english

I use Sophos UTM 9 Home Edition on a virtual machine with the ESXi hypervisor.

I have a "Freebox" (192.168.0.254), which is a fairly simple box. I do not want to put it in bridge mode (too inconvenient), so I decided to put the Sophos firewall in the DMZ (all ports are redirected to Sophos (192.168.0.100)).

I created a NAT rule (DNAT / SNAT) which states that all requests on port 443 (public port) are redirected to the LAN interface (192.168.0.0) on a haproxy machine (192.168.0.247) on port 5443 (local port).

In the logs, when I access the public IP:443, I see in the livelog that the request is accepted (white) but nothing happens...

On my Sophos UTM I have only one interface (LAN)

Do you have an idea ?

thank you very much



  • Hi, and welcome to the UTM Community!

    Please insert a picture of your NAT rule.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, thank you :)

    Yes with pleasure :

    And the Livelog with 1 test on 443 :


    also :

  • On the Haproxy device, which IP address is configured as the default gateway, is it 192.168.0.100 (UTM)?

  • Not for now, this is still the Freebox (192.168.0.254)

    Sophos pings haproxy (192.168.0.247) normally :

  • In my opinion that is the problem, because you are only translating destination IP, not the source one. I don't know what is Freebox, but I guess it is also some kind of stateful firewall device. Packet flow is:

    Public IP -> Freebox -> UTM -> Haproxy -> Freebox (denied - no session state in the NAT table).

    Try with Full NAT instead of DNAT and define UTM LAN IP as a changed source. Anyway, it is not recommended to use UTM with only one interface for firewall functionalities (you have probably seen warning during the setup).

  • I did not think about it
    I try it tonight (in France it is 6:50 p.m.)

    I have not been warned since I attached two physical cards, but I just use one

    Could I simulate the WAN on my current LAN to improve performance?


    I do not want to put my box in bridge mode, that's why I thought of using one NIC (for LAN)

    EDIT :


    Just tested and it's OK with Full NAT :

  • Same time (19:00) here in Serbia...;)

    Try with Full NAT, it should work. In worst case you can reconfigure your network infrastructure like this (scenario that I have in my office with ISP cable modem that doesn't support bridging):

    Internet -> Freebox (192.168.0.254) -> (192.168.0.100) UTM (192.168.1.100) -> LAN (192.168.1.0/24)
