firewall rules without NAT/MASQ

I'm in the phase of evaluating Sophos UTM as the standard firewall product for a large company. One thing that I stumbled upon - and which would be a show stopper - is that you can't use any firewall rules without activating masquerading. To many users this seems logical, as they want to hide their private IP address space behind a public IP. But in my case I just want to have a firewall between two networks without doing NAT.

When setting up the UTM through the initial wizard it automatically created a MASQ rule on the WAN interface. As I didn't want that I removed that rule in the next step. Then I created firewall rules (like allow ping from any4 to any4). The hosts on the LAN side can't ping anything on the WAN side. While troubleshooting I tried many things, nothing helped until I re-entered the MASQ rule.

Is MASQ/NAT required for the firewall to work? If so, why? Is there a workaround to get firewalling without NAT (like activating MASQ but also creating a NAT exemption rule)? Firewall in bridge mode is not an option, as I don't need a transparent firewall but a device routing between two different IP networks.

Also I have noted that I can't add a default route the traditional way. If I create a route to 0.0.0.0/0 UTM tells me that I have to do that via the WAN interface (checkbox default gateway). I could live with that but I can think of situations where this would be counter-productive. Fun fact here: when SSHing into the UTM and issuing 'netstat -arn' I don't see the default rule. Why is that?



  • Hi,

    By default, masquerading is required to communicate with internet resources unless the UTM is deployed in bridge mode and there is a separate gateway that handles the web request. This is not a UTM behavior but how things work technically. You cannot access external resources with your internal IP address floating in the WAN.

    In UTM, the source address is only translated if the packet leaves the gateway system via the specified interface. Note further that the new source address is always the current IP address of that interface (meaning that this address can be dynamic).

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • sachingurung said:

    Hi,

    By default, masquerading is required to communicate with the internet resources unless the UTM is deployed in a bridge mode and there is a separate gateway that suffices the web request. This is not a UTM behavior but how things work technically. You cannot access external resources with your internal IP address floating in the WAN.

    Unfortunately I have to disagree! You are right on the fact that NAT would be necessary when connecting a private IP address space to the Internet, as of course RFC 1918 IP address space will be dropped by any ISP router. But that was not my question - please read carefully.

    I don't want to use the Sophos UTM to connect to the Internet but want to have some firewalling capabilities for traffic between two private IP address spaces. Imagine you would put a firewall between your datacenter and the user network. What should I do then? Create 1:1 NAT rules for every server in the datacenter? Spill hundreds of IP addresses for those 1:1 NAT rules? Clients would reach datacenter services through IP addresses different from the ones used in the datacenter, making support an unmanageable situation. Think of that...

    Deployment in bridge mode, on the other hand, means having the same IP network on both sides of the firewall. Most vendors call that a transparent firewall. That could be the workaround for the datacenter example I gave, but no one in the IP world would address the example given with a transparent firewall.

    Please think a bit outside of your box. The problem I have at hand is that I have an upstream firewall that does the NAT. The Sophos UTM is intended to separate the secure network behind the upstream firewall from a development/test network where anything can go wrong and I want to protect the network from that. Double NAT is bullshit and services like SIP will not work in such a situation. Bridge mode between secure and dev network is also unwise as it would require a complete IP address migration on 200 machines.

    It all might come to a simple answer: Sophos UTM is not the right product for my purpose (as virtually every other vendor can do firewalling without NAT). As there is a strong inclination to Sophos UTM I would have to tell my boss why we can't use it for the problem at hand. So I'm still asking: Why is MASQ required for firewalling? If the answer is: "by design" then I have something at hand. Anyway I'm still open to workarounds.

    Thanks so far for the effort sachingurung!

  • I will do some testing if I get time, but I have no idea why you would not be able to disable MASQ and just use routing to handle everything you describe.  Perhaps you need to remove the default gateway in the internet setup and then add a static route manually?  If all you want to do is act as a firewall between two internal networks, why deploy a UTM device at all?  You could do the very same thing using something like iptables with FirewallBuilder and get just as good results for simple firewall functionality.

  • In fact I had situations where I needed configurations as described by you.
    In general I would say start without the wizard and create the rules as you need them. I didn't get any trouble when running without NAT, and yes, I've created a scenario where I put a UTM behind some famous "fritzbox" and separated a network behind the UTM, having firewall rules, network separation and routing, all without NAT.

    One thing I could imagine is that you got stuck because you started by creating ICMP rules and tried to ping. Ping is special for the UTM, as there are checkboxes for "UTM is pingable" and "Forward pings". If you don't enable those checkboxes, you won't be able to ping, even if you have ICMP allow rules.

    I'd say what you want is possible with the UTM...

    Cheers Rolf

  • OK guys, many thanks for your help and suggestions so far. Unfortunately it didn't help. Anyway, I'd like to give everyone an update...

    @: this was my very first idea when confronted with the problem. But Sophos UTM doesn't let you do that. Uncheck the "default gateway" checkbox on the WAN interface, go to static routes and add a network 0.0.0.0/0, and it tells you "default gateway can only be defined via the checkbox in interface settings". That is the reason why I was specifically mentioning that Sophos "raped" the routing of the underlying Linux and the default gateway doesn't show up in "netstat -arn".

    @: you are right on the "forward ping" checkbox, but the "UTM is pingable" one has nothing to do with that - that is for being able to ping the outside interface from the Internet. Anyway, I played with all checkboxes earlier and nothing helped.

    @: I completely wasted an hour of my time by putting the firewall in bridge mode. I noticed a big flaw in the approach because I can't define which bridge leg is outside and which is inside. In this configuration the firewall is prone to man-in-the-middle attacks. I can't even imagine how one could use the Sophos in transparent mode with that in mind. Really dangerous!!! Anyway, a complete waste of time, as the problem is essentially the same: as long as I haven't created a MASQ rule, no traffic is forwarded through the firewall.

    I still have two ideas about the problem: it is a BUG in UTM 9.4, or the "raped routing" has a problem with egress of RFC 1918 IP addresses to the Internet. Then this would be a feature and the "MASQ trick" is the BUG. I'll keep you updated...

  • Without NAT, you're adding a router and its internal LAN(s) to your existing network.

    Routing to these new internal LANs must be set up on your existing network.  Either use static routes, or a routing protocol like OSPF.

  • Björn, you're having classic "newbie" problems here.  This all works very easily and elegantly, but you're approaching this as if it were a traditional firewall.  Whenever my company started a new activity, I would hire top outside experts to help us with the first two installations and then to watch my team develop the next solution, only intervening to discuss alternatives.  I realize you may not have that flexibility, but it wouldn't hurt to ask.  I've followed very experienced CCIEs that made a mess of the UTM configuration because they hadn't understood the metaphors when designing their solutions.

    As was stated above, pinging is regulated on the 'ICMP' tab of 'Firewall'.  However, I believe that affects only traffic leaving an Interface with a defined default gateway.  To allow pings between LANs, explicit firewall rules are required.  Note that "Ping" is not included in the "Any" service.

    From your description, I will guess that you will want a default gateway for your connection to your edge router and that your setup will require the use of three defined Interfaces if you're connecting a production LAN with a test LAN.  As long as the edge router has a route for your production LAN, you should be fine.

    Although WebAdmin automatically creates routes for the IPs and networks defined on its interfaces, manual firewall rules are required to allow traffic to pass.

    Cheers - Bob

    PS Your English is perfect, but I could tell that it's not your native language because of a cultural tip.  A native English speaker would not use the term "bull shit" in this case, feeling the term to be too vulgar.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bjorn,

    The UTM defines which leg is the outside by which side it contacts the default gateway on. However, this is not quite the case, because like most other vendors the UTM does not really have the concept of "in" and "out" except what flows down the default gateway path.

    Now if you need the original IPs to flow across the UTM to another part of the network, then you can simply set up static gateway routes for the applicable network resources on either side of the UTM to reach another router which is directly subnet-aware of the subnets either side is trying to reach. Default gateways set up on interfaces do not automatically set up masquerade rules.

    Interfaces do not need default gateway routes; however, these are best practice for 0.0.0.0/0 routes. Now I'm paraphrasing here, but the default gateway route is applied on the interface and is not part of the routing table that's visible to the user from SSH (but it is visible in the routing table under Support > Advanced > Routes Table, defined as "default via"). You should use a default gateway specifically so anything that you've not set up as a static route goes to the appropriate next hop. Now I'm guessing you have a fairly logical architecture, where realistically you have a single core gateway path for unknown network resources, whether this be another core router or an EDGE device.

    What you have suffered here is the Wonder Wizard of Woeful Wonderment, you sound like you know what you're needing to do so do not use the Wizard and configure it manually.

    Because the UTM is going to be an interconnecting point between your two sides of the network then you would do as follows:

    • Network A points either directly at the UTM or to a core router that points at the UTM for the resources for Network B
    • Network B points either directly at the UTM or to a core router that points at the UTM for the resources for Network A
    • The UTM has a default gateway set up on one of the interfaces (preferable) that any unknown traffic needs to go to either a core router responsible for the next hop or an EDGE device responsible for masquerading for internet traffic
    • Do not enable any masquerading rules if not required
    • Create a firewall rule that allows the ICMP protocol that has the source and destination as both Networks A & B
    • To add to BAlfson's comment, under the ICMP tab for the firewall, enable the checkboxes for:
      • ICMP through gateway
      • ICMP through gateway from External Networks
      • Gateway forwards pings

    The UTM can do firewalling without NAT. If masquerading does occur through some kind of magical trickery then you need to create a NoNAT rule that applies to the subnets the UTM will have flowing through it from either side for any service.

    To also add to BAlfson's reply, engage with Sophos Pre-sales to fully understand, from a home-grown Sophos Engineer who has all the resources at their fingertips, whether this appliance is right for you. BAlfson is right, what you're asking for should not be done in a forum like this, and as this is pre-sales there are whole teams and channels dedicated to helping you spend money with Sophos :)

    Emile
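The routing argument made in the two replies above (routes to the new LAN must exist on the existing network, and the UTM's default route shows up as "default via" in its routes table) can be checked with a small model. What follows is an added example and not code from the thread or from Sophos: a longest-prefix-match router simulation over 'ip route'-style tables. The hosts, interface names and the 10.10.0.0/16 (secure) / 10.20.0.0/16 (dev) prefixes are constructed for illustration. It shows the three cases the thread argues about: no return route (reply is black-holed at the edge), a MASQ rule on the UTM (reply is addressed to the UTM's own interface, so the missing route never matters), and a static return route on the edge router (works with original source IPs).

```python
"""Added example, not code from the thread or from Sophos: a small model of
longest-prefix routing that reproduces the situations discussed above.
Hosts, interface names and the 10.10.0.0/16 (secure) / 10.20.0.0/16 (dev)
prefixes are constructed for illustration."""
from ipaddress import ip_address, ip_interface, ip_network


def parse_ip_route(text):
    """Parse 'ip route'-style lines ('default via ...' included, as the UTM's
    Support > Advanced > Routes Table shows it) into (prefix, next_hop) pairs.
    next_hop is None for on-link prefixes."""
    table = []
    for line in text.strip().splitlines():
        parts = line.split()
        prefix = ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0], strict=False)
        via = ip_address(parts[parts.index("via") + 1]) if "via" in parts else None
        table.append((prefix, via))
    return table


def next_hop(table, dst):
    """Longest-prefix match. Returns the gateway, dst itself when on-link,
    or None when nothing (not even a default route) matches."""
    dst = ip_address(dst)
    best = None
    for prefix, via in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


class Node:
    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = [ip_interface(a) for a in addrs]
        self.table = parse_ip_route(routes)

    def has(self, ip):
        return any(a.ip == ip for a in self.addrs)

    def egress_addr(self, hop):
        """Address of the interface facing hop: what a MASQ rule rewrites
        the source to."""
        return next((a.ip for a in self.addrs if hop in a.network), None)


def trace(nodes, start, dst, max_hops=8):
    """Node names a packet to dst visits from node start, or None if it is
    black-holed or handed to a next hop outside the model (e.g. the ISP)."""
    dst = ip_address(dst)
    node, path = start, [start.name]
    for _ in range(max_hops):
        if node.has(dst):
            return path
        hop = next_hop(node.table, dst)
        node = next((n for n in nodes if hop is not None and n.has(hop)), None)
        if node is None:
            return None
        path.append(node.name)
    return None


def round_trip(nodes, src, dst, masq_node=None):
    """Send src->dst and the reply back. With masq_node set, that router
    rewrites the source to its egress address (a MASQ rule), so the reply is
    addressed to the router, which then delivers it to the original src."""
    src, dst = ip_address(src), ip_address(dst)
    src_node = next(n for n in nodes if n.has(src))
    dst_node = next(n for n in nodes if n.has(dst))
    fwd = trace(nodes, src_node, dst)
    if fwd is None:
        return False, "forward path black-holed"
    reply_to = src
    if masq_node is not None and masq_node.name in fwd:
        reply_to = masq_node.egress_addr(next_hop(masq_node.table, dst))
    back = trace(nodes, dst_node, reply_to)
    if back is None:
        return False, f"reply to {reply_to} black-holed"
    if reply_to != src:  # de-NAT: the masquerading router forwards to the real source
        rest = trace(nodes, masq_node, src)
        if rest is None:
            return False, "de-NAT delivery black-holed"
        back += rest[1:]
    return True, " -> ".join(fwd) + " | " + " -> ".join(back)


def build(return_route_on_edge=False):
    """Constructed topology: UTM between dev (10.20/16) and secure (10.10/16);
    the edge router is the secure net's gateway and NATs to the Internet."""
    edge_routes = "10.10.0.0/16 dev eth0\ndefault via 203.0.113.1 dev wan0"
    if return_route_on_edge:
        edge_routes += "\n10.20.0.0/16 via 10.10.0.1 dev eth0"
    return [
        Node("client", ["10.20.0.50/16"], "10.20.0.0/16 dev eth0\ndefault via 10.20.0.1 dev eth0"),
        Node("utm", ["10.20.0.1/16", "10.10.0.1/16"],
             "10.20.0.0/16 dev eth1\n10.10.0.0/16 dev eth0\ndefault via 10.10.0.254 dev eth0"),
        Node("server", ["10.10.0.80/16"], "10.10.0.0/16 dev eth0\ndefault via 10.10.0.254 dev eth0"),
        Node("edge", ["10.10.0.254/16"], edge_routes),
    ]


if __name__ == "__main__":
    plain = build()
    print("no return route, no MASQ:", round_trip(plain, "10.20.0.50", "10.10.0.80"))
    print("MASQ on the UTM:        ", round_trip(plain, "10.20.0.50", "10.10.0.80", masq_node=plain[1]))
    print("static route on edge:   ", round_trip(build(True), "10.20.0.50", "10.10.0.80"))
```

The first case is the symptom reported at the top of the thread: the ping leaves the dev side fine, but the server's reply follows its default route to the edge, which has no idea where 10.20.0.0/16 lives. MASQ "fixes" it only by making the reply's destination an on-link address of the UTM. The real fix for a routed, non-NAT firewall is the third case: a return route on the secure side's gateway (or on each host) pointing at the UTM's secure-side address, after which the firewall rules, not NAT, decide what passes.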
