firewall rules without NAT/MASQ

Question

I'm in the phase of evaluating Sophos UTM as the standard firewall product for a large company. One thing that I stumbled upon - and which would be a show stopper - is that you can't use any firewall rules without activating masquerading. Though for many users this seems logic as they want to hide their private IP address space behind a public IP. But in my case I just want to have a firewall between two networks without doing NAT. 
 When setting up the UTM through the initial wizard it automatically created a MASQ rule on the WAN interface. As I didn't want that I removed that rule in the next step. Then I created firewall rules (like allow ping from any4 to any4). The hosts on the LAN side can't ping anything on the WAN side. While troubleshooting I tried many things, nothing helped until I re-entered the MASQ rule. 
 Is MASQ/NAT required for the firewall to work? If so, why? Is there a workaround to get firewalling without NAT (like activating MASQ but also creating a NAT excemption rule)? Firewall in bridge mode is no option as I don't need a transparent firewall but a device routing between two different IP networks. 
 Also I have noted that I can't add a default route the traditional way. If I create a route to 0.0.0.0/0 UTM tells me that I have to do that via the WAN interface (checkbox default gateway). I could live with that but I can think of situations where this would be counter-productive. Fun fact here: when SSHing into the UTM and issuing 'netstat -arn' I don't see the default rule. Why is that?

Emile Belcourt · Answer

Hi Bjorn, 
 The UTM defines which leg is the outside by which side it contacts the default gateway on. However this is not quite the case because like most other vendors the UTM does not have the concept really of "in" and "out" except what flows down the default gateway path. 
 Now if you need the original IPs to flow across the UTM to another part of the network then you can simply set up a static gateway routes for the applicable network resources on either side of the UTM to reach another router which is directly subnet aware of the subnets either side is trying to reach. Default gateways set up on interfaces do not automatically set up masquerade rules. 
 Interfaces do not need default gateway routes however these are best practice for 0.0.0.0/0 routes. Now I'm paraphrasing here but the default gateway route is applied on the interface and not part of the routing table that's visible to the user from SSH (but are to the routing table under Support > Advanced > Routes Table and defined as "default via"). You should use a default gateway specifically so anything the that you've not set up as a static route goes to the appropriate next hop. Now I'm guessing you have a fairly logical architecture that realistically you have a single core gateway path for unknown network resources whether this be another core router or an EDGE device. 
 What you have suffered here is the Wonder Wizard of Woeful Wonderment, you sound like you know what you're needing to do so do not use the Wizard and configure it manually. 
 Because the UTM is going to be an interconnecting point between your two sides of the network then you would do as follows: 
 
 Network A points either directly at the UTM or to a core router that points at the UTM for the resources for Network B 
 Network B points either directly at the UTM or to a core router that points at the UTM for the resources for Network A 
 The UTM has a default gateway set up on one of the interfaces (preferable) that any unknown traffic needs to go to either a core router responsible for the next hop or an EDGE device responsible for masquerading for internet traffic 
 Do not enable any masquerading rules if not required 
 Create a firewall rule that allows the ICMP protocol that has the source and destination as both Networks A & B 
 To add to Balfsons comment, under the ICMP tab for the firewall, enable the checkboxes for:
 
 ICMP through gateway 
 ICMP through gateway from External Networks 
 Gateway forwards pings

The UTM can do firewalling without NAT. If masquerading does occur through some kind of magical trickery then you need to create a NoNAT rule that applies to the subnets the UTM will have flowing through it from either side for any service. 
 To also add to BAlfsons reply, engage with Sophos Pre-sales to fully understand from a home grown Sophos Engineer who have all the resources at their fingertips to help you understand if this appliance is right for you. BAlfson is right, what you're asking for should not be done in a forum like this and as this is pre-sales there are whole teams and channels dedicated with helping you spend money with Sophos :) 
 Emile

firewall rules without NAT/MASQ

Submitted a Tech Support Case lately from the Support Portal?