firewall rules without NAT/MASQ

OK guys, many thanks for your help and suggestions so far. unfortunately it didn't help. anyway I'd like to update to everyone...

@darrellr: this was my very first idea when confronted with the problem. but Sophos UTM doesn't let you do that. uncheck the "default gateway" checkbox from the WAN interface, go to static routes and add a network 0.0.0.0/0 and it tells you "default gateway can only be defined via the checkbox in interface settings". that is the reason why i was specifically mentioning that Sophos "raped" the routing of the underlying Linux and the default gateway doesn't show up on "netstat -arn".

@HerrnRolf Mueller: you are right on the "forward ping" checkbox but the "utm is pingeable" has nothing to do with that - that is to being able to ping the outside interface from the Internet. anyway i played with all checkboxes earlier and nothing helped.

@sachingurung: i completely wasted an hour of my time by putting the firewall in bridge mode. i noticed a big flaw in the approach because I can't define which bridge leg is outside and which is inside. in this configuration the firewall is prone to man-in-the-middle-attacks. i can't even imagine how one could use the Sophos in transparent mode with that in mind. really dangerous!!! anyway a complete waste of time as the problem is essentially the same: as long as i haven't created a MASQ rule no traffic is forwarded through the firewall.

i still have two ideas about the problem: it is a BUG in UTM 9.4 or the "raped routing" has a problem with egres of RFC1918 IP addresses to the Internet. then this would be a feature and the "MASQ trick" is the BUG. i'll keep you updated...

Hi Bjorn,

The UTM defines which leg is the outside by which side it contacts the default gateway on. However this is not quite the case because like most other vendors the UTM does not have the concept really of "in" and "out" except what flows down the default gateway path. 

Now if you need the original IPs to flow across the UTM to another part of the network then you can simply set up a static gateway routes for the applicable network resources on either side of the UTM to reach another router which is directly subnet aware of the subnets either side is trying to reach. Default gateways set up on interfaces do not automatically set up masquerade rules.

Interfaces do not need default gateway routes however these are best practice for 0.0.0.0/0 routes. Now I'm paraphrasing here but the default gateway route is applied on the interface and not part of the routing table that's visible to the user from SSH (but are to the routing table under Support > Advanced > Routes Table and defined as "default via"). You should use a default gateway specifically so anything the that you've not set up as a static route goes to the appropriate next hop. Now I'm guessing you have a fairly logical architecture that realistically you have a single core gateway path for unknown network resources whether this be another core router or an EDGE device.

What you have suffered here is the Wonder Wizard of Woeful Wonderment, you sound like you know what you're needing to do so do not use the Wizard and configure it manually.

Because the UTM is going to be an interconnecting point between your two sides of the network then you would do as follows:

• Network A points either directly at the UTM or to a core router that points at the UTM for the resources for Network B
• Network B points either directly at the UTM or to a core router that points at the UTM for the resources for Network A
• The UTM has a default gateway set up on one of the interfaces (preferable) that any unknown traffic needs to go to either a core router responsible for the next hop or an EDGE device responsible for masquerading for internet traffic
• Do not enable any masquerading rules if not required
• Create a firewall rule that allows the ICMP protocol that has the source and destination as both Networks A & B
• To add to Balfsons comment, under the ICMP tab for the firewall, enable the checkboxes for:
  • ICMP through gateway
  • ICMP through gateway from External Networks
  • Gateway forwards pings

The UTM can do firewalling without NAT. If masquerading does occur through some kind of magical trickery then you need to create a NoNAT rule that applies to the subnets the UTM will have flowing through it from either side for any service.

To also add to BAlfsons reply, engage with Sophos Pre-sales to fully understand from a home grown Sophos Engineer who have all the resources at their fingertips to help you understand if this appliance is right for you. BAlfson is right, what you're asking for should not be done in a forum like this and as this is pre-sales there are whole teams and channels dedicated with helping you spend money with Sophos :)

Emile

Hi Bjorn,

The UTM defines which leg is the outside by which side it contacts the default gateway on. However this is not quite the case because like most other vendors the UTM does not have the concept really of "in" and "out" except what flows down the default gateway path. 

Now if you need the original IPs to flow across the UTM to another part of the network then you can simply set up a static gateway routes for the applicable network resources on either side of the UTM to reach another router which is directly subnet aware of the subnets either side is trying to reach. Default gateways set up on interfaces do not automatically set up masquerade rules.

Interfaces do not need default gateway routes however these are best practice for 0.0.0.0/0 routes. Now I'm paraphrasing here but the default gateway route is applied on the interface and not part of the routing table that's visible to the user from SSH (but are to the routing table under Support > Advanced > Routes Table and defined as "default via"). You should use a default gateway specifically so anything the that you've not set up as a static route goes to the appropriate next hop. Now I'm guessing you have a fairly logical architecture that realistically you have a single core gateway path for unknown network resources whether this be another core router or an EDGE device.

What you have suffered here is the Wonder Wizard of Woeful Wonderment, you sound like you know what you're needing to do so do not use the Wizard and configure it manually.

Because the UTM is going to be an interconnecting point between your two sides of the network then you would do as follows:

• Network A points either directly at the UTM or to a core router that points at the UTM for the resources for Network B
• Network B points either directly at the UTM or to a core router that points at the UTM for the resources for Network A
• The UTM has a default gateway set up on one of the interfaces (preferable) that any unknown traffic needs to go to either a core router responsible for the next hop or an EDGE device responsible for masquerading for internet traffic
• Do not enable any masquerading rules if not required
• Create a firewall rule that allows the ICMP protocol that has the source and destination as both Networks A & B
• To add to Balfsons comment, under the ICMP tab for the firewall, enable the checkboxes for:
  • ICMP through gateway
  • ICMP through gateway from External Networks
  • Gateway forwards pings

The UTM can do firewalling without NAT. If masquerading does occur through some kind of magical trickery then you need to create a NoNAT rule that applies to the subnets the UTM will have flowing through it from either side for any service.

To also add to BAlfsons reply, engage with Sophos Pre-sales to fully understand from a home grown Sophos Engineer who have all the resources at their fingertips to help you understand if this appliance is right for you. BAlfson is right, what you're asking for should not be done in a forum like this and as this is pre-sales there are whole teams and channels dedicated with helping you spend money with Sophos :)

Emile