
DMZ network, separate interface, cross contamination??

I am trying to set up a 2nd LAN on my UTM. It's for someone's offsite location. It uses a separate internal NIC and I want to give it a specific static public IP.

I've followed multiple articles about setting up DMZs but I'm still getting cross contamination of the traffic.

Are there any decent articles that explain the whole process?

I've tried using DNAT & SNAT, Full NAT? Auto FW rules on and off, creating FW rules to block traffic between the 2 networks......

I can still ping the other network on both sides even with all ICMP options disabled.

I do not have the DMZ network added to Web filtering or IPS.

Do I also need to set up a Multipath rule?

Thanks


JK



  • This is still confusing, John - why would you want to connect the Draytek's WAN port to an internal NIC?

    If I understand your situation, I would do the following:

    • Put an Additional Address on the External interface named, e.g., "Client"
    • Add a DMZ Interface for the client's server
    • Make a Host definition for the client's server named, e.g., "Client's Server" - be careful to obey #3 in Rulz.
    • Assuming that the client's traffic will all come from a limited number of IPs, make a Host/Network definition for that named, e.g., "Client's IPs"
    • Make a NAT rule: 'DNAT : Client's IPs -> Any -> External [Client] Address : to Client's Server : Automatic firewall rules'
    • You will want a masq rule like 'DMZ (Network) -> External [Client]' and a firewall rule like 'Client's Server -> Any -> Internet : Allow'
    • Be sure to change your current firewall rules to use "Internet" instead of the "Any" network object - this prevents "Internal (Network)" from reaching the client's server.

    Is that what you're trying to accomplish?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
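The last step in Bob's list (use "Internet" rather than "Any" as the destination of the existing rules) is what actually stops Internal (Network) from reaching the DMZ server. The following is an added example, not code from the thread or from Sophos, that models the rule set from the reply as a first-match policy and shows the difference; all addresses and object names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing for illustration only (assumption, not from the thread).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")        # Internal (Network)
DMZ = ipaddress.ip_network("10.10.10.0/24")              # DMZ (Network)
CLIENT_SERVER = ipaddress.ip_address("10.10.10.5")       # "Client's Server" host
CLIENT_IPS = ipaddress.ip_network("203.0.113.0/28")      # "Client's IPs" network
EXTERNAL_CLIENT = ipaddress.ip_address("198.51.100.20")  # Additional Address "Client"

def is_internet(addr):
    """Models the UTM 'Internet' object: anything not on one of our own networks."""
    return not any(addr in net for net in (INTERNAL, DMZ))

def dnat(src, dst):
    """DNAT: Client's IPs -> External [Client] Address : to Client's Server."""
    if src in CLIENT_IPS and dst == EXTERNAL_CLIENT:
        return CLIENT_SERVER
    return dst

# Each rule is (source predicate, destination predicate, action).
# First match wins; anything unmatched is dropped, as on the UTM.
COMMON = [
    (lambda s: s in CLIENT_IPS, lambda d: d == CLIENT_SERVER, "allow"),  # automatic rule from DNAT
    (lambda s: s == CLIENT_SERVER, is_internet, "allow"),                # Client's Server -> Internet
]
# The existing internal rule written with "Any" versus with "Internet" as destination.
RULES_WITH_ANY = [(lambda s: s in INTERNAL, lambda d: True, "allow")] + COMMON
RULES_WITH_INTERNET = [(lambda s: s in INTERNAL, is_internet, "allow")] + COMMON

def check(rules, src_str, dst_str):
    """Apply DNAT first (it runs before filtering on the UTM), then evaluate the rules."""
    src = ipaddress.ip_address(src_str)
    dst = dnat(src, ipaddress.ip_address(dst_str))
    for src_match, dst_match, action in rules:
        if src_match(src) and dst_match(dst):
            return action
    return "drop"

if __name__ == "__main__":
    # Internal host trying to reach the client's DMZ server: allowed with "Any", dropped with "Internet".
    print("Any:     ", check(RULES_WITH_ANY, "192.168.1.50", "10.10.10.5"))
    print("Internet:", check(RULES_WITH_INTERNET, "192.168.1.50", "10.10.10.5"))
    # Client's own IPs still reach the server through the DNAT on the additional address.
    print("Client:  ", check(RULES_WITH_INTERNET, "203.0.113.7", "198.51.100.20"))
```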