NAT pool

My first post here -- apologies if this has been dealt with in the past.

I have seen some related discussion on this in the forum, but it does not seem to answer what I am trying to do:

On an SG appliance running UTM 9.4, I want to use 2 of our external IPs for masquerade (out of a block of /29 that we have).

As an example, to NAT 192.168.1.0/24 to a pool of 2 IPs xxx.149.196.157 and .158, in Cisco IOS I would do

    ! define list 1 as the internal address block of /24
    access-list 1 permit 192.168.1.0 0.0.0.255

    ! define pool1 as the 2-address pool for NAT
    ip nat pool pool1 184.149.196.157 184.149.196.158 netmask 255.255.255.248

    ! do balanced NAT-ing (PAT) using the two public addresses in pool1
    ip nat inside source list 1 pool pool1 overload

How to achieve this in UTM 9?

Thanks

  • We do not have multiple uplinks, so I am not trying any uplink balancing. I only want to have SNAT with multiple source addresses, as below:

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source x.y.z.1-x.y.z.3

    It seems the UTM web interface cannot handle this. I did submit a feature request.

  • Hi, selva, and welcome to the UTM Community!

    May I ask why you want to do this - what benefit you hope to achieve?

    Cheers - Bob

  • Hi Bob.

    Thanks.

    Well, that's how a client's Cisco router was set up (with a NAT pool of 4 public IPs) and I wanted to recreate the original config as closely as possible. Having multiple IPs could help avoid ephemeral port exhaustion, but that is unlikely in the setup I was working on. That said, iptables can handle it, so there is no real reason not to allow it in UTM's UI...

    Selva
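
To make the port-exhaustion point concrete, here is a small toy model of a many-to-few source NAT (Cisco "overload" / iptables SNAT with an address range). It is an added illustration, not code from the thread or from Sophos; the class name SnatPool, the default port range 1024-65535 and the hash-based choice of pool address are assumptions that approximate, rather than reproduce, the Cisco or Linux implementation.

```python
"""Toy model of a many-to-few SNAT pool: (addresses x ports) is the flow ceiling."""
import ipaddress


class SnatPool:
    """Maps internal flows onto a pool of public addresses and ports (constructed model)."""

    def __init__(self, first, last, port_range=(1024, 65535)):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        # Expand the inclusive range, like iptables' --to-source x.y.z.1-x.y.z.3
        self.addrs = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.lo_port, self.hi_port = port_range
        self.used = {a: set() for a in self.addrs}  # public address -> ports in use
        self.table = {}  # (src, sport, dst, dport) -> (public address, public port)

    def capacity(self):
        """Maximum number of concurrent flows the pool can carry."""
        return len(self.addrs) * (self.hi_port - self.lo_port + 1)

    def _free_port(self, pub, wanted):
        """Keep the original source port if it is usable, else the lowest free port."""
        if self.lo_port <= wanted <= self.hi_port and wanted not in self.used[pub]:
            return wanted
        for p in range(self.lo_port, self.hi_port + 1):
            if p not in self.used[pub]:
                return p
        return None

    def translate(self, src, sport, dst, dport):
        """Return the (public address, port) for a flow, allocating one if new."""
        key = (src, sport, dst, dport)
        if key in self.table:  # existing flow keeps its mapping (stateful NAT)
            return self.table[key]
        # Start at an address chosen by hashing the internal source (assumption),
        # then walk the pool so a full address does not block the whole translation.
        start = int(ipaddress.IPv4Address(src)) % len(self.addrs)
        for i in range(len(self.addrs)):
            pub = self.addrs[(start + i) % len(self.addrs)]
            port = self._free_port(pub, sport)
            if port is not None:
                self.used[pub].add(port)
                self.table[key] = (pub, port)
                return pub, port
        raise RuntimeError("SNAT pool exhausted: no free (address, port) pair")
```

Run with a deliberately tiny port range to see one address exhaust after two flows while the two-address pool carries four before refusing the fifth.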

  • What is the Cisco router supposed to do? It seems to me like Cisco routers are pushing stateless traffic to a stateful firewall, which has been a nightmare in my case.

  • It's not a Cisco and doing iptables at the command line could void the warranty.  Open a ticket with Sophos Support and see if they'll let you make a change at the command line.  There are tricks that will let you automate something after a reboot is complete.

    An alternative would be an inexpensive switch in front of the External NIC.  You then could put 4 IPs on four External NICs, use a different masq rule for each and then use Uplink Balancing to distribute the traffic over the four Interfaces.  If the switch can do VLANs, you can accomplish the same thing with a single NIC.  Will that skin your cat?

    Cheers - Bob

  • Bob does that have to be a layer 3 switch?

  • My experience with Sophos support has been pathetic, so I'll pass on that.

    This is my first and very likely last Sophos appliance for clients[*], so I'll do some such hackery if/when it hurts. I wish I could wear my sysadmin hat without fear of losing the warranty. I'm surprised that UTM has no officially sanctioned CLI.

    Thanks for taking time to comment.

    [*] The free UTM license is great for home use though...

  • More than likely off topic, but sometimes people say the right thing and my brain goes "ding!" and then proceeds to fix something.

  • I saw an 8-port VLAN switch on NewEgg for $65 that would do the trick - not layer 3 that I know of.

    Cheers - Bob

  • I have a spare HP ProCurve 1810G-24 switch. If I have a Cisco router connected to it, would I have to tag all the VLANs in the switch for the DMZ zone?

  • UTM can work with VLANs. I think the ProCurve can connect to a device on an untagged port, tag the traffic and send it out on a VLAN to the DMZ port of the UTM. Is that the question you were asking?

    Cheers - Bob