Port Forwarding Question

I'll start by apologizing. I have tried hard to get port forwarding to work, but not only is the wording of the settings in UTM a little confusing, but I'm still learning some networking concepts, which complicates the issue. Here is my setup:

ISP Router External IP: 36.12.18.18

ISP Router Internal IP: 10.10.10.254

External UTM Interface IP: 10.10.10.100

Internal UTM Interface IP: 15.15.15.100

All of my internal IPs are on the 15.15.15.0/24 subnet. I have a number of different services that I need to forward for various reasons to those 15.15.15.0/24 addresses. Any help setting those up would be GREATLY appreciated. Even pointing me in the right direction (since DNAT didn't seem to be the right setup) would be great.

My two primary questions:

  1. When I'm building the rule, I tell it where the traffic is "coming from". Since there is the ISP router involved, do I say that the traffic is "coming from" that IP or should I set that to the address of the external servers that will be trying to access my internal devices?
  2. When I'm building the rule, I tell it where the traffic is "going to". Should I tell it that it's "going to" my external IP address or is it "going to" the UTM external gateway IP?


  • Forwarding has to be done on the ISP router, optionally on the UTM, too. But i would avoid Double NAT in any case unless there is absolutely no other way.

    The connection that hits the UTM will then have the original IP as source, in no case the IP of the ISP router in the transfer network 10.10.10. I would simply route between the internal networks, with no additional NAT or masquerading on the UTM.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • I've been warned about double NATing, but I can't avoid it. The ISP router doesn't work in full bridge and I can't replace it. I should also have clarified that the forwarding rules are set up properly on the router. Not only is it simple, but in my head it's more obvious how that looks (i.e. it's coming from the external server and it's "going to" my external IP).

    So I should set it up as a DNAT rule with the "coming from" address as the internal gateway of the ISP router, correct?

  • No you need to set the first rule on the ISP router, target for your service is then the UTM's IP in the 10.10.10 network.

    Then as I said incoming connections should hit it (visible in firewall live log) with source external IPs.

    So the UTM NAT rule then has to be your designated service (e.g. HTTPS) hitting the 'external' UTM address (important), with the destination changed (DNAT) to the internal IP.

    The firewall rule will then have to be 'Internet IPv4', HTTPS, 'internal (LAN) IP of your web server', for example. Or simply use the automatic firewall rule checkbox in the NAT rule.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
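The two-hop forward described in the answer above, as an added simulation that is not Sophos UTM code and not part of the original thread. It models each hop as a DNAT rule with the UTM's "coming from" / "going to" fields, uses the addresses from the question (36.12.18.18, 10.10.10.254, 10.10.10.100) and assumes a web server at 15.15.15.50 and a client at 203.0.113.7 (both constructed). It shows why the packet arriving at the UTM still carries the client's source address and the UTM external IP as destination, and why a rule that matches on the public IP or on the ISP router's LAN address never fires.

```python
"""Toy model of a double-NAT port forward (ISP router -> UTM -> LAN host).

Added example, not UTM code. Topology from the thread:
  Internet -> ISP router (WAN 36.12.18.18, LAN 10.10.10.254)
           -> UTM (external 10.10.10.100, internal 15.15.15.100)
           -> web server in 15.15.15.0/24 (assumed: 15.15.15.50)
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    """One destination-NAT rule: 'coming from', 'going to', service, new target."""
    coming_from: str            # "any", or a single IP / CIDR the source must be in
    going_to: str               # destination address the packet must carry on arrival
    proto: str
    dport: int
    new_dst: str
    new_dport: Optional[int] = None   # None keeps the original port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto or self.dport != pkt.dport:
            return False
        if self.going_to != pkt.dst:
            return False
        if self.coming_from == "any":
            return True
        net = ipaddress.ip_network(self.coming_from, strict=False)
        return ipaddress.ip_address(pkt.src) in net

    def apply(self, pkt: Packet) -> Packet:
        # DNAT rewrites only the destination; the source address is untouched.
        return replace(pkt, dst=self.new_dst, dport=self.new_dport or pkt.dport)


def dnat(rules: List[DnatRule], pkt: Packet) -> Optional[Packet]:
    """First matching rule wins; None means no forward exists for this packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.apply(pkt)
    return None


ISP_WAN = "36.12.18.18"
ISP_LAN = "10.10.10.254"
UTM_EXT = "10.10.10.100"
WEBSERVER = "15.15.15.50"   # assumed internal host

# Hop 1, on the ISP router: public IP:443 -> UTM external address.
ISP_ROUTER_RULES = [DnatRule("any", ISP_WAN, "tcp", 443, UTM_EXT)]
# Hop 2, on the UTM (the working rule from the thread): any -> 10.10.10.100:443 -> server.
UTM_RULES = [DnatRule("any", UTM_EXT, "tcp", 443, WEBSERVER)]

# The two variants the thread shows do NOT work:
WRONG_GOING_TO = [DnatRule("any", ISP_WAN, "tcp", 443, WEBSERVER)]      # public IP never reaches the UTM
WRONG_COMING_FROM = [DnatRule(ISP_LAN, UTM_EXT, "tcp", 443, WEBSERVER)]  # source is the client, not the router

# Constructed client connection from the Internet.
CLIENT = Packet("203.0.113.7", 51234, ISP_WAN, 443)


def forward(pkt: Packet, utm_rules: List[DnatRule] = UTM_RULES) -> List[Tuple[str, Packet]]:
    """Walk a packet through both NAT hops; returns (location, packet) per hop."""
    hops = [("internet", pkt)]
    at_utm = dnat(ISP_ROUTER_RULES, pkt)
    if at_utm is None:
        return hops
    hops.append(("utm-external", at_utm))    # what the UTM firewall live log would show
    at_lan = dnat(utm_rules, at_utm)
    if at_lan is None:
        return hops
    hops.append(("lan", at_lan))
    return hops


def source_seen_at_utm(pkt: Packet = CLIENT) -> Optional[str]:
    hops = forward(pkt)
    return hops[1][1].src if len(hops) > 1 else None


def final_destination(pkt: Packet = CLIENT, utm_rules: List[DnatRule] = UTM_RULES) -> Optional[str]:
    hops = forward(pkt, utm_rules)
    return hops[-1][1].dst if len(hops) == 3 else None


if __name__ == "__main__":
    print("source at UTM:", source_seen_at_utm())
    for name, rules in (("correct", UTM_RULES),
                        ("going_to=public IP", WRONG_GOING_TO),
                        ("coming_from=ISP LAN IP", WRONG_COMING_FROM)):
        print(f"{name}: delivered to {final_destination(utm_rules=rules)}")
```

Running it prints the client address as the source seen at the UTM and `15.15.15.50` only for the correct rule; the other two rule sets return `None`, which is exactly the symptom of a DNAT rule that looks right but never matches. The model deliberately has no SNAT/masquerade on the UTM, matching the advice in the answer to route rather than NAT a second time, so the internal server also sees the real client address.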

  • I finally got the DNAT rule working, thank you! I just had to choose the "Any" as the "coming from" and 10.10.10.100 as the "going to" address. I setup several services already. Thank you for the help!