DMZ, VPN Client, Routing, FW

Hello,

I would like to set up a router (VPN client) in a DMZ and route traffic from the LAN over the DMZ into an OpenVPN tunnel. I have the following configuration so far:

WAN Interface (Ethernet): 82.x.x.x

LAN: 192.168.0.0/24

DMZ: 10.0.0.0/8

Ping and web access to the DMZ router are working.


Firewall rules for DMZ:

LAN to DMZ / services http, https and ping allowed

Interesting for me is that when I deactivate this rule, I'm still able to reach the router's web interface via https?

If I want to establish a VPN tunnel with the router in the DMZ, do I need a separate masquerading rule?

At the moment I have the rule LAN to External (WAN); do I also need DMZ to External (WAN)?

When I want to route specific traffic over the tunnel, let's say http/https, what kind of firewall rules / configuration do I need?

Is there a way to split the traffic and route specific requests to a public website directly, without going over the tunnel?

Any help would be highly appreciated.

Thanks

Sally



  • Also, I would like to allow only specific services from LAN to DMZ and DMZ to LAN. Do I have to create a rule like DMZ to LAN block all, and add a separate rule after it like DMZ to LAN https, http?

    Thanks a lot!

    Sally

  • Also, I would like to allow only specific services from LAN to DMZ and DMZ to LAN. Do I have to create a rule like DMZ to LAN block all, and add a separate rule after it like DMZ to LAN https, http?

    - No, by default all traffic is blocked unless you specifically allow it, so you don't need a block rule and then an allow rule; just the allow rule will suffice. However, when you are using web filtering, http(s) traffic will be handled by the web filter and not by the firewall, so you may need to make adjustments in the web filtering config if you want to prohibit certain http(s) targets from being reachable from other subnets.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
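The reply above describes two behaviours worth seeing side by side: a top-down, first-match packet filter with an implicit default deny (so a lone allow rule is enough, and a "block all" placed above an allow rule shadows it), and a transparent web filter that takes http(s) before the firewall rules are consulted (which is also why the router's web interface stayed reachable after the allow rule was deactivated). The following is an added example, not code from the thread or from Sophos: a small model of those semantics using the thread's subnets. The rule ordering, the default-deny fallback and the web-filter interception are assumptions of the model, not a description of the UTM's internals.

```python
# Added example, not code from the thread or from Sophos: a minimal model of a
# top-down, first-match packet filter with an implicit default deny, plus a
# transparent web filter that intercepts ports 80/443 before the rules run.
# Subnets are the thread's; rule semantics and web-filter scope are assumptions.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
DMZ = ip_network("10.0.0.0/8")
WEB_PORTS = {80, 443}

# A rule is (source network, destination network, allowed TCP ports or None
# meaning "any service", action). Rules are evaluated top to bottom.
def decide(rules, src, dst, port, web_filter=False):
    """Return 'allow', 'drop' (implicit default deny) or 'web-filter'."""
    src, dst = ip_address(src), ip_address(dst)
    # A transparent web proxy picks up http(s) from its configured networks
    # before the packet filter sees the packet; here: from LAN only (assumption).
    if web_filter and port in WEB_PORTS and src in LAN:
        return "web-filter"
    for src_net, dst_net, ports, action in rules:
        if src in src_net and dst in dst_net and (ports is None or port in ports):
            return action          # first match wins
    return "drop"                  # nothing matched: default deny

ALLOW_ONLY = [(LAN, DMZ, WEB_PORTS, "allow")]
BLOCK_ABOVE_ALLOW = [(DMZ, LAN, None, "drop"), (DMZ, LAN, WEB_PORTS, "allow")]
ALLOW_ABOVE_BLOCK = [(DMZ, LAN, WEB_PORTS, "allow"), (DMZ, LAN, None, "drop")]

def demo():
    """Constructed packets between a LAN client and the DMZ router."""
    lan_host, dmz_router = "192.168.0.10", "10.0.0.2"
    return {
        # the lone allow rule lets https through and default-denies ssh
        "lan_https_allowed": decide(ALLOW_ONLY, lan_host, dmz_router, 443),
        "lan_ssh_default_deny": decide(ALLOW_ONLY, lan_host, dmz_router, 22),
        # allow rule disabled (empty rule set) but the web filter still proxies https
        "lan_https_rule_off_web_filter": decide([], lan_host, dmz_router, 443, web_filter=True),
        # reverse direction: having no rule at all is already a deny
        "dmz_to_lan_no_rule": decide(ALLOW_ONLY, dmz_router, lan_host, 443),
        # a block-all placed above the allow rule shadows it
        "block_above_allow": decide(BLOCK_ABOVE_ALLOW, dmz_router, lan_host, 443),
        "allow_above_block": decide(ALLOW_ABOVE_BLOCK, dmz_router, lan_host, 443),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The `block_above_allow` case is the one to watch when adding an explicit block rule: with first-match evaluation the allow rule underneath it never fires, so the extra block rule does not just become redundant, it can silently override the service you meant to permit.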

  • Hi Apijnappels,

    thanks for the information. As the UTM cannot act as a VPN client yet, I would like to use my second router to accomplish the following:

    - Router in the DMZ

    - Router connects to an external OpenVPN server

    - Specific traffic, for example Internet requests, should be routed over the VPN tunnel

    - VPN tunnel terminates in the DMZ, so traffic will be filtered by the UTM from the DMZ to the LAN network

    Any advice on how to accomplish this?

    Thx

    Sally

  • You will need to make sure that all required subnets are configured in the VPN tunnel (DMZ, LAN, remote subnet(s)). Then in the UTM I think you need to create static routes where you route the required traffic from LAN to the router in the DMZ (which in turn should send it into the tunnel).


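The static-route approach in the reply above, and the earlier question about sending some destinations directly to the Internet instead of through the tunnel, both come down to longest-prefix matching on the destination address: static routes select by destination, not by service, so "http/https over the tunnel" has to be expressed as "these destination networks via the DMZ router". The block below is an added example, not the UTM's code or anything from the thread. It models two route tables (tunnel only for selected destinations, and tunnel by default with a direct exception) and checks the rule that a gateway route only works when its next hop sits in a directly connected network. The WAN next hop 82.0.0.1, the remote VPN subnet 198.51.100.0/24 and the public site 203.0.113.0/24 are constructed placeholders.

```python
# Added example, not the UTM's code or from the thread: longest-prefix-match
# route lookup over a model of the UTM routing table. The LAN and DMZ networks
# and the DMZ router 10.0.0.2 are from the thread; the WAN next hop, the remote
# VPN subnet and the public site are constructed placeholders.
from ipaddress import ip_address, ip_network

# (destination, gateway or None for a directly connected network, interface)
ROUTES_SELECTIVE = [
    (ip_network("0.0.0.0/0"),       "82.0.0.1", "wan"),   # default via ISP next hop
    (ip_network("82.0.0.0/24"),     None,       "wan"),   # connected (constructed)
    (ip_network("192.168.0.0/24"),  None,       "lan"),   # connected
    (ip_network("10.0.0.0/8"),      None,       "dmz"),   # connected
    (ip_network("198.51.100.0/24"), "10.0.0.2", "dmz"),   # remote side, via DMZ router
]

# Opposite policy: everything goes to the tunnel except one site that stays direct.
ROUTES_TUNNEL_DEFAULT = [
    (ip_network("0.0.0.0/0"),       "10.0.0.2", "dmz"),   # default into the tunnel
    (ip_network("82.0.0.0/24"),     None,       "wan"),
    (ip_network("192.168.0.0/24"),  None,       "lan"),
    (ip_network("10.0.0.0/8"),      None,       "dmz"),
    (ip_network("203.0.113.0/24"),  "82.0.0.1", "wan"),   # this public site bypasses the tunnel
]

# Broken table: the gateway 172.16.5.1 is not on any connected network (constructed).
BAD_ROUTES = [
    (ip_network("192.168.0.0/24"),  None,         "lan"),
    (ip_network("10.0.0.0/8"),      None,         "dmz"),
    (ip_network("198.51.100.0/24"), "172.16.5.1", "dmz"),
]

def next_hop(routes, dst):
    """Longest-prefix match: return (gateway, interface) for destination dst."""
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    _net, gw, ifname = max(candidates, key=lambda r: r[0].prefixlen)
    return gw, ifname            # gw is None when dst is directly connected

def unreachable_gateways(routes):
    """Destinations whose gateway is not inside any directly connected network."""
    connected = [net for net, gw, _ in routes if gw is None]
    return [str(net) for net, gw, _ in routes
            if gw is not None and not any(ip_address(gw) in c for c in connected)]

if __name__ == "__main__":
    print(next_hop(ROUTES_SELECTIVE, "198.51.100.7"))        # ('10.0.0.2', 'dmz')
    print(next_hop(ROUTES_SELECTIVE, "203.0.113.5"))         # ('82.0.0.1', 'wan')
    print(next_hop(ROUTES_TUNNEL_DEFAULT, "203.0.113.5"))    # ('82.0.0.1', 'wan')
    print(next_hop(ROUTES_TUNNEL_DEFAULT, "198.51.100.7"))   # ('10.0.0.2', 'dmz')
    print(unreachable_gateways(BAD_ROUTES))                  # ['198.51.100.0/24']
```

Whichever policy is chosen, the packet still crosses the LAN-to-DMZ boundary on its way to 10.0.0.2, so the firewall has to allow that traffic from LAN to the DMZ router, and the return path from the remote side has to be routed back through the DMZ router as well.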

  • Thanks, this means I have to add an interface route or a gateway route in this case? Do I have to add, besides the masquerading rule, also a NAT rule to get this working?

    Thx

    Sally


  • DMZ configuration is:

    10.0.0.1/8 "no Gateway"

    DMZ Router:

    10.0.0.2

    255.0.0.0

    GW: 10.0.0.1

    DNS: 10.0.0.1

    VPN connection with the other side is established, but no traffic is going over the tunnel yet.

    Getting from the VPN site the following subnet config:

    Local Address: 172.21.28.71
    Remote Address: 172.21.28.71

    Do I have to add the remote subnet also to the UTM?

    Thx

    Sally

  • This is difficult to follow because there's no diagram and there are so many questions.

    The one thing I would recommend is NOT using 10.0.0.0/8.  That will conflict with all of the "VPN Pool" Network objects and possibly with your ISP.  Subnets in 10.0.0.0/8 should only be used by very large organizations and ISPs.  Subnets in 192.168.0.0/16 should be reserved for home networks and public hotspots not behind a UTM.  Most UTM admins should use private subnets in 172.16.0.0/12.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
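Bob's point about 10.0.0.0/8 is easy to check mechanically: a /8 on the DMZ swallows every other 10.x.x.x object the appliance or the remote side uses. The following is an added example, not code from the thread or from Sophos. It flags overlapping networks in an address plan and tests replacement candidates against everything else in the plan. LAN and DMZ are the thread's values; the two "VPN Pool" networks are assumed UTM defaults (verify them under your own Definitions), and the candidate subnets are constructed suggestions.

```python
# Added example, not from the thread or from Sophos: an address-plan check that
# flags overlapping networks and tests replacement subnets against the rest of
# the plan. LAN and DMZ are from the thread; the VPN pool values are assumed
# defaults, and the candidate list is constructed.
from ipaddress import ip_network

CURRENT_PLAN = {
    "LAN": ip_network("192.168.0.0/24"),
    "DMZ": ip_network("10.0.0.0/8"),
    "VPN Pool (SSL)": ip_network("10.242.2.0/24"),     # assumed default, verify locally
    "VPN Pool (IPsec)": ip_network("10.242.4.0/24"),   # assumed default, verify locally
}

# Constructed candidates: one in 172.16.0.0/12, one that would widen the LAN,
# one that sits inside the assumed SSL pool.
CANDIDATES = ["172.16.10.0/24", "192.168.0.0/23", "10.242.2.0/25"]

def overlapping_pairs(plan):
    """Every pair of named networks that share at least one address."""
    names = list(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]

def free_candidates(plan, candidates, replacing=None):
    """Candidates that overlap nothing in the plan (ignoring the one being replaced)."""
    others = [net for name, net in plan.items() if name != replacing]
    return [c for c in candidates
            if not any(ip_network(c).overlaps(net) for net in others)]

def replace(plan, name, new_cidr):
    """Copy of the plan with one network swapped out."""
    new_plan = dict(plan)
    new_plan[name] = ip_network(new_cidr)
    return new_plan

if __name__ == "__main__":
    print(overlapping_pairs(CURRENT_PLAN))                          # DMZ clashes with both pools
    print(free_candidates(CURRENT_PLAN, CANDIDATES, replacing="DMZ"))  # ['172.16.10.0/24']
    revised = replace(CURRENT_PLAN, "DMZ", "172.16.10.0/24")
    print(overlapping_pairs(revised))                               # []
```

Adding the remote side's networks (and the OpenVPN client's own tunnel address range) to the plan before running the check catches the same class of clash on the far end of the tunnel, where an overlap shows up as traffic that is "established" but never crosses.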