
Static Route in SG UTM 9.x

Hi,

I have a problem with a static route.

All PCs in my network 192.168.1.0 have a firewall enabled on port 80.

For an application I have to redirect the public network 188.144.0.0 to an internal PC, for example 192.168.1.253.

I have added a gateway route (static): network is 188.144.0.0 255.254.0.0, gateway is 192.168.1.253.

On the firewall I see forbidden TCP, for example from 192.168.1.55 ports 1:65535 to 188.144.7.78:80.

Then I added on 192.168.1.55: route add 188.144.0.0 mask 255.254.0.0 192.168.1.253 -p

After that all works fine; I see no problems in the firewall log.

I want to solve the needed route on the UTM, not with a Windows command.

How can I add this static route in the UTM?

Thank you

Best regards,

Uwe



  • Hi Uwe,

    In my understanding you need a DNAT. With a DNAT rule you could rewrite the destination addresses of data packets.

    You find it under Network Protection -> NAT.

    Best

    Alex


  • Hi Alex,

    DNAT can't solve the problem:

    The requirement:

    All traffic coming from the internal network, for example 192.168.1.0, going to the public network 188.144.0.0 255.254.0.0 has to be sent to the internal host 192.168.1.253. Only this host sends these packets to the public network 188.144.0.0 255.254.0.0.

    In DNAT I can only define "Using Service", not a destination public network.

    Best regards,

    Uwe

  • Hi Uwe,

    Sorry for the misunderstanding.

    Is the UTM the standard gateway for your PCs?

    So the packet should travel the following way:

    PC -> UTM -> internal Gateway(192.168.1.253) -> UTM -> Internet

    So the gateway rule only has to be active for hosts other than 192.168.1.253. Or is 192.168.1.253 not using the UTM?

    And are you using the proxy on the UTM? Or is the service not related to port 80/443?

    Best regards

    Alex


  • Hi Alex,

    The UTM is the standard gateway for all PCs.

    We have the following firewall rule: internal net -> http,https -> Internet IPv4.

    All PCs can access the Internet with this rule.

    Only for a special application with special hardware - in Germany: Connector for eHealth - we have to send all traffic to the Internet net 188.144.0.0 mask 255.254.0.0 to the internal connector with the IP address 192.168.1.253; the connector sends these requests to the Internet.

    In the firewall log I see that all (TCP) traffic from the internal net 192.168.1.xy:all ports to 188.144.7.78:80 is blocked.

    In the UTM we have defined a static gateway route for this.

    After adding the Windows command on our terminal server: route add 188.144.0.0 mask 255.254.0.0 192.168.1.253, it works.

    We use no proxy on the UTM. We have some doctor's surgeries which have no terminal server, so in these offices we would have to add the command on each PC. I hope I can solve it with a configuration in the UTM.

    Best regards,

    Uwe


  • Hi Alex,

    After some tests, I have added a second firewall rule:

    internal net->web Surfing->188.144.0.0 255.254.0.0

    Now it works.

    But why do I need a second rule?

    The first rule is:

    internal net-> web Surfing->Internet IPv4

    Best regards,

    Uwe

  • Hello Uwe,

    Glad it works. The FW rule is necessary because 188.44.0.0 is not contained in the Internet IPv4 object, since "the Internet objects are bound to the default Gateway interface".

    You can replace the Internet IPv4 object in the original rule with Any.

    Best regards

    Alex

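    To make the explanation above concrete, here is an added example (not Sophos code and not from this thread) that models how a destination object bound to the default-gateway interface interacts with the static gateway route from the thread. Interface names, the "web surfing" port set, and the rule format are assumptions for the model.

```python
"""Route-aware rule matching: why a static route to an internal next hop
makes a destination fall outside an "Internet IPv4"-style object that is
bound to the default-gateway interface. Added example; names assumed."""
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination, egress interface, next hop).
# The static gateway route from the thread points at the internal connector.
ROUTES = [
    (ip_network("0.0.0.0/0"), "eth1", "wan-default-gw"),     # default route (WAN)
    (ip_network("192.168.1.0/24"), "eth0", None),             # directly connected LAN
    (ip_network("188.144.0.0/15"), "eth0", "192.168.1.253"),  # 255.254.0.0 = /15
]
WAN_INTERFACE = "eth1"  # assumed name of the default-gateway interface


def lookup_route(dst):
    """Longest-prefix match, as the router performs it."""
    addr = ip_address(dst)
    matches = [r for r in ROUTES if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def destination_matches(obj, dst):
    """Evaluate a rule's destination object against a concrete address."""
    if obj == "Any":
        return True
    if obj == "Internet IPv4":
        # Bound to the default-gateway interface: only destinations whose
        # route leaves via the WAN interface are "Internet" here.
        return lookup_route(dst)[1] == WAN_INTERFACE
    return ip_address(dst) in ip_network(obj)


def first_matching_rule(rules, src, dst, port):
    """Name of the first rule allowing src -> dst:port, or None (drop)."""
    for name, src_net, ports, dst_obj in rules:
        if (ip_address(src) in ip_network(src_net) and port in ports
                and destination_matches(dst_obj, dst)):
            return name
    return None


# Rules as described in the thread; "web surfing" assumed to be TCP 80/443.
WEB = {80, 443}
RULES_BEFORE = [("internal->web surfing->Internet IPv4", "192.168.1.0/24", WEB, "Internet IPv4")]
RULES_AFTER = RULES_BEFORE + [("internal->web surfing->188.144.0.0/15", "192.168.1.0/24", WEB, "188.144.0.0/15")]
RULES_ANY = [("internal->web surfing->Any", "192.168.1.0/24", WEB, "Any")]
```

    Note that swapping the object for Any also admits destinations reached through other internal interfaces, so the narrower second rule for 188.144.0.0/15 is the tighter fix.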

  • Hello Uwe,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    The next time you need to do something similar, you will want to consult Accessing Internal or DMZ Webserver from Internal Network.

    Kind regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA