
Struggling a bit with WAN to LAN access

I have just installed UTM 9 on my home network.


Interfaces configured as below

I have configured NAT Masq as below

From my "Internal" network I have no problems accessing machines on the internal network, or on the "Internet" interface ( even hosts on the internet as the G/W for my "Internet" interface is my cable modem).


From my "Internet" network I am unable to access any host on the "Internal" network.

I have created an open rule as below - but I still can't access my "Internal" hosts from the "Internet" network


Any ideas on what I might be missing?


David



  • You should declare victory and stop, because your problem configuration is secure and your intended configuration is not.

    The Masquerading rule only applies to outbound connections. A DNAT rule will allow you to map incoming traffic on a specific port to a specific internal address and port. Any-to-any is not possible by any method because you have one Internet address and multiple internal addresses, so there is ambiguity.

    If you enable any form of remote access, assume that the bad guys on the other side of the planet will find it and attempt to use your devices for themselves. Consequently, you should use UTM features for any remote access, such as SSL VPN, WAF, or HTML5 VPN. You should also use One-Time Password for remote access, to prevent password guessing attacks.

    If another device is already providing perimeter security, then you need to clarify what UTM is supposed to accomplish. Perhaps you should configure UTM in bridge mode behind that device.

    Read the Wiki articles to understand UTM architecture and design issues that are not in the manual or help system.

  • Hi Douglas,

    Thanks for your reply.

    What I'm thinking of implementing is the following;

    Sophos UTM primarily for protection for internal users accessing the internet via browsing etc, and also to do some traffic monitoring, shaping and QOS - primarily to make sure my and my wife's bandwidth is preserved! So Sophos UTM is really for outbound protection.

    The firewall and routing functions inbound I plan to do with pfSense, downstream from the UTM, mainly to segment my network further and support for VLANs and my VMware environment.

    David

  • David, I don't think you will be able to do what you think you want with the UTM and that you should just stick with the pfSense.  The systems' metaphors are significantly different and you have so much to learn with the UTM that you will decide to delete the pfSense once you learn how to harness the power of WebAdmin for the UTM.  In any case, good luck!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • First things first:

    As already mentioned above, what you want to accomplish is perfectly possible with just the Sophos UTM (and maybe also with just pfSense but I don't know pfSense myself). So investing in this setup is not the best thing you can do.

    However, I think you can still do what you want....


    I assume this is your current setup:

    Internet ==> Router ==> Sophos UTM ===> pfSense 

    Your outbound systems are in between UTM and pfSense and behind pfSense are some services that need to be reachable from outside?


    As I understand from Balfson's post, your Sophos UTM is already behind a NAT router so that router should have a DMZ or exposed host setting pointing to the UTM for anything to get to the UTM in the first place.

    You will also want your UTM to forward all "incoming" traffic from its WAN side to pfSense. You can make a DNAT rule on the UTM:

    Traffic from: Internet IPv4 (or any)
    Using service: any (better is to create a group containing just the ports that really need to be forwarded)
    Going to: External (WAN Address)

    Change destination to: WAN address of pfSense box
    And the service to: <leave empty>

    Tick the box "automatic firewall rule" and you should be good to go.


    Again you'd better invest your time in creating the environment you want using just one product, either Sophos or pfSense. Maintaining multiple devices is error prone, more work and solving problems is also a lot harder than when you just use only one product.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
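    To make Douglas's point (masquerading is outbound-only, DNAT maps one WAN port to one host, so any-to-any is ambiguous) and Arno's DNAT recipe concrete, here is a small Python model of those two NAT behaviours. It is an added illustration, not Sophos code; the addresses, the `Utm` and `Packet` names and the port-keyed connection table are all constructed for the example.

```python
"""Toy model of the two NAT behaviours discussed above (added example, not
Sophos code). Masquerading rewrites outbound sources and only admits replies
matching a tracked flow; DNAT maps a new inbound connection on one WAN port
to one chosen internal host. All addresses are constructed."""
from dataclasses import dataclass, field

UTM_WAN = "203.0.113.10"      # constructed: UTM "External (WAN Address)"
PFSENSE_WAN = "192.168.1.2"   # constructed: pfSense WAN address behind the UTM


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool            # True for a new connection, False for a reply


@dataclass
class Utm:
    dnat: dict = field(default_factory=dict)       # WAN port -> internal host
    conntrack: dict = field(default_factory=dict)  # WAN port -> (host, port)
    next_port: int = 40000

    def add_dnat(self, port: int, host: str) -> None:
        """One WAN port can only point at one host: this is the 'any-to-any
        is ambiguous' point made above."""
        if self.dnat.get(port, host) != host:
            raise ValueError(f"port {port} already forwarded to {self.dnat[port]}")
        self.dnat[port] = host

    def outbound(self, p: Packet) -> Packet:
        """Masquerade: internal source becomes UTM_WAN:<tracked port>."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[wan_port] = (p.src, p.sport)
        return Packet(UTM_WAN, wan_port, p.dst, p.dport, p.syn)

    def inbound(self, p: Packet):
        """Return the packet as forwarded to the LAN, or None if dropped."""
        if p.dst != UTM_WAN:
            return None
        if not p.syn and p.dport in self.conntrack:   # reply to a masqueraded flow
            host, port = self.conntrack[p.dport]
            return Packet(p.src, p.sport, host, port, False)
        if p.syn and p.dport in self.dnat:            # new connection, DNAT rule hit
            return Packet(p.src, p.sport, self.dnat[p.dport], p.dport, True)
        return None        # new inbound connection with masquerade only: dropped
```

    With no DNAT entries a new inbound connection to the WAN address is dropped even though outbound replies still flow; adding an entry for one port forwards only that port to the pfSense address, which is the "service group" restriction Arno recommends.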

  • Also, Arno, he wants to guarantee download bandwidth for his wife and himself - is he willing to drastically limit others' download bandwidth in order to do that? Again, STEEP LEARNING CURVE.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA