I have a Sophos UTM SW with 3 network interfaces: eth0 for LAN (192.168.1.0/24), two for WAN (eth1 on j.x.y.z/24 and eth2 on n.x.y.0/30).
The two WANs are configured with their own default gateway, uplink balancing uses either interface, and the multipath rules state that j.x.y.z/24 is the default and n.x.y.0/30 has as source some internal IP; this configuration works fine.
The focus is on eth2 with Sophos IP n.x.y.2 (n.x.y.2/30), which has gateway n.x.y.1. Since we need to add another subnet on this interface we asked the provider to extend the range, but in reply
the provider states that they added a "routed subnet" (that is n.x.y.80/29, so with disjoint ranges) and routed all traffic regarding this last subnet to the Sophos on n.x.y.2.
I've tried to configure a new VLAN interface on n.x.y.80/29 (with IP .81), add additional addresses and a lot of static routes, PBR routes and masquerading, with no success.
So, 2 questions:
What's the correct way to configure this kind of "routed subnet" so that the IP addresses in n.x.y.80/29 (so 81-86) can be used (e.g. pinged) from outside?
Why can't I ping the IP address of the interface when selecting the IP of the VLAN I just configured? What am I missing?

Thank you,
Ciao Emanuele - first I've seen you here - welcome to the UTM Community!
I'm having trouble following your notation, so, in the future, please obfuscate IPs like 151.x.y.185, 10.y.z.1, 172.16.z.1 and 192.168.z.1.
Normally, one would create a DMZ with public IPs, but you didn't say what you want to do with these additional IPs. Do you intend to DNAT traffic to these IPs to private IPs in the LAN or ???
Cheers - Bob
In reply to BAlfson:
I posted something a long time ago; thank you for the welcome!
I missed the notification, so I only see your reply now.
With the notation you specified, the networks involved are these:
eth0: 192.168.x.253/24 (act as gateway for LAN),
eth1 31.y.z.196/24 gateway 31.y.z.193 (wan)
eth2 on 213.j.k.2/30, network 213.j.k.0/30 gateway 31.y.z.1 (wan)
eth2.1 on 213.j.k.81, network 213.j.k.80/29 (this is the "new" routed subnet, wan, that has to use eth2 as gateway.)
The first step (that I cannot achieve) is to reach, even with a simple ping, the IP on the eth2.1 interface. I want to use IPs from eth2.1 with DNATs as you state, but I cannot "see" (neither via ping nor via traceroute) the IP on eth2.1, while the IPs of the other WAN interfaces ping correctly.
I engaged the provider, since I have done a lot of (also improbable) static routing/PBR/SNAT configuration, and also tried adding the eth2.1 subnet as additional IPs instead of creating the virtual interface; I have the strong suspicion that there is a misconfiguration on the other side (some ports of 213.j.k.81 seem to be open even if my eth2 and eth2.1 are disabled).
The question was about what the best practices are to configure a situation like this one, which (as I intended it) is something like this:
Doing this, I manage to ping the 213.j.k.1 gateway from interface eth2.1 (I managed to solve my previous question #2 with PBR).
Does that seem correct?
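The routing problem Emanuele describes (a routed /29 that the provider delivers to the eth2 address, whose replies must leave through the eth2 gateway rather than the balanced default on eth1) is a policy-based routing problem: the return path is chosen by source address, not only by destination. The Python below is an added illustration, not code from this thread or from Sophos UTM; it models a Linux-style policy router (source rules select a table, then longest-prefix match) with the thread's topology. The addresses are RFC 5737 documentation ranges standing in for the obfuscated ones, the table name "wan2" and the LAN host 192.168.0.50 are constructed, and the balanced default is simplified to a plain default via eth1.

```python
"""Model of source-policy routing for a provider-routed subnet (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None  # None means directly connected


@dataclass
class Rule:
    src: ipaddress.IPv4Network  # packets from this source use the named table
    table: str


class Router:
    """Minimal policy router: first matching source rule picks a routing table,
    then the longest matching prefix in that table wins."""

    def __init__(self) -> None:
        self.tables: dict[str, list[Route]] = {"main": []}
        self.rules: list[Rule] = []

    def add_route(self, table: str, prefix: str, iface: str, gateway: Optional[str] = None) -> None:
        self.tables.setdefault(table, []).append(Route(ipaddress.ip_network(prefix), iface, gateway))

    def add_rule(self, src: str, table: str) -> None:
        self.rules.append(Rule(ipaddress.ip_network(src), table))

    def lookup(self, src: str, dst: str) -> Optional[tuple[str, str]]:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        table = "main"
        for rule in self.rules:
            if src_ip in rule.src:
                table = rule.table
                break
        best: Optional[Route] = None
        for route in self.tables.get(table, []):
            if dst_ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        if best is None:
            return None
        return best.iface, best.gateway or "connected"


def build_utm(with_pbr: bool) -> Router:
    """Thread topology with constructed documentation addresses:
    eth0 LAN 192.168.0.0/24, eth1 WAN 198.51.100.196/24 (gw .193),
    eth2 WAN 203.0.113.2/30 (gw .1), eth2.1 routed subnet 203.0.113.80/29 (.81)."""
    r = Router()
    connected = [("192.168.0.0/24", "eth0"), ("198.51.100.0/24", "eth1"),
                 ("203.0.113.0/30", "eth2"), ("203.0.113.80/29", "eth2.1")]
    for table in ("main", "wan2"):
        for prefix, iface in connected:
            r.add_route(table, prefix, iface)
    # Balanced default simplified to "first WAN is default" (main table).
    r.add_route("main", "0.0.0.0/0", "eth1", "198.51.100.193")
    # Second table: everything not connected goes out via the eth2 gateway.
    r.add_route("wan2", "0.0.0.0/0", "eth2", "203.0.113.1")
    if with_pbr:
        # Replies sourced from the routed /29 must return through eth2's gateway,
        # otherwise they leave via eth1 with a source address that ISP never issued.
        r.add_rule("203.0.113.80/29", "wan2")
        # The thread's "some internal IP" multipath rule (constructed host address).
        r.add_rule("192.168.0.50/32", "wan2")
    return r


def reply_path(with_pbr: bool, src: str = "203.0.113.81", dst: str = "192.0.2.10") -> Optional[tuple[str, str]]:
    """Egress interface and gateway for a reply from the routed subnet to an outside host."""
    return build_utm(with_pbr).lookup(src, dst)


if __name__ == "__main__":
    print("without PBR:", reply_path(False))  # leaves via eth1: asymmetric, ping from outside fails
    print("with PBR:   ", reply_path(True))   # leaves via eth2 gateway: symmetric path
```

Without the source rule, a ping arriving from outside for .81 reaches the UTM via eth2 (the provider routes the /29 there), but the echo reply is routed by the default and leaves through eth1, so the upstream on that side sees a foreign source address and the reply is lost or dropped. That is the symptom in the thread: the other WAN IPs answer, the routed-subnet IP does not, until a PBR rule keyed on the /29 as source sends its traffic to the eth2 gateway.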
In reply to Emanuele Monari:
So, finally, it was an error in the provider's configuration; the DNATs are now working.
Now I'll try some other configuration in order to make 213.j.k.81 pingable from outside.
Thank you for now, Bob. If you want to tell me your point of view, I'll listen to it.