Hi, I have a virtual UTM running on an ESXi server, two interfaces:
- ETH0, with a public IP
- ETH1, with a local subnet 126.96.36.199
My problem is that I can't reach/ping anything on the WAN when I ping over the private interface (188.8.131.52):
PING 184.108.40.206 (220.127.116.11) from 18.104.22.168 eth1: 56(84) bytes of data.
From 22.214.171.124: icmp_seq=1 Destination Host Unreachable
From 126.96.36.199 icmp_seq=1 Destination Host Unreachable
From 188.8.131.52 icmp_seq=2 Destination Host Unreachable
I have another VMware guest in the private subnet with IP 184.108.40.206 with 220.127.116.11 (the private IP of the UTM) from where I can successfully route out. I have set a Masquerading rule for that (Network: internal / Interface: public). But I have no routing directly from 18.104.22.168. This is my routes table:
default via 22.214.171.124 dev eth0 table 200 proto kernel onlink
default via 126.96.36.199 dev eth0 table default proto kernel metric 20 onlink
10.0.0.0/16 dev eth0 proto ipsec scope link src 188.8.131.52
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.1
127.0.0.0/8 dev lo scope link
184.108.40.206/24 dev eth1 proto kernel scope link src 220.127.116.11
18.104.22.168/27 dev eth0 proto kernel scope link src 22.214.171.124
broadcast 10.242.2.0 dev tun0 table local proto kernel scope link src 10.242.2.1
local 10.242.2.1 dev tun0 table local proto kernel scope host src 10.242.2.1
broadcast 10.242.2.255 dev tun0 table local proto kernel scope link src 10.242.2.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 126.96.36.199 dev eth1 table local proto kernel scope link src 188.8.131.52
local 184.108.40.206 dev eth1 table local proto kernel scope host src 220.127.116.11
broadcast 18.104.22.168 dev eth1 table local proto kernel scope link src 22.214.171.124
broadcast 126.96.36.199 dev eth0 table local proto kernel scope link src 188.8.131.52
local 184.108.40.206 dev eth0 table local proto kernel scope host src 220.127.116.11
broadcast 18.104.22.168 dev eth0 table local proto kernel scope link src 22.214.171.124
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
local ::1 dev lo table local proto unspec metric 0
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
What am I missing?
When you initiate a PING from an interface in UTM 9, using ping -I eth1 126.96.36.199, UTM9 will try to send out the traffic from the eth1 interface. That is why you'll not be able to ping any Internet IPs using this on the LAN interface. You can also observe this using another SSH session and doing a tcpdump for the destination traffic or on the interface. This works fine as long as you try it on your different WAN interfaces to check the connectivity.
Hope this helps.
Also, 172.168.x.y is not an IP range reserved for private subnets. 188.8.131.52 is a public IP belonging to Oath Holdings in New York City.
Cheers - Bob
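The two replies above make separate points: Jaydeep's, that a ping bound to eth1 with -I only considers eth1 when choosing a route, and Bob's, that 172.168.x.y lies outside the RFC 1918 private blocks. The following script is an added example (not code from the thread or from Sophos) that models both against a constructed routing table in `ip route` syntax, using documentation addresses (203.0.113.0/27 stands in for the public /27, 192.168.50.0/24 for the LAN). The on-link fallback it models is Linux behaviour: when a socket is bound to a device and no route on that device matches, the kernel assumes the destination is directly attached and ARPs for it, which on a LAN segment fails and produces exactly the "Destination Host Unreachable" replies from the UTM's own eth1 address seen in the question.

```python
# Added example, not from the thread: models route selection for a ping bound
# to one interface (ping -I) and an RFC 1918 membership check.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for addresses inside the three RFC 1918 private blocks
    (deliberately stricter than ipaddress's is_private, which also counts
    documentation and reserved ranges)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Constructed routing table shaped like the one in the question, with
# documentation addresses substituted for the poster's real ones.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0 proto kernel onlink
10.0.0.0/16 dev eth0 proto ipsec scope link src 203.0.113.10
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.1
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.1
203.0.113.0/27 dev eth0 proto kernel scope link src 203.0.113.10
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, device, gateway-or-None) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = f[f.index("dev") + 1] if "dev" in f else None
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, dev, via))
    return routes


def next_hop(routes, dst, oif=None):
    """Longest-prefix match for dst.

    With oif set (what `ping -I <iface>` does through SO_BINDTODEVICE) only
    routes on that device are candidates. If none match, Linux assumes the
    destination is on-link on that device and ARPs for it; the ARP fails on
    a LAN segment and ping prints 'Destination Host Unreachable' from the
    local address. That case is flagged with onlink_guess=True.
    """
    ip = ipaddress.ip_address(dst)
    cands = [r for r in routes
             if ip in r[0] and (oif is None or r[1] == oif)]
    if cands:
        net, dev, via = max(cands, key=lambda r: r[0].prefixlen)
        # No 'via' means a directly connected route: next hop is dst itself.
        return {"dev": dev, "gateway": via or dst, "onlink_guess": False}
    if oif is not None:
        return {"dev": oif, "gateway": dst, "onlink_guess": True}
    return None  # unbound lookup with no default route: ENETUNREACH


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    probe = "198.51.100.7"  # constructed Internet destination
    print("unbound :", next_hop(table, probe))
    print("-I eth1 :", next_hop(table, probe, oif="eth1"))
    print("-I eth0 :", next_hop(table, probe, oif="eth0"))
    for a in ("172.168.1.5", "172.20.1.5"):
        print(a, "is RFC 1918" if is_rfc1918(a) else "is public")
```

Run without arguments it shows the unbound lookup and the -I eth0 lookup both selecting the default route via eth0, while the -I eth1 lookup falls into the on-link guess, which is the failure the question's ping output shows; the last two lines show 172.168.1.5 classified as public and 172.20.1.5 as private. Binding the probe to the WAN interface, or simply not binding it, is the right way to test Internet reachability from the UTM itself.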
In reply to Jaydeep:
Hi Jaydeep, well, how can I fix this? What I am trying to do is to set up a VPN connection from my office to my branch where I can use the branch internet connection as a gateway to leave traffic from that tunnel out to the internet. The VPN is up and working, but I am not able to make the traffic leave the remote private LAN.
Not sure what I am missing: in the branch office I have some computers that are able to exit the LAN. Any idea what I have overlooked?
In reply to BAlfson:
Thank you for pointing this out for me. You are right, this is not a private IP range; it should be something between 172.16.0.1 and 172.31.255.254.
In reply to GKR:
Yes, I missed that too. Thanks, Bob. Please post if you still face the issue after correcting the IP address scheme.
Yes, I haven't been able to route out from the Sophos UTM. This is what I want to do: use a VPN tunnel and the remote IP as a gateway, so I can connect from the branch (France) to the HQ (Germany) and route out from there to the public internet. The VPN tunnel is up, but traffic doesn't leave the VPN remote subnet.
Please show us pictures of the Edits of the IPsec Connection and Remote Gateway in France. Also of the corresponding configuration on the other side in Germany.