
NATing each VLAN to a /29 IP?

Our ISP provided us with a public /29 subnet. As an example, let's say they assigned us 172.16.254.0/29.

Our gateway address is 172.16.254.1.

We directly connected the Sophos UTM on eth1 to their GW.

We assigned to eth1 the IP address 172.16.254.2/29.

We have an active Link Aggregation lag0.

We added multiple VLAN Interfaces to lag0: VLAN10, VLAN20, VLAN30. Each with its own private network.


Our goal is to assign each VLAN its unique public IP address: VLAN10=172.16.254.3, VLAN20=172.16.254.4, VLAN30=172.16.254.5.
In other words: facing outward, each computer should communicate with internet services using the public IP assigned to the VLAN the computer is connected to. And I should be able to add port mappings from the public IP to servers within the respective VLANs.

Unfortunately, I don't know how I can assign the public IPs to the respective VLANs.

I tried adding Additional Addresses and using Masquerading, but that only results in a loss of connection. I assume that the packet is still sent, but that the response either does not reach the UTM, or the UTM does not remember which computer in which VLAN started the request. I hope you can help.



This thread was automatically locked due to age.
  • You need to add the additional IPs to the WAN or ISP interface (make sure they are turned on too with the green slider)

    You can then use masquerading or source NAT to do this (outgoing) and then you will need to add DNAT for incoming connections.

    You don't assign a VLAN to an interface for NATing but rather that VLAN's subnet, e.g. 192.168.1.0/24 >> 172.16.254.3 (either create a masquerade or source NAT rule)

    And then, don't forget to check your firewall rules to allow the traffic or your web filter if you have that proxy going too.

    Nice little explanation here:

    https://www.stephenwagner.com/2010/07/03/astaro-security-gateway-snat-dnat-1-to-1-nat-and-full-nat-howto/
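The layout described in the answer above (extra public IPs on the WAN interface, one source NAT rule per VLAN subnet, DNAT for inbound port mappings, and filter rules that actually allow the forwarded traffic), written out as an nftables ruleset for a generic Linux router. This is an added example, not Sophos UTM configuration and not anything from the thread or the linked howto; the UTM builds its own rules from WebAdmin. The VLAN sub-interface names lag0.10/lag0.20/lag0.30, the private subnets 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 and the internal web server 192.168.10.10 are constructed assumptions; only the /29 addresses come from the thread.

```shell
#!/bin/sh
# Added example: per-VLAN source NAT to distinct public IPs plus DNAT,
# expressed for nftables on a generic Linux router (not Sophos UTM config).
# Assumptions (constructed, not from the thread): eth1 is the WAN interface,
# VLAN sub-interfaces are lag0.10/lag0.20/lag0.30 with the private subnets
# below, and 192.168.10.10 is a web server inside VLAN10.

WAN_IF="eth1"

# "VLAN sub-interface|private subnet|public IP" triples (constructed).
VLAN_MAP="lag0.10|192.168.10.0/24|172.16.254.3
lag0.20|192.168.20.0/24|172.16.254.4
lag0.30|192.168.30.0/24|172.16.254.5"

# Step 1: the extra public IPs must live on the WAN interface ("additional
# addresses" on the UTM). Otherwise the ISP gateway gets no ARP reply for
# them and return traffic for the SNATed flows never comes back.
wan_addr_commands() {
    echo "$VLAN_MAP" | while IFS='|' read -r _ _ pub; do
        echo "ip addr add ${pub}/29 dev ${WAN_IF}"
    done
}

# Step 2: one SNAT rule per VLAN subnet (the UTM masquerade/SNAT rule
# "192.168.x.0/24 -> 172.16.254.y"), DNAT port mappings back in, and a
# forward chain that permits the translated traffic. Connection tracking
# records each SNATed flow, so replies to 172.16.254.y are mapped back to
# the host in the right VLAN without any per-VLAN interface binding.
nat_ruleset() {
    echo "table ip nat {"
    echo "  chain postrouting {"
    echo "    type nat hook postrouting priority srcnat; policy accept;"
    echo "$VLAN_MAP" | while IFS='|' read -r _ subnet pub; do
        echo "    oifname \"${WAN_IF}\" ip saddr ${subnet} snat to ${pub}"
    done
    echo "  }"
    echo "  chain prerouting {"
    echo "    type nat hook prerouting priority dstnat; policy accept;"
    # Inbound port mapping: VLAN10's public IP, ports 80/443 -> web server.
    echo "    iifname \"${WAN_IF}\" ip daddr 172.16.254.3 tcp dport { 80, 443 } dnat to 192.168.10.10"
    echo "  }"
    echo "}"
    echo "table ip filter {"
    echo "  chain forward {"
    echo "    type filter hook forward priority filter; policy drop;"
    echo "    ct state established,related accept"
    # Only DNATed connections on the mapped ports may enter from the WAN.
    echo "    iifname \"${WAN_IF}\" ct status dnat tcp dport { 80, 443 } accept"
    echo "$VLAN_MAP" | while IFS='|' read -r vif _ _; do
        echo "    iifname \"${vif}\" oifname \"${WAN_IF}\" accept"
    done
    echo "  }"
    echo "}"
}
```

The script only generates the commands and ruleset; as root, an operator would run the output of `wan_addr_commands` and then `nat_ruleset > /tmp/nat.nft && nft -f /tmp/nat.nft`. The forward chain defaults to drop, which is the nftables equivalent of the answer's reminder that a NAT rule alone does nothing until a firewall rule allows the traffic.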

  • I did add Additional Addresses on the WAN interface and use Masquerading. It is now working. I don't know why this didn't work before, although I did not do anything different now.

    Anyway, I am still having an issue with the DNAT. It just does not work and I can't figure it out. It does not show up in the firewall logs and I have not the slightest idea how I could even check where the issue is...

  • Okay, I enabled logging on the auto-created firewall rule. Still nothing on HTTP and HTTPS.

    Just for fun I tried to connect over port 5555. Suddenly the attempt shows up in the firewall log as blocked.

    Then I tried to connect via port 8080 (which is also in the Web Surfing group shown in the picture above.) Suddenly I see a whole bunch of messages like those.

    What is going on? Why the heck do ports 80 and 443 show nothing and port 8080 does, although they are ALL in the Web Surfing group???

    21:55:10 NAT rule #3 TCP
    xxxxxxx : 52559
    WAN[HUG-IP] : 8080

    21:55:10 Auto-generated rule #1 TCP
    xxxxxxx : 52559
    HUGVWEB01 : 8080

  • Take the "Web surfing out" and replace with http or https. Check "automatic firewall rule" and "log initial packets"

    The above should show up in the firewall log then. Once up and running, you can then leave as above or create manual firewall rules.

    The web surfing group is generally to allow users on a LAN to surf the web using those protocols and not really used for DNATs.

    DNATs, for the most part, are normally created for a single port also, e.g. a DNAT for http, a DNAT for https, a DNAT for ftp etc.

  • Louis-M said:

    Take the "Web surfing out" and replace with http or https. Check "automatic firewall rule" and "log initial packets"

    The above should show up in the firewall log then. Once up and running, you can then leave as above or create manual firewall rules.

    For the sake of testing I did that. Exactly the same behaviour. It does not show up in the firewall log at all. If I replace port 80 with port 8080, it shows up and works. Something is really broken here.

    Louis-M said:

    The web surfing group is generally to allow users on a LAN to surf the web using those protocols and not really used for DNATs.

    DNATs, for the most part, are normally created for a single port also, e.g. a DNAT for http, a DNAT for https, a DNAT for ftp etc.

    I disagree. The group is absolutely fine if I want to forward the ports in that group. And using groups in NAT is also possible and a better solution if you do port-forwarding for a service like HTTP/HTTPS. If groups were not intended to be used at that place, Sophos wouldn't allow them. And technically they work just fine. Used them for years.

  • You learn something new every day. Never thought about groups for NAT. Interesting, I'll give it a shot.

    Have you tried moving your DNAT rule up to position 1? And is the web proxy in use?

  • It makes sense if you port-forward certain services. For customers that were on SBS I would just create a group and put in 80/443/25 and so on and name it "SBS connectivity" or something. That way you don't clutter the view.

    I created a new topic with the DNAT issue because from the title, this issue is solved. Thanks again.

    community.sophos.com/.../dnat-works-for-any-port-besides-80-and-443
