
Masquerading not working

Hi,

I have the following configuration in UTM9 behind an ISP modem. The ISP modem's LAN IP address is 172.16.5.1.

Sophos UTM WAN Interface
--------------------------------------
(Assigned by DHCP from ISP Modem)
IP: 172.16.5.60
Subnet Mask: 255.255.255.0
Gateway: 172.16.5.1
DNS: 8.8.8.8

Sophos UTM LAN Interface
--------------------------------------
IP: 192.168.2.100
Subnet Mask: 255.255.255.0

Firewall Rule
---------------------------------
Internal (Network) -> Any -> Any -> Allow

Masquerading
----------------------------------
Internal (Network) -> External (WAN)

-------------------------Problem----------------------------------

From Sophos UTM9 (Support -> Tools -> Ping):

From the WAN interface, ping to the ISP modem is successful.
From the LAN interface, ping to the ISP modem is failing.
From LAN computers to the ISP modem, ping is failing and the internet is not working.

Please support to solve the issue.

  • Did you activate IPv4 Default GW at external WAN interface?

    Best regards 

    Alex 


  • Yes, the gateway IP address is given in the WAN interface.

    I have removed masquerading and added a SNAT; then the ping from the LAN interface is successful. I checked with Wireshark: when masquerading is enabled, the outgoing packets are not getting the IP change through NAT, while with SNAT the IP is changed to the WAN interface IP. So the connection up to the ISP modem is OK when SNAT is configured.

    Still the internet is not working; when pinging 8.8.8.8, the packet is not going out of the UTM.

    The UTM is a VM installed in VMware Player on Windows 10. The VM has 2 virtual LAN cards which use a single physical LAN card in Windows. When I set the SNAT, the firewall logs show that the ping to 8.8.8.8 is accepted, but Wireshark in Windows doesn't show the packet.

  • Jose S said:

    ...The UTM is a VM installed in VMware Player on Windows 10. The VM has 2 virtual LAN cards which use a single physical LAN card in Windows. When I set the SNAT, the firewall logs show that the ping to 8.8.8.8 is accepted, but Wireshark in Windows doesn't show the packet.

    Huh, in a VM with one physical network card. That sounds really complicated to me, because there are several ways of using the host network in VMware on a Windows system: bridging or NAT. Maybe if it's possible to use VLANs, that would be easier to understand (for me).
    So, sorry I don't have more hints here.

    Best regards
    Alex

  • Check Network Protection -> Firewall -> ICMP for allowing ICMP (and thus ping) traffic.

    I would advise against using a virtualization platform on top of a normal OS. Rather use a Type 1 hypervisor that's bare metal.

    Also, using just one NIC makes things much more complicated, as mentioned before. We don't know how your clients behind the UTM are communicating to the outside: are you using VLANs to segregate network segments, or is your client also a virtual machine living inside your VMware Player?

    We don't know whether or not you have configured web protection, so really there's not a lot we can do without having more information about how your situation is set up.

    Did I mention already that you'd better have 2 physical NICs and a Type 1 hypervisor (ESXi or Hyper-V)?

    If you're only testing things out, I think you can manage with VMware Player, but in that case your "client behind the UTM" should really also talk to the UTM as its default gateway; but your Windows client is started before the UTM is started, and so it may have a different gateway.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
