
Some specific question regarding articles - Sophos UTM: Best practices for DNS Configuration, and Full NAT questions

Hi,

I apologize up front for what may be terribly obvious to you who have been doing this stuff for some time, or have been in the business for a while. I am an old engineer in a new world and I am having to hit the ground running as I have other things to do like get my +certs and CCNA finished up. At least this all helps my learning experience, but I would rather be studying for tests right now. I would appreciate any help/advice/guidance offered by the community.

I am pretty excited because I just set up my UTM home box (PC based for SOHO and home network). I did the basic install wizard and it has the (3) basic installed firewall rules: DNS, Email, and Web Surfing. My network is kind of complicated with many different hosts and devices so as you can imagine, immediately after, family members were notifying me of connection issues. The playstation won't connect, my PC won't get to battle.net, the ROKU and Fire, etc. So of course I start reading and find Bob's Rulz which are helpful but just a little over my head UTM wise in a couple areas. Enough so that when I read them it was enlightening but also created more questions too.

I have looked and looked for a real "beginners (or idiots as it were) guide" to working with the UTM complete with what-ifs and example "how-tos" but I can't seem to find one anywhere on the forum. Just snippets of info spread out all over the place. Hopefully I missed it and someone can point me in the right direction. It seems that when I search for a specific issue I am having, there are a plethora of answers but most lead only to some answers and more confusion. I am surely willing to learn this stuff if I can get my hands on some meaty learning material.

The playstation issue was addressed in rule 2 but as one poster said, it seems to open up security too much. So I read further and read articles on DNS forwarding and full NAT. Those articles made it seem that full NAT and DNS forwarding are something that need to be done in order for things to run smoother. So I went down those roads in hopes of resolving some issues. I got stuck on a fundamental question: what is my domain name? It is my network and really never needed a name. Is it the organization I defined in the UTM setup? I needed a domain name to get through the best practices for DNS config section "Request Routing" where it says "Domain [your domain]". In the absence of a domain, how am I to proceed? If I am going to need a domain for other reasons, I would prefer to get it set up and move on but I am not sure how to go about it.

Then there is the article on full NAT. I get the whole idea of why it is needed and why things aren't getting back in past the UTM, I am just a little lost on doing the actual procedure as the instructions in the article "almost" apply to my scenario. Is my UTM a DNS forwarder by definition as it has to play middle box between the Internet and my network? Or not, because I have defined the DNS addresses as part of the best practices article. If so then I go down the road of "not a DNS forwarder", right?

Anyway, here is the part I am stuck on;

step 5 - my internal NIC is 192.168.0.1, so use that or the other ".".".".0

step 6 - I have no idea what to include here because we find out as we go what will and will not get through to the outside hosts. Game boxes and TV connections, e.g. Amazon Fire and ROKU, are having issues. I don't believe I want to use "any", right?

step 7 - Is this the address of the NIC connected to my modem? If so, it is served by DHCP so it will change. Or do I use a "0" in the last octet of the served address?

step 8 - I do not have a server on my LAN so what do I put in that box?

step 9 - again a vague statement for a beginner. Specific examples would be extremely helpful here. Is that the "Internal" defined as 192.168.0.1, or "Internal" defined as 192.168.0.0?


If the UTM is not used as a DNS forwarder: 

If the UTM is not used as a DNS forwarder, you can either perform steps analogous to the above on your DNS server, or create a Full-NAT rule on the UTM to allow it to forward traffic properly.

  1. Browse to Network Protection | NAT | NAT.
  2. Click New NAT rule...
  3. Under Position, change the number such that it is the same as your existing DNAT rule.
    • This will cause the new rule to be immediately above the existing rule.
    • If the Full-NAT rule is below the DNAT rule, the DNAT rule will apply instead, and the Full-NAT rule will not work.
  4. Change Rule Type to Full NAT (Source + Destination).
  5. Under For traffic from, choose your affected internal network.
    • For example: Internal (LAN) (Network)
  6. Under Use service, choose the appropriate service or group of services (e.g. HTTP, HTTPS, etc.).
  7. Under Going to, choose the external address of the server to be forwarded.
    • For example: External (WAN) (Address)
  8. Under Change the destination to, choose the internal address of the server.
  9. Under Change the source to, choose your UTM's internal address object for the appropriate internal network.
    • For example: Internal (LAN) (Address)
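
The ordering requirement in step 3 and the source rewrite in step 9 are easiest to see in a small first-match NAT simulation. The following is an added Python example, not Sophos code and not part of the KB article or the post; it models a LAN client connecting to the WAN address of a port-forwarded server with and without the Full NAT rule placed above the DNAT rule. The UTM's internal address 192.168.0.1 is the one given in the post above; the WAN address (203.0.113.10, from the documentation range), the forwarded server (192.168.0.20) and the client (192.168.0.50) are constructed placeholders.

```python
"""Toy first-match NAT table modelling the hairpin (Full NAT) case.
Added illustration; every address below except the UTM's internal
address 192.168.0.1 (given in the post) is a constructed placeholder."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")                 # "Any" source
LAN = ipaddress.ip_network("192.168.0.0/24")            # Internal (LAN) (Network)
UTM_LAN_ADDR = ipaddress.ip_address("192.168.0.1")      # Internal (LAN) (Address)
WAN_ADDR = ipaddress.ip_address("203.0.113.10")         # External (WAN) (Address), constructed
SERVER = ipaddress.ip_address("192.168.0.20")           # forwarded internal server, constructed
CLIENT = ipaddress.ip_address("192.168.0.50")           # a LAN host such as a console, constructed
HTTPS = 443                                             # "Use service"


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str                                      # "dnat" or "full"
    src_net: ipaddress.IPv4Network                 # "For traffic from"
    dst: ipaddress.IPv4Address                     # "Going to"
    dport: int                                     # "Use service"
    new_dst: ipaddress.IPv4Address                 # "Change the destination to"
    new_src: Optional[ipaddress.IPv4Address] = None  # "Change the source to" (Full NAT only)

    def matches(self, p: Packet) -> bool:
        return p.src in self.src_net and p.dst == self.dst and p.dport == self.dport


def apply_nat(rules: List[NatRule], p: Packet) -> Tuple[Optional[str], Packet]:
    """Walk the table top to bottom; the first matching rule wins (step 3)."""
    for r in rules:
        if r.matches(p):
            out = replace(p, dst=r.new_dst)
            if r.kind == "full" and r.new_src is not None:
                out = replace(out, src=r.new_src)
            return r.name, out
    return None, p


def hairpin_works(rules: List[NatRule], client: ipaddress.IPv4Address = CLIENT) -> bool:
    """Does a LAN client that connects to WAN_ADDR get a reply it will accept?"""
    _, fwd = apply_nat(rules, Packet(client, WAN_ADDR, HTTPS))
    if fwd.dst != SERVER:
        return False                      # the request never reached the server
    # The server answers whichever source address it saw on the request.
    if fwd.src == UTM_LAN_ADDR:
        # The reply returns through the UTM, which reverses both translations,
        # so the client sees the reply come from WAN_ADDR as it expects.
        return True
    # Otherwise the server replies straight across the LAN from its own
    # address; the client opened the connection to WAN_ADDR, so it rejects
    # a reply from SERVER and the connection never completes.
    return False


# The existing port-forward: any source, to the WAN address, on HTTPS.
DNAT_RULE = NatRule("dnat-https", "dnat", ANY, WAN_ADDR, HTTPS, SERVER)
# The Full NAT rule from the steps above, for LAN clients only.
FULL_NAT_RULE = NatRule("hairpin-https", "full", LAN, WAN_ADDR, HTTPS, SERVER, UTM_LAN_ADDR)

if __name__ == "__main__":
    print("Full NAT above DNAT:", hairpin_works([FULL_NAT_RULE, DNAT_RULE]))
    print("DNAT above Full NAT:", hairpin_works([DNAT_RULE, FULL_NAT_RULE]))
    print("DNAT only:          ", hairpin_works([DNAT_RULE]))
```

Running it shows the two failure modes the steps guard against: with the DNAT rule first, the "Any" source matches the LAN client before the Full NAT rule is ever consulted, so the source is never rewritten; and without a source rewrite the server answers the client directly on the LAN, bypassing the UTM, which is exactly why step 9 sets the source to the UTM's own internal address rather than leaving the client's.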


  • I have tried to document all that I have learned.   Start with the remaining articles in the Recommended Reading section.

    I think the problem is with web filtering.   Especially for your TV and Gaming devices, it is important to be using Transparent Mode web filtering, and probably exempt from most everything, or exempt from web filtering completely.   This will work better if you have a static address on those devices. 

    I have learned that DNS forwarding can interfere with RBLs (specifically Zen, possibly others), so I recommend disabling all outbound-DNS forwarding.

    You do not have an internal DNS server, so you should not need to worry about your domain.

    You can send me a PM if this does not move your effort forward at all.


  • As I've said elsewhere, Doug, I think zen is an outlier and should be handled with a Request Route instead of removing Forwarders as that would also require work at the command line to maintain reasonably-fast DNS resolution.  I still think DNS best practice represents the best solution.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA