
expose host to the Internet

Hi there,

I have a UTM 230 and would like to have one host directly out in the Internet. With my internet connection I also have 8 IP addresses assigned from the provider.

Now, how to make one host from the (already existing) DMZ network appear directly in the Internet.

(Well, it would be acceptable if the server didn't know its external IP address...)

Here's what I am currently doing:

For incoming traffic, I added a DNAT rule: "Change the destination IP address to my server's if packets arrive on its public IP address."

I also added a SNAT rule saying: replace the sending IP address with the server's public IP address if traffic comes from my server's internal IP address.

Do I also need to configure any multipath rules?

Or should I use masquerading instead of SNAT?

Which IP address should I use for firewall rules protecting this host?

Is there a way to make the UTM transparent so that the server also sees the public IP address? (nice to have)

Is this setup correct?

Did I miss anything?

Can/should I use full NAT instead of SNAT and DNAT?

Is this setup also good in terms of performance?

There's also some web server protection.

But it seems that this is only for web servers. If using other services, I cannot use this feature, I guess.

It seems quite some work for a simple job.

I still keep thinking that there might be a simple option to use/reserve a specific "additional IP address" for a specific host, but there is none, right?

Best regards

Tom



  • Hi Thomas,

    if your host should be directly connected to the internet don’t use the UTM. Otherwise the host can be published via NAT or webserver protection. In webserver protection only http/s can be published. For other ports you have to rely on NAT.

    Best regards 

    Alex 

    -

  • Hi Thomas,

    ...appear directly in the Internet. (Well, it would be acceptable if the server didn't know its external IP address...)

    As stated by Alexander, DNAT or Webserver Protection are the options.

    For incoming traffic, I added a DNAT rule: "Change the destination IP address to my server's if packets arrive on its public IP address."

    That's OK. Isn't it working?

    I also added a SNAT rule saying: replace the sending IP address with the server's public IP address if traffic comes from my server's internal IP address.

    You don't need an additional SNAT rule for incoming traffic (or the answer packets).

    Do I also need to configure any multipath rules?

    Multipath is for traffic initiated internally. Otherwise, the inbound interface is used for outbound traffic too.

    Or should I use masquerading instead of SNAT?

    Only necessary for outbound initiated traffic.

    Which IP address should I use for firewall rules protecting this host?

    Because DNAT is configured granularly, I use the "automatic firewall rules for NAT" here.

    (If you don't wish this, copy the content from the "automatic firewall rule" and disable the auto FW rule.)

    Is there a way to make the UTM transparent so that the server also sees the public IP address? (nice to have)

    With DNAT the source IP isn't altered.

    Is this setup correct?

    Is something not working?

    Did I miss anything?

    possible ;-)

    Can/should I use full NAT instead of SNAT and DNAT?

    Use SNAT / Full NAT only if you wish to change the source IP (depends on the environment).

    Is this setup also good in terms of performance?

    Theoretically DNAT is more performant than WAF ... and less secure.

    There's also some web server protection.

    Yes, and you should use it ... if possible

    But it seems that this is only for web servers. If using other services, I cannot use this feature, I guess.

    Correct

    It seems quite some work for a simple job.

    not really

    I still keep thinking that there might be a simple option to use/reserve a specific "additional IP address" for a specific host, but there is none, right?

    That's possible ... create an additional/alternate IP (best practice: use a 32-bit network definition y.x.z.w/32).


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hallo Tom and welcome to the UTM Community!

    Alex and Dirk have given you great advice, but I still have some comments.

    A Full NAT is not equal to a DNAT and an SNAT.  Your DNAT+SNAT is correct.

    To make the UTM transparent so that the server has a public IP requires that you have a DMZ with a subnet of public IP addresses and that you do not define any IPs in this subnet as Additional Addresses on the WAN interface.  You then have your ISP route the IPs in your "public" DMZ to the IP of your WAN interface.

    The simple option for reserving a specific IP consists of not using it in an SNAT or DNAT for any other internal IP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
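Dirk's point that the answer packets need no extra SNAT rule, and Bob's point that a Full NAT is not the same thing as a DNAT plus an SNAT, both come down to how a stateful NAT tracks connections. The Python model below is an added illustration written for this page, not Sophos UTM code; all addresses (the public IP, the DMZ server, the UTM's DMZ interface, the client) are constructed placeholders from the RFC 5737 documentation ranges, and the connection table is a deliberately minimal stand-in for real connection tracking.

```python
"""Toy stateful NAT model of the DNAT / SNAT / Full NAT distinctions in this thread.

Added illustration, not Sophos UTM code: it models only the address rewriting
and the connection tracking that let reply packets flow back without extra rules.
All addresses are constructed placeholders (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # Additional Address on the UTM's WAN interface (constructed)
SERVER_IP = "192.168.10.5"   # the DMZ host being published (constructed)
UTM_DMZ_IP = "192.168.10.1"  # the UTM's own DMZ interface address (constructed)
CLIENT_IP = "198.51.100.77"  # an Internet client (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ToyNat:
    """DNAT for inbound connections, SNAT for connections the server opens,
    and a connection table that un-translates the replies of both."""

    def __init__(self, dnat=None, snat=None, full_nat=None):
        self.dnat = dnat or {}          # public IP -> internal IP
        self.snat = snat or {}          # internal IP -> public IP
        self.full_nat = full_nat or {}  # public IP -> (internal IP, rewritten source IP)
        self.conns = {}                 # translated 5-tuple -> original packet

    @staticmethod
    def _reply_key(direction, pkt):
        # A reply has src/dst swapped relative to the translated forward packet.
        return (direction, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    @staticmethod
    def _untranslate(orig):
        # Rebuild the reply exactly as the original peer expects it: swapped original tuple.
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

    def inbound(self, pkt):
        """Packet arriving on the WAN interface from the Internet."""
        orig = self.conns.get(self._reply_key("out", pkt))
        if orig:                         # answer to a SNATed connection the server opened
            return self._untranslate(orig)
        if pkt.dst in self.full_nat:     # Full NAT: destination AND source are rewritten
            internal, new_src = self.full_nat[pkt.dst]
            new = Packet(new_src, pkt.sport, internal, pkt.dport)
        elif pkt.dst in self.dnat:       # DNAT: only the destination changes, source kept
            new = Packet(pkt.src, pkt.sport, self.dnat[pkt.dst], pkt.dport)
        else:
            return pkt
        self.conns[("in", new.src, new.sport, new.dst, new.dport)] = pkt
        return new

    def outbound(self, pkt):
        """Packet leaving the DMZ toward the Internet."""
        orig = self.conns.get(self._reply_key("in", pkt))
        if orig:                         # server answering a published connection: no SNAT rule needed
            return self._untranslate(orig)
        if pkt.src in self.snat:         # a new connection the server opened itself
            new = Packet(self.snat[pkt.src], pkt.sport, pkt.dst, pkt.dport)
            self.conns[("out", new.src, new.sport, new.dst, new.dport)] = pkt
            return new
        return pkt


def dnat_plus_snat():
    """Tom's setup: DNAT publishes the server, SNAT covers what the server opens itself."""
    nat = ToyNat(dnat={PUBLIC_IP: SERVER_IP}, snat={SERVER_IP: PUBLIC_IP})
    to_server = nat.inbound(Packet(CLIENT_IP, 40000, PUBLIC_IP, 443))   # client -> published port
    reply = nat.outbound(Packet(SERVER_IP, 443, CLIENT_IP, 40000))       # server's answer
    opened = nat.outbound(Packet(SERVER_IP, 51000, "192.0.2.30", 80))    # server-initiated connection
    answer = nat.inbound(Packet("192.0.2.30", 80, PUBLIC_IP, 51000))     # remote's answer to it
    return to_server, reply, opened, answer


def full_nat_inbound():
    """The same client connection through a Full NAT rule instead of a DNAT."""
    nat = ToyNat(full_nat={PUBLIC_IP: (SERVER_IP, UTM_DMZ_IP)})
    to_server = nat.inbound(Packet(CLIENT_IP, 40000, PUBLIC_IP, 443))
    reply = nat.outbound(Packet(SERVER_IP, 443, UTM_DMZ_IP, 40000))      # server answers the UTM, not the client
    return to_server, reply


if __name__ == "__main__":
    for p in dnat_plus_snat():
        print(p)
    print(*full_nat_inbound(), sep="\n")
```

Running it shows the three things the replies above state: with DNAT the packet handed to the server still carries the client's source address, the server's reply is reverse-translated from the connection table (so there is nothing for an extra SNAT rule to do), and the SNAT rule only matters for connections the server opens on its own. With Full NAT the server instead sees the UTM's DMZ address as the client, which is why its logs lose the real source and why Bob says the two are not equivalent.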
  • ^^Bob, how is this practically implemented in UTM? Say your ISP assigned you 5 usable IPs, how are they distributed to UTM and servers?

  • With only five IPs, I would not use a DMZ with public IPs, rather Additional Addresses on the WAN interface and then DNATs and SNATs with internal servers in private IP ranges.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I was just reading up elsewhere that AT&T offers a block of 8 IPs for $15 additional. Of these 8, 5 are actually usable for clients. I don't recall how the others are distributed, for I believe they are used for broadcast, gateway and some other function?

  • With a /29 subnet you get 8 IP addresses.

    There are 2 unusable ones: the first (network address) and the last (broadcast address) in the block.

    One IP is assigned to the firewall as the "default gateway" for this network.

    So there are 5 IPs for devices.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
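Dirk's arithmetic for the /29, together with his earlier advice to define each Additional Address as a /32, can be checked with the Python standard library. This is an added example for this page, not Sophos code: the ISP block is a constructed documentation range, and the assumption that the firewall's WAN address takes the first usable IP is a convention chosen here, not something the UTM enforces.

```python
"""Plan which addresses of an ISP-assigned /29 can be published on the UTM.

Added example, not Sophos code. ISP_BLOCK is a constructed RFC 5737 range;
substitute the block your provider actually assigned.
"""
import ipaddress

ISP_BLOCK = "203.0.113.8/29"  # constructed placeholder for the provider's block


def plan_block(cidr: str) -> dict:
    """Split a block into network, broadcast, firewall gateway and usable host IPs."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())          # already excludes network and broadcast addresses
    gateway = hosts[0]                 # assumption: the firewall's WAN IP is the first usable one
    return {
        "network": net.network_address,
        "broadcast": net.broadcast_address,
        "gateway": gateway,
        "usable": hosts[1:],           # what is left for Additional Addresses / DNAT targets
    }


def additional_address_definition(ip: str, cidr: str) -> str:
    """Return the /32 host definition for an Additional Address (Dirk's best
    practice), refusing reserved or out-of-block addresses."""
    plan = plan_block(cidr)
    addr = ipaddress.ip_address(ip)
    if addr not in plan["usable"]:
        raise ValueError(f"{ip} is reserved or outside {cidr}")
    return f"{addr}/32"


if __name__ == "__main__":
    plan = plan_block(ISP_BLOCK)
    for role in ("network", "broadcast", "gateway"):
        print(f"{role:10} {plan[role]}")
    print("usable    ", ", ".join(str(h) for h in plan["usable"]))
    print("definition", additional_address_definition("203.0.113.10", ISP_BLOCK))
```

For the constructed block this reserves .8 (network), .15 (broadcast) and .9 (gateway), leaving .10 through .14, the five addresses Dirk describes; asking for a /32 definition of any reserved address raises an error instead of silently producing a conflicting Additional Address.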