
Forward IP address in Sophos

Hi, Here is my network setup:

[Internal Devices with static IP assigned from DHCP by UTM]<-->[wireless Router/switch in AP mode]<-->[UTM]<-->Verizon Fios Router<-->Internet

Everything is working fine on network and I love Sophos for flexibility of doing stuff in a centralized manner.

Yesterday, I added a FreeNAS server (which I assigned a static IP from my Sophos UTM DHCP) and also enabled the OwnCloud plugin, which gets a new internal IP address from the DHCP pool.

Now I want to expose that OwnCloud to my WAN so that I can access it from anywhere outside my home network. Currently its IP address is 192.168.2.10 (I will eventually assign it a static IP address).

I believe I am still playing with double NAT, since my Fios router is distributing IPs in the range of 192.168.1.x and the UTM is distributing IPs on 192.168.2.x.

So now I want to forward that IP address so that I can access it using a domain name (one I will get from no-ip). How can I achieve that? Can someone please advise me on it?

I would also like to expose my UTM WebAdmin using another domain name at some point in time.

Thanks a lot

Andy

  • Hey Andy.

    Since you are double NATting, you need to first create a NAT rule in your Fios router forwarding the port to Sophos UTM's IP and then a DNAT rule forwarding packets arriving at the external interface of the UTM with that port to 192.168.2.10.

    If possible talk to your ISP for instructions on bridging that Fios router and providing the external IP directly to Sophos UTM. It would make your life a whole lot easier.

    Regards,

    Giovani


  • Giovani,

    Thanks for your response. I forwarded port 80 to the WAN address of my UTM on my Fios router.

    I created a new NAT rule as follows:

    Rule Type: DNAT

    For Traffic From: External (WAN) (Address)

    Using Service: Http

    Going To: FreeNAS IP Address (192.168.2.172)


    Action:

    Change the destination to: OwnCloud (192.168.2.10)

    And Service To: Http

    Automatic Firewall Rule: Checked.

    Now it is hitting the Sophos UTM, but http://myexternalIPAddress throws a Sophos error that the "Connection to server has timed out".


    Can you please suggest the solution to it?

    Am I doing the right thing?


    Thanks

    Andy


  • EDIT: sorry, I gave you wrong instructions for the DNAT part before. I corrected it below.

    Hey Andy.

    I think your DNAT rule should be:


    Rule Type: DNAT

    For Traffic From: Any or Internet IPv4

    Using Service: Http

    Going To: External (WAN) (Address)

    Change Destination to: Owncloud (192.168.2.10)

    Also, this would only work when accessing from outside your network. This DNAT rule would not work if you test it from within the 192.168.2.0/24 network; you need to test it using another connection like 4G or something.

    If you want to access your OwnCloud from the internal network using the external URL, you could create a static DNS entry pointing myexternal to 192.168.2.10. As long as your client queries the UTM for DNS resolution, the UTM should point it to your OwnCloud IP. That way DNAT would cover access when you are outside your network and the static DNS entry would cover access when you are inside your network. To create the static DNS entry, edit your "OwnCloud" network definition, expand "DNS settings" and add your external URL into "Hostname".


    Regards,

    Giovani

  • Giovani,

    I made changes as you suggested and it seems to be working fine.

    As you mentioned creating a static DNS entry, I really don't know how to create one, but when I tried the external URL, I can still access it from within my internal network. Here are my firewall rules. I want to confirm that I don't provide access to any unneeded intruders in my home network:

    1. Internal Network --> Any Service --> Any
    2. External (WAN) (Address) --> Any Service --> Internal (Network)
    3. Internal (Network) --> Any Service --> Internal (Network) ---> I had to do it to make my FreeNAS network share work

    I have one Masq rule:

    Internal (Network) --> External (WAN)

    I am sorry if this sounds like a dumb configuration, but I mostly followed people's videos to bring up my configuration. Please advise if I need to tighten up my security by doing something else OR by restricting any of the rules above.

    Thanks

    Andy

  • #2 has no effect, Andy.  #3 is only needed in case of a bridge where you have different Ethernet segments in the same subnet but on two different, physical NICs.

    When dealing with blocked/missing packets, it pays to observe #2 through #5 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
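    As an added illustration (not code from this thread, from Sophos, or from any of the posters), here is a small Python model of Giovani's corrected DNAT rule and Andy's three firewall rules. It shows why an Internet client reaches OwnCloud through the DNAT's automatic firewall rule, why rule #2 never matches inbound traffic (its source, External (WAN) (Address), is the UTM's own WAN IP, not the Internet), and why rule #3 is redundant next to rule #1. The UTM WAN address 192.168.1.50 and the client addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses mirroring the thread: the UTM's WAN side sits in the
# Fios router's 192.168.1.x range, the LAN is 192.168.2.0/24, OwnCloud is .10.
WAN_ADDRESS = "192.168.1.50"          # assumed value of "External (WAN) (Address)"
INTERNAL_NETWORK = "192.168.2.0/24"   # "Internal (Network)"
OWNCLOUD = "192.168.2.10"             # OwnCloud host from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def matches(definition, ip):
    """UTM-style host/network definition match; "Any" matches every address."""
    if definition == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(definition, strict=False)


def dnat(pkt):
    """Giovani's rule: Any -> External (WAN) (Address), HTTP, change destination to OwnCloud.
    Returns the (possibly rewritten) packet and whether the automatic firewall rule applies."""
    if matches(WAN_ADDRESS, pkt.dst) and pkt.dport == 80:
        return replace(pkt, dst=OWNCLOUD), True
    return pkt, False


# Andy's three allow rules as (name, source definition, destination definition), any service.
RULES = [
    ("rule1", INTERNAL_NETWORK, "Any"),
    ("rule2", WAN_ADDRESS, INTERNAL_NETWORK),   # source is the UTM's own WAN IP
    ("rule3", INTERNAL_NETWORK, INTERNAL_NETWORK),
]


def first_matching_rule(pkt):
    """Name of the first allow rule matching the post-DNAT packet, or None (dropped)."""
    for name, src, dst in RULES:
        if matches(src, pkt.src) and matches(dst, pkt.dst):
            return name
    return None


def evaluate(pkt):
    """DNAT runs before the firewall; return (translated packet, rule that allowed it or None)."""
    translated, auto_allowed = dnat(pkt)
    if auto_allowed:
        return translated, "dnat-auto-rule"
    return translated, first_matching_rule(translated)
```

Running evaluate() on an Internet client hitting port 80 yields the DNAT automatic rule, the same client on port 443 matches nothing (rule #2 included), and a LAN host reaching the FreeNAS share is already allowed by rule #1 before rule #3 is consulted.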
  • BAlfson said:

    #2 has no effect, Andy.  #3 is only needed in case of a bridge where you have different Ethernet segments in the same subnet but on two different, physical NICs.

    When dealing with blocked/missing packets, it pays to observe #2 through #5 in Rulz.

    Cheers - Bob

    Bob,

    you are correct. I disabled both rules #2 and #3 and everything is still in place and working. In fact, I was worrying the most about #2, since I was allowing access to my internal network for any service from an external address.

    I will also follow your Rulz link and try to digest it.

    You truly are a rock star.

    Thanks a bunch