

How to connect vm Sophos firewall port with vm ubuntu port in VMEsxi?

I have a problem when adding filtering rules in the Sophos VM to block ICMP when pinging the Ubuntu VM IP. ICMP still replies; I feel the Sophos firewall VM isn't connected with Ubuntu. Can you help me, everybody?

Thank you



  • Hello,

    both servers are virtual machines on the same ESXi-host?

    Please supply us with the IP addresses, the NICs and the gateways.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • yes sir, ubuntu server and sophos firewall as vm on the same ESXi.

    for ip :  

    - ip ubuntu server : 192.168.1.4/24
    - ip sophos (2 interface) 
          port2 (as gateway ip ubuntu server) >> 192.168.1.3/24
          port1 (interface connect to client) >> 192.168.1.2/24
    - ip client : 192.168.1.1/24
    - ip vm esxi : 192.168.1.5/24

  • I would suspect that the firewall is not seeing any of the traffic because the VM switch is routing all the traffic on the same network.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • When I set a specific zone & specific source (not any), the client can still ping the Ubuntu server VM.

  • That's my point as well!

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Even if you defined two interfaces for the sophos vm, you have put them into the same IP network. This will not work as desired.

    Firewalling is only working when the firewall is BETWEEN the source and the target.

    So you could use 192.168.10.1 on port1 and the 192.168.10.0 /24 network for your clients.

    Then the Sophos vm will route the traffic between its two legs port 1 in 192.168.10.0 /24 and port2 in 192.168.1.0 /24.

    Then your firewall rules will start to work - magic!

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
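The point made in the reply above, as an added example that is not part of the original thread: a packet only crosses the firewall when source and destination sit in different IP networks, so the two addressing plans can be checked before touching any rules. The function names and the client address 192.168.10.50 are assumptions made for illustration, and all hosts are assumed to share one virtual switch.

```python
from ipaddress import ip_interface

def overlapping_ports(fw_ports):
    """Return pairs of firewall ports whose addresses sit in the same IP network."""
    names = sorted(fw_ports)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ip_interface(fw_ports[a]).network.overlaps(
                ip_interface(fw_ports[b]).network)]

def forwarding_path(src, dst, fw_ports):
    """Classify how a packet from src reaches dst (both given as 'ip/prefix').

    'direct'        destination is on-link for the source: the host ARPs for it
                    and the virtual switch delivers the frame, bypassing the
                    firewall, so no firewall rule is ever evaluated.
    'routed a->b'   destination is off-link and the firewall has one port in
                    each network, so its rules apply (assumes the source uses
                    the firewall's address in its network as default gateway).
    'no route'      the firewall has no port in one of the two networks.
    """
    s, d = ip_interface(src), ip_interface(dst)
    if d.ip in s.network:
        return "direct"
    nets = {n: ip_interface(c).network for n, c in fw_ports.items()}
    ingress = [n for n in sorted(nets) if s.ip in nets[n]]
    egress = [n for n in sorted(nets) if d.ip in nets[n]]
    if ingress and egress:
        return f"routed {ingress[0]}->{egress[0]}"
    return "no route"

# Plan first posted in the thread: both firewall ports in 192.168.1.0/24.
ORIGINAL = {"port1": "192.168.1.2/24", "port2": "192.168.1.3/24"}
# Plan suggested in the reply: clients move to 192.168.10.0/24 behind port1.
SUGGESTED = {"port1": "192.168.10.1/24", "port2": "192.168.1.3/24"}
UBUNTU = "192.168.1.4/24"

if __name__ == "__main__":
    cases = (
        ("original", ORIGINAL, "192.168.1.1/24"),
        ("suggested", SUGGESTED, "192.168.10.50/24"),  # constructed client address
    )
    for label, ports, client in cases:
        print(label, "| overlapping ports:", overlapping_ports(ports),
              "| client -> ubuntu:", forwarding_path(client, UBUNTU, ports))
```
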

  • ok sir, i try it.
    from trying 2 network schema, for ip :  

    - ip ubuntu server : 192.168.10.2/24
    - ip sophos (2 interface) 
          port2 (as gateway ip ubuntu server) >> 192.168.10.1/24
          port1 (interface connect to client) >> 192.168.1.2/24
    - ip client : 192.168.1.1/24
    - ip vm esxi : 192.168.1.5/24


    summary :  
     1. client can ping interface vm firewall (port 1, port 2) & ip vm esxi, but cannot ping ip ubuntu (rto)
     2. ubuntu can ping interface vm firewall (port 1, port 2) , but cannot ping ip vm esxi & cannot ping ip client


    i have done for :  

     1. add static routing in sophos
     2. add gateway in interface client & ubuntu
     3. delete firewall rules & ACL rules in vm sophos firewall

    can you help me sir for this case?

  • I am confused: at first you wanted to BLOCK icmp packets from client reaching the ubuntu server, now that we achieved this, you want them to get through?

    You will need to define a firewall-rule to access your FTP-server on the ubuntu-system from your client. That's all.

    And static routing on the Sophos-system is not needed, as the Sophos-VM has a leg in both networks. So the IP-routing already "knows" about these two networks. The rest was already correct, the client has to have 192.168.1.2 as gateway and the ubuntu-server has to use 192.168.10.1 as gateway.

    You are almost done.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Oh I see, OK sir.

    Now I haven't applied any filter rules yet, but why can't the client ping the Ubuntu IP? (request timed out)