Sophos Firewall Route traffic through GRE Tunnel

Hello,

I am really struggling with this and would greatly appreciate any help that could be given. I have set up an X4B.net GRE tunnel using this guide: https://support.sophos.com/support/s/article/KB-000035813?language=en_US#GRE_route. This seems to be functioning and I can ping the remote gateway from the Sophos Firewall (as long as I do not select an interface under Diagnostics > Tools > Ping).

The difficulty that I am currently having is that I can't seem to find a way of routing SMTP traffic to the GRE tunnel. As this is a GRE tunnel, nothing for it shows in the control panel so I am not sure how to route this traffic as there is no visible interface for this tunnel.

GRE / IPIP is the only option that I have at the moment and routing SMTP through the X4B tunnel is supported, I just don't know how to configure this on the Sophos Firewall.

I have tried creating a NAT rule but every time I send an email to the Sophos Firewall, it's sent out via the WAN port instead of the GRE tunnel.

I'd really appreciate any help that could be given. I've spent days on this and I am really unfamiliar with the Sophos Firewall as I am still currently using the Sophos UTM and haven't yet moved over fully to the Sophos Firewall.

Cheers,
Richard



[edited by: Raphael Alganes at 1:04 AM (GMT -8) on 19 Feb 2024]
  • Hello,

    Thanks for reaching out to Sophos Community

    Could you open your SF console, select the option, and then enter the following command: system route_precedence show

    The result must show the following:

    Routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes

    If VPN routes are not above Static routes, rearrange the route precedence by entering the following command.

    system route_precedence set policyroute vpn static

    Kindly let us know how it goes. Have a nice day and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.

  • Hi Raphael,

    Thank you so much for getting back to me and for providing me with the info and commands. I ran the first command and this returned the following:

    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    I don't seem to have "Policy routes" but I have "SD-WAN policy routes".

    The second command didn't work for me (not sure why?), but I tried "sdwan_policyroute" instead, which it did accept. The routes now show as:

    Routing Precedence:
    1. SD-WAN policy routes
    2. VPN routes
    3. Static routes

    I've tried sending another test email after making that change but it's still routing through the WAN port (PortB) and showing the WAN IP address as the sender of the message in the email header.

    I am not sure if I have missed something, I have a feeling that routing needs to be set up via the CLI? I only have a MASQ NAT rule set up at the moment. I used this guide: Sophos Firewall: How to setup MTA mode when you have multiple WAN ports or alias IP addresses.

    Regards,
    Richard

  • Hello,

    What's the route you have added for GRE? If it's a specific subnet, then X4B.net might be expecting you to forward all traffic to them (i.e. a default route needs to be added).

    With GRE, you can only add static routes; policy routing (specific service-based routing, SMTP in your case) is not possible. Alternatively, you can opt for a route-based VPN and then create SD-WAN policy routes for your requirement.

    Hardik R 

  • Hi Hardik,

    Thank you for getting back to me. The route that I added for GRE was 10.16.0.124/255.255.255.252. I did this with the following command: system gre route add net 10.16.0.124/255.255.255.252 tunnelname gre.

    X4B.net supplied me with the following info for the tunnel:

    Internal IP      Role
    10.16.0.124/30   Network
    10.16.0.125      Unified Gateway
    10.16.0.126      Bound via NAT to ***.**.***.**
    10.16.0.127      Broadcast


    I created the GRE tunnel with the following command:

    system gre tunnel add name gre local-gw PortB remote-gw ***.**.***.** local-ip 10.16.0.126 remote-ip 10.16.0.125.

    X4B.net also give a script to add the tunnel to a Windows / Linux environment, but doing this would (I think) stop me from being able to use the email protection feature on the Sophos Firewall, as everything would be done within the server hosting Exchange.

    Regards,
    Richard

  • Hello Richard,

    According to this config, the firewall will only forward traffic destined for 10.16.0.124/255.255.255.252 to the GRE tunnel, and other traffic will still pass through the regular WAN gateway.

    I assume you have followed the article from X4B.net related to the MikroTik router, in which they are adding the default route (0.0.0.0/0).


    So you have 2 options:

    1. Forward all traffic to GRE 
    2. Opt for a route-based VPN and then create SD-WAN policy routes for your requirement to route specific SMTP traffic to X4B, since with GRE you can only add static routes and policy routing (specific service-based routing, SMTP in your case) is not possible.

    Hardik R 
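Added example (not from the thread, and not Sophos or X4B code): a small longest-prefix-match lookup that models the two options above. With only the 10.16.0.124/30 route, traffic to a remote mail server still leaves via PortB; with a 0.0.0.0/0 route via the tunnel, the GRE-encapsulated packets themselves are looked up against the same table, and if the tunnel endpoint also resolves to the tunnel, the route is recursive and nothing can leave. That is offered here as one plausible reading of the symptom reported later in the thread (tunnel ping failing as soon as the default route is added), stated as an assumption; the host route to the endpoint is likewise an assumption, and the thread does not say whether Sophos Firewall needs one. The interface names follow the thread; every address other than the 10.16.0.124/30 tunnel network is a placeholder.

```python
import ipaddress

# Interface names follow the thread; all public addresses are placeholders.
WAN_IF = "PortB"
TUNNEL_IF = "gre"
X4B_ENDPOINT = "198.51.100.10"   # placeholder for the masked X4B remote-gw
SMTP_PEER = "203.0.113.25"       # placeholder for some remote mail server


def make_table(default_via_tunnel=False, endpoint_host_route=False):
    """Routes as (network, interface). On a prefix-length tie the earlier
    entry wins, which models a tunnel default being preferred over the WAN."""
    routes = []
    if endpoint_host_route:
        # Assumption: a /32 to the tunnel endpoint pinned to the WAN.
        routes.append((X4B_ENDPOINT + "/32", WAN_IF))
    if default_via_tunnel:
        # Option 1 from the thread: forward everything to X4B.
        routes.append(("0.0.0.0/0", TUNNEL_IF))
    # system gre route add net 10.16.0.124/255.255.255.252 tunnelname gre
    routes.append(("10.16.0.124/30", TUNNEL_IF))
    # Regular WAN default via PortB.
    routes.append(("0.0.0.0/0", WAN_IF))
    return [(ipaddress.ip_network(n), i) for n, i in routes]


def lookup(table, dst):
    """Longest-prefix match; earlier entry wins on equal prefix length."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, ifname in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def egress(table, dst):
    """Return (interface, outer_interface, recursive).

    A packet routed into the tunnel is encapsulated and the outer packet is
    routed again, this time to X4B_ENDPOINT. If that second lookup also hits
    the tunnel, the route is recursive and the tunnel cannot carry anything.
    """
    ifname = lookup(table, dst)
    if ifname != TUNNEL_IF:
        return (ifname, None, False)
    outer = lookup(table, X4B_ENDPOINT)
    return (ifname, outer, outer == TUNNEL_IF)


if __name__ == "__main__":
    for label, table in [
        ("only /30 via gre", make_table()),
        ("plus 0.0.0.0/0 via gre", make_table(default_via_tunnel=True)),
        ("plus endpoint /32 via PortB", make_table(True, True)),
    ]:
        print(label)
        for dst in ("10.16.0.125", SMTP_PEER):
            print("  ", dst, "->", egress(table, dst))
```

With only the /30, `egress(table, SMTP_PEER)` returns PortB, which is the behaviour Richard observed in the mail headers; with the tunnel default and no host route, both the tunnel peer and the mail server resolve to a recursive route.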

  • Hi Hardik,

    Thank you for getting back to me and with the suggestions, I really appreciate it. I am just trying to get my head around this but really struggling with the lack of support from X4B. They don't appear to want to help or answer my question if port 25 needs administrator approval or not from their end. I discovered one of their guides that stated that some ports below port 80, require approval at their end.

    I think what is making this process most confusing is that I still have a Sophos UTM in the middle of this. I only have one WAN connection and that is connected to the Sophos UTM. I then have the Sophos Firewall running as a VM with the WAN port on the DMZ network. I have tried creating a DNAT rule on the Sophos UTM to direct all GRE traffic from the WAN port to the IP of the WAN port of the Sophos Firewall. I can see when I try to ping the tunnel from the X4B side that the ping hits the WAN port of the Sophos UTM and then the DNAT rule moves it over to the Sophos Firewall. I can see this in the connection list on the Sophos Firewall as well, but the ping from the X4B end shows as failed. I think I need a NAT rule on the Sophos Firewall to route it back through to the Sophos UTM?

    The Sophos Firewall is really confusing me a bit as Sophos UTM didn't have zones etc. and I am really struggling to get my head around this. It's also quite difficult not to have a live firewall log any more, I'll miss the live firewall log from the Sophos UTM... really useful when trying to diagnose something!

    I really think I'm not going to be able to achieve what I am trying to achieve as I have zero support from the X4B side. I can currently ping the tunnel from the Sophos Firewall, but can't ping the tunnel from the X4B side. I tried option 2 from your list and I can see from the log that SMTP traffic is being sent to the GRE tunnel, but the email gets bounced and I don't see anything on the Sophos UTM firewall log (it's as if it isn't leaving the Sophos Firewall? / Doesn't know how to?) Also, when I add the route with 0.0.0.0/0.0.0.0, I can then no longer ping the tunnel from the Sophos Firewall. If I delete that route, the ping is then successful again.

    I've nearly spent a month on this now trying to get this to work, I just wish there was a guide from start to finish on setting up a GRE tunnel through NAT and routing traffic through it on the Sophos Firewall.

    Cheers,
    Richard

  • Hi Hardik,

    After doing more testing, it turns out that what I have currently set on the Sophos firewall is correct. As a test (now disabled), I added an Any>Any rule on the Sophos UTM firewall and the test email sent successfully over the GRE tunnel. I just now need to work out what rule I need to create on the Sophos UTM firewall to allow this to function! The strange thing is that when looking at the Sophos UTM firewall log whilst sending a test email, nothing in relation to the Sophos Firewall or the GRE tunnel show as being blocked.

    Richard

  • Hello Richard,

    Good to see the progress.

    To identify what rule you need to create, you can check the Sophos UTM firewall log related to that test rule you have created and observe the source/destination IP/port while sending a test email, and accordingly create a specific rule.

    Since this will mostly be GRE packets, I assume all traffic will have the destination IP within the 10.16.0.124/30.

    Hardik R 
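Added example (not from the thread, and not Sophos, X4B or UTM code): it builds a GRE-encapsulated SMTP SYN of the kind the X4B side would send inbound over the tunnel, then decapsulates it, to show what each device in Richard's chain can match on. The UTM in front of the tunnel endpoint only sees the outer header (IP protocol 47 between the two public endpoints; the 10.16.0.124/30 addresses and TCP port 25 are inside the GRE payload), while the Sophos Firewall sees 10.16.0.125 -> 10.16.0.126 TCP/25 after decapsulation. The two public addresses are placeholders; the tunnel addresses are the ones from the thread.

```python
import struct
import ipaddress

GRE_PROTO = 47
TCP_PROTO = 6
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header with a valid checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_gre_smtp_packet(outer_src, outer_dst, inner_src, inner_dst, dport=25):
    """Constructed sample: outer IPv4 / GRE (no C/K/S flags) / inner IPv4 / TCP SYN."""
    # TCP checksum is left zero; this example only parses headers.
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header(inner_src, inner_dst, TCP_PROTO, len(tcp)) + tcp
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def parse_ipv4(buf: bytes):
    """Return ({src, dst, proto}, payload) after verifying the header checksum."""
    ihl = (buf[0] & 0x0F) * 4
    if ip_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", buf[2:4])[0]
    hdr = {"src": str(ipaddress.ip_address(buf[12:16])),
           "dst": str(ipaddress.ip_address(buf[16:20])),
           "proto": buf[9]}
    return hdr, buf[ihl:total_len]


def decapsulate(pkt: bytes):
    """Strip outer IPv4 and GRE; return outer header, inner header and TCP ports."""
    outer, payload = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack("!HH", payload[:4])
    hdr_len = 4
    if flags & 0xC000:   # C or R bit: checksum + offset word present
        hdr_len += 4
    if flags & 0x2000:   # K bit: key present
        hdr_len += 4
    if flags & 0x1000:   # S bit: sequence number present
        hdr_len += 4
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % proto)
    inner, inner_payload = parse_ipv4(payload[hdr_len:])
    result = {"outer": outer, "inner": inner}
    if inner["proto"] == TCP_PROTO:
        sport, dport = struct.unpack("!HH", inner_payload[:4])
        result["tcp"] = {"sport": sport, "dport": dport}
    return result


def utm_sees(pkt: bytes):
    """What a firewall in front of the tunnel endpoint can match on: only the
    outer header (src, dst, protocol). Inner addresses and port 25 are invisible."""
    outer, _ = parse_ipv4(pkt)
    return (outer["src"], outer["dst"], outer["proto"])


if __name__ == "__main__":
    # Placeholders: X4B public endpoint -> Sophos Firewall WAN IP behind the UTM.
    pkt = build_gre_smtp_packet("198.51.100.10", "203.0.113.20", "10.16.0.125", "10.16.0.126")
    print("UTM can match on:", utm_sees(pkt))
    print("Sophos Firewall sees:", decapsulate(pkt))
```

The practical consequence is the one Richard ended up with: a UTM rule for this traffic has to allow the GRE protocol between the X4B endpoint and the Sophos Firewall WAN IP, because the UTM never sees 10.16.0.124/30 or TCP/25 in the packets it forwards.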

  • Hi Hardik,

    Thank you for your help again. I have created a rule on the Sophos UTM that will simply allow any source to go to and from the WAN IP of the Sophos Firewall. This has worked, maybe not the best approach but I plan on eliminating the Sophos UTM in a few months time if all goes well.

    I am just trying to get incoming mail to work through the tunnel. I can see incoming mail reaching the Sophos Firewall, but nothing is showing in the Mail Spool / Logs. I think it is because the GRE tunnel interface doesn't have SMTP Relay enabled; I wondered if there was an SSH command to do this, as the tunnel interface doesn't show in the GUI?

    This is the log entry that's showing traffic for incoming SMTP from the tunnel:



    Cheers,
    Richard