Sophos Firewall Route traffic through GRE Tunnel

Hello Raphael Alganes 

What's the route you have added for GRE, if its specific subnet then X4B.net might be expecting you to forward all traffic to them (i.e. default route need to be added)

With GRE, you can only add static routes and policy routing (specific service based routing - SMTP in your case) is not possible. alternatively you can opt for route based VPN and then create SD-WAN policy routes for your requirement.

Hi Hardik,

Thank you for getting back to me. The route that I added for GRE was 10.16.0.124/255.255.255.252. I did this with the following command: system gre route add net 10.16.0.124/255.255.255.252 tunnelname gre.

X4B.net supplied me with the following info for the tunnel:

I created the GRE tunnel with the following command:

system gre tunnel add name gre local-gw PortB remote-gw ***.**.***.** local-ip 10.16.0.126 remote-ip 10.16.0.125.

X4B.net also give a script to add the tunnel to a Windows / Linux environment, but doing this would (I think) stop me from being able to use the email protection feature on the Sophos Firewall, as everything would be done within the server hosting Exchange.

Regards,
Richard

Hello Richard,

According to this config, firewall will only forward traffic destined for 10.16.0.124/255.255.255.252 to GRE tunnel and other traffic will still pass through regular WAN gateway.

I assume you have followed the article from X4B.net related to mikrotik router in which they are adding the default route (0.0.0.0/0)

So you have 2 option:

1. Forward all traffic to GRE 
2. Opt for route based VPN and then create SD-WAN policy routes for your requirement to route specific SMTP traffic to X4B.since With GRE, you can only add static routes and policy routing (specific service based routing - SMTP in your case) is not possible.

Hi Hardik,

Thank you for getting back to me and with the suggestions, I really appreciate it. I am just trying to get my head around this but really struggling with the lack of support from X4B. They don't appear to want to help or answer my question if port 25 needs administrator approval or not from their end. I discovered one of their guides that stated that some ports below port 80, require approval at their end.

I think what is making this process most confusing is that I still have a Sophos UTM in the middle of this. I only have one WAN connection and that is connected to the Sophos UTM. I then have the Sophos Firewall running as a VM with the WAN port on the DMZ network. I have tried creating a DNAT rule on the Sophos UTM, to direct all GRE traffic from the WAN port, to the IP of the WAN port of the Sophos Firewall. I can see when I try to ping the tunnel from the X4B side, that the ping hits the WAN port of the Sophos UTM and then the DNAT rule moves it over to the Sophos Firewall. I can see this in the connection list on the Sophos Firewall as well, but the ping from the X4B end shows as failed. I think I need a NAT rule on the Sophos Firewall to route it back through to the Sophos UTM?

The Sophos Firewall is really confusing me a bit as Sophos UTM didn't have zones etc. and I am really struggling to get my head around this. It's also quite difficult not to have a live firewall log any more, I'll miss the live firewall log from the Sophos UTM... really useful when trying to diagnose something!

I really think I'm not going to be able to achieve what I am trying to achieve as I have zero support from the X4B side. I can currently ping the tunnel from the Sophos Firewall, but can't ping the tunnel from the X4B side. I tried option 2 from your list and I can see from the log that SMTP traffic is being sent to the GRE tunnel, but the email gets bounced and I don't see anything on the Sophos UTM firewall log (it's as if it isn't leaving the Sophos Firewall? / Doesn't know how to?) Also, when I add the route with 0.0.0.0/0.0.0.0, I can then no longer ping the tunnel from the Sophos Firewall. If I delete that route, the ping is then successful again.

I've nearly spent a month on this now trying to get this to work, I just wish there was a guide from start to finish on setting up a GRE tunnel through NAT and routing traffic through it on the Sophos Firewall.

Cheers,
Richard

Hi Hardik,

Thank you for getting back to me and with the suggestions, I really appreciate it. I am just trying to get my head around this but really struggling with the lack of support from X4B. They don't appear to want to help or answer my question if port 25 needs administrator approval or not from their end. I discovered one of their guides that stated that some ports below port 80, require approval at their end.

I think what is making this process most confusing is that I still have a Sophos UTM in the middle of this. I only have one WAN connection and that is connected to the Sophos UTM. I then have the Sophos Firewall running as a VM with the WAN port on the DMZ network. I have tried creating a DNAT rule on the Sophos UTM, to direct all GRE traffic from the WAN port, to the IP of the WAN port of the Sophos Firewall. I can see when I try to ping the tunnel from the X4B side, that the ping hits the WAN port of the Sophos UTM and then the DNAT rule moves it over to the Sophos Firewall. I can see this in the connection list on the Sophos Firewall as well, but the ping from the X4B end shows as failed. I think I need a NAT rule on the Sophos Firewall to route it back through to the Sophos UTM?

The Sophos Firewall is really confusing me a bit as Sophos UTM didn't have zones etc. and I am really struggling to get my head around this. It's also quite difficult not to have a live firewall log any more, I'll miss the live firewall log from the Sophos UTM... really useful when trying to diagnose something!

I really think I'm not going to be able to achieve what I am trying to achieve as I have zero support from the X4B side. I can currently ping the tunnel from the Sophos Firewall, but can't ping the tunnel from the X4B side. I tried option 2 from your list and I can see from the log that SMTP traffic is being sent to the GRE tunnel, but the email gets bounced and I don't see anything on the Sophos UTM firewall log (it's as if it isn't leaving the Sophos Firewall? / Doesn't know how to?) Also, when I add the route with 0.0.0.0/0.0.0.0, I can then no longer ping the tunnel from the Sophos Firewall. If I delete that route, the ping is then successful again.

I've nearly spent a month on this now trying to get this to work, I just wish there was a guide from start to finish on setting up a GRE tunnel through NAT and routing traffic through it on the Sophos Firewall.

Cheers,
Richard