Sophos Firewall Route traffic through GRE Tunnel

Hello,

I am really struggling with this and would greatly appreciate any help that could be given. I have set up an X4B.net GRE tunnel using this guide: https://support.sophos.com/support/s/article/KB-000035813?language=en_US#GRE_route. This seems to be functioning and I can ping the remote gateway from the Sophos Firewall (as long as I do not select an interface under Diagnostics > Tools > Ping).

The difficulty that I am currently having is that I can't seem to find a way of routing SMTP traffic to the GRE tunnel. As this is a GRE tunnel, nothing for it shows in the control panel so I am not sure how to route this traffic as there is no visible interface for this tunnel.

GRE / IPIP is the only option that I have at the moment and routing SMTP through the X4B tunnel is supported, I just don't know how to configure this on the Sophos Firewall.

I have tried creating a NAT rule but every time I send an email to the Sophos Firewall, it's sent out via the WAN port instead of the GRE tunnel.

I'd really appreciate any help that could be given. I've spent days on this and I am really unfamiliar with the Sophos Firewall as I am still currently using the Sophos UTM and haven't yet moved over fully to the Sophos Firewall.

Cheers,
Richard



Added TAGs
[edited by: Raphael Alganes at 1:04 AM (GMT -8) on 19 Feb 2024]
Parents
  • Hello  

    What's the route you have added for GRE, if its specific subnet then X4B.net might be expecting you to forward all traffic to them (i.e. default route need to be added)

    With GRE, you can only add static routes and policy routing (specific service based routing - SMTP in your case) is not possible. alternatively you can opt for route based VPN and then create SD-WAN policy routes for your requirement.

    Hardik R 
    If a post solves your question use the 'Verify Answer' link.

  • Hi Hardik,

    Thank you for getting back to me. The route that I added for GRE was 10.16.0.124/255.255.255.252. I did this with the following command: system gre route add net 10.16.0.124/255.255.255.252 tunnelname gre.

    X4B.net supplied me with the following info for the tunnel:

    Internal IP Role
    10.16.0.124/30 Network
    10.16.0.125 Unified Gateway
    10.16.0.126 Bound via NAT to ***.**.***.**
    10.16.0.127 Broadcast


    I created the GRE tunnel with the following command:

    system gre tunnel add name gre local-gw PortB remote-gw ***.**.***.** local-ip 10.16.0.126 remote-ip 10.16.0.125.

    X4B.net also give a script to add the tunnel to a Windows / Linux environment, but doing this would (I think) stop me from being able to use the email protection feature on the Sophos Firewall, as everything would be done within the server hosting Exchange.

    Regards,
    Richard

  • Hello Richard,

    According to this config, firewall will only forward traffic destined for 10.16.0.124/255.255.255.252 to GRE tunnel and other traffic will still pass through regular WAN gateway.

    I assume you have followed the article from X4B.net related to mikrotik router in which they are adding the default route (0.0.0.0/0)


    So you have 2 option:

    1. Forward all traffic to GRE 
    2. Opt for route based VPN and then create SD-WAN policy routes for your requirement to route specific SMTP traffic to X4B.since With GRE, you can only add static routes and policy routing (specific service based routing - SMTP in your case) is not possible.

    Hardik R 
    If a post solves your question use the 'Verify Answer' link.

  • Hi Hardik,

    Thank you for getting back to me and with the suggestions, I really appreciate it. I am just trying to get my head around this but really struggling with the lack of support from X4B. They don't appear to want to help or answer my question if port 25 needs administrator approval or not from their end. I discovered one of their guides that stated that some ports below port 80, require approval at their end.

    I think what is making this process most confusing is that I still have a Sophos UTM in the middle of this. I only have one WAN connection and that is connected to the Sophos UTM. I then have the Sophos Firewall running as a VM with the WAN port on the DMZ network. I have tried creating a DNAT rule on the Sophos UTM, to direct all GRE traffic from the WAN port, to the IP of the WAN port of the Sophos Firewall. I can see when I try to ping the tunnel from the X4B side, that the ping hits the WAN port of the Sophos UTM and then the DNAT rule moves it over to the Sophos Firewall. I can see this in the connection list on the Sophos Firewall as well, but the ping from the X4B end shows as failed. I think I need a NAT rule on the Sophos Firewall to route it back through to the Sophos UTM?

    The Sophos Firewall is really confusing me a bit as Sophos UTM didn't have zones etc. and I am really struggling to get my head around this. It's also quite difficult not to have a live firewall log any more, I'll miss the live firewall log from the Sophos UTM... really useful when trying to diagnose something!

    I really think I'm not going to be able to achieve what I am trying to achieve as I have zero support from the X4B side. I can currently ping the tunnel from the Sophos Firewall, but can't ping the tunnel from the X4B side. I tried option 2 from your list and I can see from the log that SMTP traffic is being sent to the GRE tunnel, but the email gets bounced and I don't see anything on the Sophos UTM firewall log (it's as if it isn't leaving the Sophos Firewall? / Doesn't know how to?) Also, when I add the route with 0.0.0.0/0.0.0.0, I can then no longer ping the tunnel from the Sophos Firewall. If I delete that route, the ping is then successful again.

    I've nearly spent a month on this now trying to get this to work, I just wish there was a guide from start to finish on setting up a GRE tunnel through NAT and routing traffic through it on the Sophos Firewall.

    Cheers,
    Richard

Reply
  • Hi Hardik,

    Thank you for getting back to me and with the suggestions, I really appreciate it. I am just trying to get my head around this but really struggling with the lack of support from X4B. They don't appear to want to help or answer my question if port 25 needs administrator approval or not from their end. I discovered one of their guides that stated that some ports below port 80, require approval at their end.

    I think what is making this process most confusing is that I still have a Sophos UTM in the middle of this. I only have one WAN connection and that is connected to the Sophos UTM. I then have the Sophos Firewall running as a VM with the WAN port on the DMZ network. I have tried creating a DNAT rule on the Sophos UTM, to direct all GRE traffic from the WAN port, to the IP of the WAN port of the Sophos Firewall. I can see when I try to ping the tunnel from the X4B side, that the ping hits the WAN port of the Sophos UTM and then the DNAT rule moves it over to the Sophos Firewall. I can see this in the connection list on the Sophos Firewall as well, but the ping from the X4B end shows as failed. I think I need a NAT rule on the Sophos Firewall to route it back through to the Sophos UTM?

    The Sophos Firewall is really confusing me a bit as Sophos UTM didn't have zones etc. and I am really struggling to get my head around this. It's also quite difficult not to have a live firewall log any more, I'll miss the live firewall log from the Sophos UTM... really useful when trying to diagnose something!

    I really think I'm not going to be able to achieve what I am trying to achieve as I have zero support from the X4B side. I can currently ping the tunnel from the Sophos Firewall, but can't ping the tunnel from the X4B side. I tried option 2 from your list and I can see from the log that SMTP traffic is being sent to the GRE tunnel, but the email gets bounced and I don't see anything on the Sophos UTM firewall log (it's as if it isn't leaving the Sophos Firewall? / Doesn't know how to?) Also, when I add the route with 0.0.0.0/0.0.0.0, I can then no longer ping the tunnel from the Sophos Firewall. If I delete that route, the ping is then successful again.

    I've nearly spent a month on this now trying to get this to work, I just wish there was a guide from start to finish on setting up a GRE tunnel through NAT and routing traffic through it on the Sophos Firewall.

    Cheers,
    Richard

Children
No Data