Firewall Rule Doesn´t Work Сorrectly

Sorry, but it looks like you’re missing some basic network-knowledge.

Your VMs can communicate because they’re within the same Network/Subnet. Within the same Subnet alle devices will communicate directly and do not route traffic through gateway.

Due to this - traffic will never pass your Sophos Firewall / Gateway.
Only Traffic to WAN will be sent there - that’s why blocking google works.

You should create another network on another Port of your Sophos Firewall and connect one VM to that Network.
Then traffic between those multiple internal networks can pass gateway/firewall.

Hello FFin. The fact is that I want to install an Ubuntu server in the DMZ, and do it in Sophos. And also the Windows 10 client must send traffic through this firewall, and the firewall must block this traffic that goes to the DMZ. The Ubunut server should be running in the DMZ and the traffic should be blocked.

I tried to do this without the DMZ, but if you’re right, then there really won’t be any traffic flowing through.

What configurations do I need to fix? Let's change the IP or ports.

Ok, so I have IP for the Port3. 10.0.0.10/24 for which virtual machine should I installю

So what IP I need to assign for the ubuntu server 

And for the Windows 10 

Keep Windows 10 as it is and then connect Ubuntu to Port C and give IP 10.0.0.10/24 with DNS & Gateway 10.0.0.254 (Sophos)

This configuration is correct? Will there be connection failures, since Sofos has IP 172.16.16.16 and will the connection work?

Looking good.

When you connect with PortC everything should be fine as Sophos has 10.0.0.254 in that network. So both are within same subnet.

But you might need another firewall-rule from DMZ to WAN. And of course LAN to DMZ and DMZ to LAN to communicate between Windows 10 and Ubuntu.

For some reason the ping is not working, is there something missing in the configuration or am I doing something wrong?

PortC says “unplugged” so you haven’t connected Ubuntu VM to Sophos PortC yet.

Now is connected, but ping doesn't work. Also I don't have internet in Ubuntu Server. I'm trying to connect www.google.com

Hello,

Have you modified the Drop all rule you put on top of the Rules?

Regards,

This is my "Rules and policies". At the moment I don´t have any active rules. May I create one of them or first try to connect from Ubuntu Server to the Sophos IP 172.16.16.16?

Create one Rule: Source Zone: DMZ, Network: Any, Destination Zone: WAN, Network: Any.

You will not reach Sophos WebAdmin on 172.16.16.16 from Ubuntu. Just 10.0.0.254 because that’s Sophos IP in Ubuntu Network.
But you need to allow Sophos Access from DMZ Zone in System - Administration - Device Access.

Then run ”traceroute 8.8.8.8” from Ubuntu and see how far it goes…

Hopefully Ubuntu is connected to PortC correctly

Create one Rule: Source Zone: DMZ, Network: Any, Destination Zone: WAN, Network: Any.

You will not reach Sophos WebAdmin on 172.16.16.16 from Ubuntu. Just 10.0.0.254 because that’s Sophos IP in Ubuntu Network.
But you need to allow Sophos Access from DMZ Zone in System - Administration - Device Access.

Then run ”traceroute 8.8.8.8” from Ubuntu and see how far it goes…

Hopefully Ubuntu is connected to PortC correctly

So I have create one this rule, it is correct? Are there any other policies created that may not be displayed if they have the automatic group role? So If you now how to display this rules.

This is tracert result.

Great - Trace is fine, so you have internet!

Now create Rule from Source Zone LAN to Destination Zone DMZ and try to ping/access Ubuntu (10.0.0.10) from Windows 10.

To expand grouped rules just press ‘+’ on the left of these groups. Or just delete them.

But google.com doesnt work

Then go to System - Administration - Device Access and enable DNS on DMZ Zone. That’s probably a name resolution problem and no internet issue, as trace was successfull.

So ping from windowd 10 to ubuntu it doesn't work. What I need to do?

Did you create a rule allowing traffic from LAN zone to DMZ zone to allow traffic?

Thanks, it s working now