Enable Routing for public IP on the Lan Interface

Hello everybody!

Right now I have the situation where I want to have multiple public Servers behind a sophos virtual firewall.

For the Sophos i have a seperate public IP. I have a public IP Subnet for the servers that is routed via the public IP of the Sophos firewall.

I've directly assigned a public IP from the subnet to the Server on the Lan interface where the Subnet is configured. I tried to configure the routing so that I can access the Internet but I'm not sure how exactly i should configure it.

Does anyone have advice on how to solve this issue or should i take a different approach?

Thanks in advance!

Edited TAGs
[edited by: Erick Jan at 10:56 AM (GMT -7) on 12 Aug 2024]

Top Replies

apijnappels 1 month ago in reply to Luke Haase +2

When using the DNAT wizard you will also get the option to create a reflexive NAT rule to have the server use the specified IP when accessing the internet. Tick that option and make sure this NAT rule…

Parents

0 Erick Jan 1 month ago

Hi Luke,

Thank you for reaching out to Sophos Community.

Have you checked the packet to see if it’s being translated properly or routed?

You may also try to do a Port-forwarding

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Luke Haase 1 month ago in reply to Erick Jan

Hello Erick,

Thanks for the reply. I want to have the packets routed to the internal Interface so that i can use the individual public IP address of the servers.

When I try to ping another server outside of the subnet no packet seems to arrive.

How should I correctly setup the routing sot that packets get sent?

Thank you for your help.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Erick Jan 1 month ago in reply to Luke Haase
Hi,

Have you created a Firewall Rule and a NAT rule to translate the IP?

You may check the following KB regarding NAT :

Create a source NAT rule

Port Forward

NAT

Also, Sophos Assistance might help you configure your NAT.

Also, do a packet capture/TCPdump to check packets and the log viewer for errors.

Sophos Firewall: How to TCPdump
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Luke Haase 1 month ago in reply to Erick Jan

Hello Erick,

I've now created a Firewall Rule and a NAT for the public IP to an internal IP. I've assigned the public IP to an alias on the wan Interface.

Using the tcpdump i can see that the traffic arrives at the server with the internal IP and gets sent back. I can see in the tcpdump on the Firewall that the traffic from the internal IP to the Internet gets translated and the source changes to the public ip. Unfortunately no packet arrives on the client. I can also see on the NAT rule overview that the Reflexive NAT Rule doesn't report any usage.

Let me know if you have an idea.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Luke Haase 1 month ago in reply to Erick Jan

Hello Erick,

I've now created a Firewall Rule and a NAT for the public IP to an internal IP. I've assigned the public IP to an alias on the wan Interface.

Using the tcpdump i can see that the traffic arrives at the server with the internal IP and gets sent back. I can see in the tcpdump on the Firewall that the traffic from the internal IP to the Internet gets translated and the source changes to the public ip. Unfortunately no packet arrives on the client. I can also see on the NAT rule overview that the Reflexive NAT Rule doesn't report any usage.

Let me know if you have an idea.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 apijnappels 1 month ago in reply to Luke Haase

When using the DNAT wizard you will also get the option to create a reflexive NAT rule to have the server use the specified IP when accessing the internet. Tick that option and make sure this NAT rule comes before your general SNAT rule for all other clients.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel
0 PhilippRusch 1 month ago in reply to Luke Haase

Do you want to use the server IPs form clients behind the firewall? And these are in a different zone / at a different interface?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Luke Haase 1 month ago in reply to apijnappels

I already did that and for some reason it doesn't work...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Luke Haase 1 month ago in reply to PhilippRusch

My original approach to this was to use NAT. But after that didn't work i switched to routing which still doesn't work aswell.

On my second approach I gave the Servers behind the firewall an IP from our public IP Subnet. Then I switched to routing which unfortunately didn't work aswell.

I may have a solution but I will have to try it first. I will keep you updated!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel