
Moving from UTM to SFOS - Want to remove NAT

Hi Folks,

I'm moving from UTM to SFOS. Getting it set up with the basics was all fine, but something I've been wanting to try for a while was to remove the masq rules, as the Sophos is my back firewall in a back-to-back config. I ran into an issue, though, whereby I can't ping the front firewall; I keep getting "ICMP packets with invalid ICMP type/code".

I can set up and ping the WAN interface just fine, and this worked fine in UTM9 as well, even with its masq rules disabled, but not so in SFOS. I figure I've missed something obvious in the setup.

I found an example diagram which will work for the setup I want to try. Basically I don't want NAT rules, and I can't ping from 10.40.0.10 to 172.16.0.40. I get the message above with an any/any rule on the firewall. The source of the error is 172.16.0.40.

All the traffic for the internet works, it would seem, because it hits the default SNAT rule that was created. I don't want these rules; I'd like the front firewall to be the only one doing NAT and the Sophos to just route between.

Any ideas on what I'm missing here?



  • Righto, so some PEBKAC. If I disabled the NAT rules, ping worked just fine for the main network, in this case 10.40.0. In the switch routing, though, I'd given an IP to the switch for the 172.16 network, so it was trying to use that path. Removed it and everything is flowing correctly as it should. Disabled all the test rules I'd been playing with and it's all functioning just on routing, with the default firewall rule also applying correctly.

    Cheers,
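The root cause above is a routing-table problem rather than a NAT one: once the switch held an address on the 172.16 network, it owned a connected route for that prefix, and a connected route always wins a longest-prefix match against the default route pointing at the Sophos. The following added example (not code from the thread or from Sophos) models that with a small longest-prefix-match lookup and walks the forwarding path for a packet from 10.40.0.10 to 172.16.0.40 before and after the stray route is removed. The /24 prefix lengths, the device names and the next-hop labels are assumptions made for illustration; only the 10.40.0.x and 172.16.0.x addresses come from the thread.

```python
import ipaddress

# Routing tables as (prefix, next_hop) pairs. "connected" means the device
# delivers on its own interface instead of forwarding to another router.
# Prefix lengths (/24) are assumed; the thread only names the two networks.
SWITCH_BEFORE = [
    ("0.0.0.0/0", "sophos"),        # default route towards the Sophos LAN side
    ("10.40.0.0/24", "connected"),  # the main network
    ("172.16.0.0/24", "connected"), # the stray switch IP on the 172.16 network
]
SWITCH_AFTER = [
    ("0.0.0.0/0", "sophos"),
    ("10.40.0.0/24", "connected"),
]
# The Sophos sits between the two networks and routes without NAT
# (assumed layout, consistent with the back-to-back description).
SOPHOS = [
    ("10.40.0.0/24", "connected"),
    ("172.16.0.0/24", "connected"),
]

TOPOLOGY_BEFORE = {"switch": SWITCH_BEFORE, "sophos": SOPHOS}
TOPOLOGY_AFTER = {"switch": SWITCH_AFTER, "sophos": SOPHOS}


def next_hop(routes, dst):
    """Longest-prefix match over a routing table.

    Returns (prefix, next_hop) for the most specific matching route, or None
    when nothing matches. Ties on prefix length keep the first entry.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


def forward_path(topology, start, dst):
    """Return the list of devices that handle a packet to dst, starting at start.

    Walks next-hop names until a device has a connected route (it delivers
    directly) or no route at all (dropped). A loop guard stops runaway paths.
    """
    path = []
    device = start
    while device is not None and device not in path:
        path.append(device)
        match = next_hop(topology[device], dst)
        if match is None or match[1] == "connected":
            break
        device = match[1]
    return path


if __name__ == "__main__":
    dst = "172.16.0.40"
    # With the stray 172.16 IP configured, the switch's connected route (/24)
    # beats the default route (/0), so the switch never hands the packet to the
    # Sophos; it tries to deliver on its own interface instead.
    print("before:", next_hop(SWITCH_BEFORE, dst), forward_path(TOPOLOGY_BEFORE, "switch", dst))
    # After removing it, only the default route matches and the Sophos routes
    # the packet onto the 172.16 network as intended.
    print("after: ", next_hop(SWITCH_AFTER, dst), forward_path(TOPOLOGY_AFTER, "switch", dst))
```

A quick way to confirm the same thing on real gear is to compare the switch's routing table for the 172.16 prefix with the default route and check which one is more specific; any entry more specific than the default will win regardless of what the firewall rules on the Sophos allow.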
