
Loopback for Firewall in LAN (behind Home Router)

Hi Sophos Community

After a lot of trial and error I'm hoping you can help me find a solution to my scenario:

 

In my home setup I have the WAN interface of the Sophos in a transit network. My ISP router forwards any traffic to the Sophos.
Now I would like to create a loopback rule to be able to access my services via my external (dynamic) IP.

The transit network makes this difficult as it seems. I can't get it right.
Here is my NAT-Rule after my last try:



Do you have any idea on how to solve this? Is this even possible?

Best Regards



  • Mostly, accessing the external IP of the ISP router from the internal network and forwarding the traffic back to the firewall didn't work.

    My solution: create an internal DNS entry for the internal host ... or, if you wish to use the FW WAF, a DNS entry pointing to the external FW IP (10.255.255.253)

    (FW-DNS entries are used before trying external DNS)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

    • Hello Dirk

      Thanks for your answer on this. A pity that you are telling me exactly what I was afraid of.

      I'm already resolving to internal DNS entries, but this comes with a few shortcomings. It seems that I will have to live with that or need to get a business contract with the ISP.

      • Hello,
        what shortcomings do you see that a business contract with the ISP could solve?
        Perhaps there is a solution or workaround?


        Dirk


        • With the provider I am with at the moment I could get a business router which is able to go into bridge mode and additionally brings the option of a static IP.
          Alternatively I could change to a provider which offers the use of "bridgeable" routers.
          With this I could eliminate the transit network.

          Kilian

      • I think, if your ISP router is able to provide hairpin NAT, it shouldn't be a problem.

        On the other hand, you need a DNAT rule and have to allow incoming traffic from WAN on Port A.

        But I think split DNS is the better solution as dirkotte wrote.

        BR Gerd
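As an added illustration of the loopback (hairpin) NAT mechanism discussed in Gerd's and Dirk's replies, not code from the thread or from Sophos, the following Python model shows why a DNAT rule alone is not enough when the client and the server sit on the same LAN: without a source translation the server's reply bypasses the firewall and the client discards it. All addresses are constructed, and the firewall is assumed to hold the public IP itself (the transit-network case from the original question is not modelled).

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses for the simulation (not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.10"    # firewall's external (WAN) address
FW_LAN_IP = "192.168.1.1"     # firewall's LAN address, the LAN default gateway
SERVER_IP = "192.168.1.50"    # internal web server behind the DNAT rule
LAN_CLIENT = "192.168.1.20"   # LAN client connecting to the public IP

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def translate(pkt: Packet, with_snat: bool) -> tuple[Packet, Packet]:
    """Loopback NAT on the firewall: DNAT public IP:443 to the server and,
    when with_snat is set, SNAT the client to the firewall's LAN address.
    Returns (translated packet, original packet) so the reply can be undone."""
    out = replace(pkt, dst=SERVER_IP)            # DNAT: public IP -> server
    if with_snat:
        out = replace(out, src=FW_LAN_IP)        # SNAT: server must reply via us
    return out, pkt

def reply_reaches_firewall(reply: Packet) -> bool:
    """The server uses its gateway only for off-LAN destinations; a host on
    its own subnet is reached directly at layer 2, bypassing the firewall."""
    dst = ipaddress.ip_address(reply.dst)
    return reply.dst == FW_LAN_IP or dst not in LAN_NET

def client_accepts_reply(with_snat: bool) -> bool:
    """True when the LAN client gets a reply matching the 4-tuple it opened."""
    syn = Packet(LAN_CLIENT, 40000, PUBLIC_IP, 443)
    fwd, orig = translate(syn, with_snat)
    reply = Packet(SERVER_IP, 443, fwd.src, fwd.sport)  # server answers what it saw
    if reply_reaches_firewall(reply):
        # The firewall undoes both translations using its connection entry.
        reply = Packet(orig.dst, orig.dport, orig.src, orig.sport)
    # Without SNAT the reply arrives straight from 192.168.1.50, which does not
    # match the connection the client opened to 203.0.113.10, so it is dropped.
    return (reply.src, reply.sport, reply.dst, reply.dport) == (PUBLIC_IP, 443, LAN_CLIENT, 40000)

if __name__ == "__main__":
    print("DNAT only:", client_accepts_reply(False))   # False
    print("DNAT + SNAT:", client_accepts_reply(True))  # True
```

Split DNS, as Dirk suggests, sidesteps the problem entirely: the client resolves the name to 192.168.1.50 and no translation is needed.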