Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

force outgoing through the xfrm interface

Hello, everyone.

I created a DNAT rule. I receive the communication on the local interface at the SFW's IP address on the LAN and translate it to another destination that is remote on the VPN. I force a SNAT with the SFW's IP address that is assigned to the xfrm interface.

In short, it looks like this:

Source: Any host
Service: TCP 8080
Destination: Interface PortA (IP 192.168.101.1)

Source: IP 172.16.0.1 (IP on the XFRM interface)
Service: Original
Destination: 192.168.102.1

Inbound: Any interface
Outbound: Any interface

I have a firewall rule created to allow this communication.

I capture the packets and see that the NAT and FW rules are correct and the traffic passes through. However, the outgoing interface is not XFRM, it is PortB, which is on the Internet. It should not go out through this interface, but through XFRM.

I noticed that the problem only occurs when it points to the IP of PortA, which is directly connected to Sophos. If I change it to any other destination that is not a Sophos interface, for example 192.168.101.10, the SNAT rule works.

What am I missing here?

The Sophos version is 19.5.1

Thanks for your support and time reading.



Edited TAGs
[edited by: Erick Jan at 12:12 AM (GMT -8) on 13 Nov 2024]
Parents
  • You should consider to update your firewall.

    And please read this:  Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR 

    The main takeaway: SFOS NAT will not change the routing decision. You still need routing + NAT to get your setup running. 
     

    __________________________________________________________________________________________________________________

  • Thank you for your time, LuCar Toni.

    Yes, I'm considering updating it soon. I just got caught in the eye of the storm in the environment in question.

    I also appreciate your document. I've already used it and several other recommended reading articles that you created. You do a great job for the community.

    I only use SD-WAN and I reach the destination normally through it.

    The source configuration is set to any. The destination is at redfe 192.168.102.0/24. I only have one GW, which is the one linked to xfrm.

    I can't mentally draw this packet flow when it is addressed to the IP directly from Sophos on the LAN interface, but if it doesn't go to the SFW, when it passes through any IP on my LAN, DNAT and MASQ work.

    This is how it works:

    src: any -> dst: 192.168.101.10 (SERVER ON LAN) PORT: 8080
    translates to:
    src: 172.16.0.1 (XFRM IP\as object) -> dst: 192.168.102.10 (SERVER IP ON VPN) PORT: 8080

    This way when I look at the capture I see the correct communication, it enters and leaves through xfrm.

    When I do it for the IP that is in the SFW, it doesn't work:

    src: any -> dst: 192.168.101.1 (SophosFW IP - PortA \ LAN) PORT: 8080
    translates to:

    src: 172.16.0.1 (XFRM IP\as object) -> dst: 192.168.102.10 (SERVER IP IN THE VPN) PORT: 8080

    This way it doesn't work and when I look at the capture it is going out through the PortB internet interface or instead of going out through the xfrm interface.

    I know that this is traffic generated by the system itself and so I may need to use the settings to force SNAT. However, I understand that I don't need to. My SDWAN rule is very comprehensive and I am using an IP directly used in the IPsec VPN connection interface.

  • Any other selection criteria in your SD-WAN route configuration which is making traffic to 192.168.101.1 to bypass (a snapshot would help) ? Also what is the route precedence configured in your SFW?

  • Thank you for your time.

    My criteria is set to: Static route, SD-WAN route, VPN route.
    I do not have any static routes configured.

    The SD-WAN rule to be used is the first one:

    Lines 2 and 3 are other VPNs to other Networks and talk to other Sophos. And finally, only public Internet addresses go out to the Internet.
    Rule Details:



    NAT RULES:

Reply Children
  • Hi @Gib GoDesk

    Pls try below configs (with reference to this setup):  client1---LAN---SFOS1<Initiator>-----wan---<Responder>SFOS2---LAN----client2

    * Firewall rule on SFOS1: Source zone:LAN, source networks: Any, Destination zone: VPN, Destination networks: LAN port of SFOS1 (PortA)

    * Firewall rule on SFOS2: allow VPN to LAN zone

    * NAT rule on SFOS1: 

    Original source: LAN n/w of SFOS1; Original destination: LAN port of SFOS1 (PortA)

    Translated source(SNAT): MASQ, Translated destination(DNAT): ip address 192.168.102.1

    Inbound interface: Any, Outbound interface: Any

    Original service or Translated service: as per your need

    * Use static route on SFOS1 to reach far end LAN via xfrm1; similarly on SFOS2