
How to configure additional IP addresses?

Hi all,

I'd appreciate some help on this matter. Basically, we have purchased an extra range of IP addresses from our ISP which we want to apply to different webservers.

Now the way I thought this was done on the UTM, and the way that others have detailed in this forum, is to add each static public IP in the 'additional addresses' section on the UTM for the correct interface. Then you would go and create a DNAT rule to forward traffic coming from a particular 'additional IP' to a certain server.

Now I have tried and done the above with no success; I am just not able to access the webserver externally. I know it's nothing to do with the webserver, as if I flick the DNAT rule over to the single static IP we used to have then it works fine, so it must be a configuration issue with the additional IPs.

I've attached two screenshots of the config in case anyone can spot an error. I'd appreciate any suggestions.

  • With additional interfaces:

    1. Add as you have done, making sure the additional interface IP is on the same interface as the parent interface, e.g. if your ISP WAN is on interface eth2, make sure the additional IP is on the same interface.
    2. Make sure it's turned on and double check the subnet mask etc.

    With the DNAT:

    traffic from: ANY
    Using service: HTTPS
    Going to: your additional IP address

    Change to: your internal server private IP address
    And the service to: leave blank unless it's different from above

  • Thanks for the suggestion Louis.

    I've configured as you suggested and don't seem to be any further forward. I get a feeling this may be an issue with the router not presenting the additional IPs to the UTM rather than a UTM config.

    James

  • You have a router in front of the UTM? I notice that it's Zen (which I use for home)

    Is it the white modem that BT supply? That would just act as a bridge. If you have another router, you may have to configure it for passthrough so it acts as a bridge and allows the additional IPs through. Alternatively, you could double NAT and use the network between the two as a DMZ etc.

    What you are after can be done, just need to know what is in front of the UTM.

  • Hi James and welcome to the UTM Community!

    Always use /32 with Additional Addresses.

    Confirm that your Host object in 'Change the destination to' doesn't violate #3 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Louis-M said:

    You have a router in front of the UTM? I notice that it's Zen (which I use for home)

    Is it the white modem that BT supply? That would just act as a bridge. If you have another router, you may have to configure it for passthrough so it acts as a bridge and allows the additional IPs through. Alternatively, you could double NAT and use the network between the two as a DMZ etc.

    What you are after can be done, just need to know what is in front of the UTM.

    Yes we have Zen, but we are using the FritzBox that Zen supply for the router. After some further research it looks like I'll need to configure either a bridge passthrough or possibly allow the UTM to log in directly using PPPoE?

    James

  • BAlfson said:

    Hi James and welcome to the UTM Community!

    Always use /32 with Additional Addresses.

    Confirm that your Host object in 'Change the destination to' doesn't violate #3 in Rulz.

    Cheers - Bob


    Thanks Bob,

    I've confirmed all addresses are using the /32 notation and I have confirmed I am not violating rule 3 :)

    That's it. There's a good chance that the FritzBox is NATting etc. and blocking those IPs. I would put it in passthrough/bridge and configure your PPPoE on the UTM.

    That changes the FritzBox into a kind of dumb terminal, so if you have anything else on there, e.g. IP phones etc. plugged in directly, you may have to consider those, as the FritzBox will probably lose all of its functionality.

    Alternatively, you could remove the FritzBox and put a VDSL modem in front, e.g. Draytek Vigor 130 or similar, which is basically a PPPoE bridge.
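  • The two checks the thread converges on (Bob's "always /32 on the same interface" and Louis's "is the box in front even passing the extra range through?") can be scripted. The script below is an added example, not Sophos code and not the poster's configuration. It assumes shell access to a Linux box (the UTM is Linux underneath), a WAN interface named eth2, and three hypothetical additional addresses from the RFC 5737 documentation range; the `ip` and `tcpdump` output it parses is constructed so it runs offline, and on a real box you would substitute the live output of the two commands named in the comments.

```shell
#!/bin/sh
# Added example for the thread above; not Sophos code and not the poster's
# config. Assumes a Linux box (the UTM is Linux underneath), WAN interface
# eth2, and hypothetical additional addresses from the RFC 5737 range.
# All command output below is constructed so the script runs offline.

WAN_IF="eth2"
ADDITIONAL_IPS="203.0.113.10 203.0.113.11 203.0.113.12"

# Constructed output of:  ip -o -4 addr show dev "$WAN_IF"
# .10 is correct (/32 secondary), .11 was entered with the ISP's /29 mask,
# .12 is not configured at all.
IP_ADDR_OUTPUT='2: eth2    inet 203.0.113.2/29 brd 203.0.113.7 scope global eth2
2: eth2    inet 203.0.113.10/32 scope global secondary eth2
2: eth2    inet 203.0.113.11/29 scope global secondary eth2'

# Constructed output of:
#   tcpdump -ni "$WAN_IF" 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 443'
# captured while a test client connected to each address in turn. Only the
# original static address and .10 ever see a SYN; .11 and .12 get nothing,
# which is what a router in front that drops the extra range looks like.
TCPDUMP_OUTPUT='12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.2.443: Flags [S], seq 1, win 64240, length 0
12:00:01.500000 IP 198.51.100.7.51235 > 203.0.113.10.443: Flags [S], seq 2, win 64240, length 0
12:00:02.000000 IP 198.51.100.8.40000 > 203.0.113.2.443: Flags [S], seq 3, win 64240, length 0'

# addr_status OUTPUT IP -> prints OK, WRONG_MASK/<len> or MISSING
addr_status() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $3 == "inet" {
            split($4, a, "/")            # "203.0.113.10/32" -> host, prefix length
            if (a[1] == ip) { found = a[2] }
        }
        END {
            if (found == "")        print "MISSING"
            else if (found == "32") print "OK"
            else                    print "WRONG_MASK/" found
        }'
}

# syn_count OUTPUT IP -> number of inbound SYNs addressed to IP
syn_count() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 == "IP" && $4 == ">" {
            split($5, p, ".")            # "203.0.113.10.443:" -> four octets + port
            dst = p[1] "." p[2] "." p[3] "." p[4]
            if (dst == ip) c++
        }
        END { print c + 0 }'
}

# diagnose -> one line per additional address:
#   <ip> <config status> syn=<n> <verdict>
# A SYN that never reaches the WAN interface cannot be fixed by a DNAT rule;
# that points at whatever sits between the ISP and the UTM, as the thread
# concluded. A SYN that does arrive while the service is still unreachable
# points at the UTM side (the additional address or the DNAT rule).
diagnose() {
    for ip in $ADDITIONAL_IPS; do
        status=$(addr_status "$IP_ADDR_OUTPUT" "$ip")
        syns=$(syn_count "$TCPDUMP_OUTPUT" "$ip")
        if [ "$syns" -eq 0 ]; then
            verdict="no SYN seen on $WAN_IF: check the device in front of the UTM"
        elif [ "$status" != "OK" ]; then
            verdict="traffic arrives but the additional address is wrong on the UTM"
        else
            verdict="traffic arrives and address is correct: check the DNAT rule"
        fi
        printf '%s %s syn=%s %s\n' "$ip" "$status" "$syns" "$verdict"
    done
}

diagnose
```

    Run the `tcpdump` line on the UTM's WAN interface while connecting from outside to each additional address in turn; the capture is the decisive test, because a SYN that never appears on eth2 was dropped by the FritzBox (or the ISP) before the UTM's address or DNAT configuration could matter.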

  • I think I'll look at configuring the tunnel then, as I am not using the FritzBox for anything else; everything is on the other side of the UTM. Preferably I'd not fork out for a Draytek just to have it sit there and bridge a connection; hopefully the FritzBox can do what is needed.