
Struggling a bit with WAN to LAN access

I have just installed UTM 9 on my home network.

 

Interfaces configured as below

I have configured NAT Masq as below

From my "Internal" network I have no problems accessing machines on the internal network, or on the "Internet" interface ( even hosts on the internet as the G/W for my "Internet" interface is my cable modem).

 

From my "Internet" network I am unable to access any host on the "Internal" network.

I have created an open rule as below - but I still can't access my "Internal" hosts from the "Internet" network

 

Any ideas on what I might be missing?

 

David



  • You should declare victory and stop, because your problem configuration is secure and your intended configuration is not.

    The Masquerading rule only applies to outbound connections.   A DNAT rule will allow you to map incoming traffic on a specific port to a specific internal address and port.   Any-to-any is not possible by any method because you have one Internet address and multiple internal addresses, so there is ambiguity.

    If you enable any form of remote access, assume that the bad guys on the other side of the planet will find it and attempt to use your devices for themselves.   Consequently, you should use UTM features for any remote access, such as SSL VPN, WAF, or HTML5 VPN.  You should also use One-Time Password for remote access, to prevent password guessing attacks.

    If another device is already providing perimeter security, then you need to clarify what UTM is supposed to accomplish.   Perhaps you should configure UTM in bridge mode behind that device.

    Read the Wiki articles to understand UTM architecture and design issues that are not in the manual or help system.
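The distinction Douglas draws between Masquerading and DNAT can be seen in a small toy model of the packet flow. This is an added illustration, not code from the thread or from Sophos UTM; the addresses and port numbers are placeholders, and the simplified connection table stands in for UTM's real conntrack state.

```python
"""Toy model: why a masquerade rule never admits unsolicited inbound traffic,
while a DNAT rule admits exactly one (port -> internal host) mapping.
Constructed example; IPs/ports are placeholders, not a real configuration."""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"  # placeholder address on the "Internet" interface


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ToyNat:
    def __init__(self, dnat_rules=None):
        # Masquerade state: (remote ip, remote port, wan port) -> (lan ip, lan port).
        # Entries exist ONLY because a LAN host opened a connection outbound.
        self.masq_table = {}
        self.next_port = 40000
        # DNAT rules the admin created: wan dst port -> (lan ip, lan port).
        self.dnat_rules = dict(dnat_rules or {})

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the WAN address and remember it."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.masq_table[(pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: forward only a reply to a masqueraded flow or a DNAT hit.
        Returns the translated packet, or None when the packet is dropped."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.masq_table:  # reply to a connection the LAN started
            lan_ip, lan_port = self.masq_table[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.dnat_rules:  # explicit inbound port mapping
            lan_ip, lan_port = self.dnat_rules[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # One WAN address, many LAN hosts: with no mapping there is no way to pick
        # a destination, so an "any to any" firewall rule has nothing to allow.
        return None
```

An allow rule in the firewall only decides whether an already-translated packet may pass; it cannot supply the missing destination, which is why the open rule in the original post changes nothing for unsolicited inbound traffic.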

  • Hi Douglas,

    Thanks for your reply.

    What I'm thinking of implementing is the following;

    Sophos UTM primarily for protection for internal users accessing the internet via browsing etc, and also to do some traffic monitoring, shaping and QoS - primarily to make sure my and my wife's bandwidth is preserved! So Sophos UTM is really for outbound protection.

    The firewall and routing functions inbound I plan to do with pfSense, downstream from the UTM, mainly to segment my network further and to support VLANs and my VMware environment.

    David

  • David, I don't think you will be able to do what you think you want with the UTM and that you should just stick with the pfSense.  The systems' metaphors are significantly different and you have so much to learn with the UTM that you will decide to delete the pfSense once you learn how to harness the power of WebAdmin for the UTM.  In any case, good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA