Sophos UTM Routing between 2 networks

Question

Hello.

I have in my esx demo lab the following settings:

DPortGroupDemo (192.168.200.0/24)

DPortGroupFreren (172.22.0.0/20)

DPortGroupFreren has

an AD Server with DHCP/DNS role with IP 172.22.0.2. That DNS Server forwards to 172.22.0.1 (Fritz! Router). Gateway is 172.22.0.1,too.

One Networkcard from the Sophos UTM with the IP 172.22.1.18

DPortGroupDemo

Has an AD Server with DHCP/DNS role with IP 192.168.200.1. DNS Forwarding to 192.168.200.2. Gateway is set to 192.168.200.2, too.

One Networkcard from the Sophos UTM with the IP 192.168.200.2.

I need the following.

Routing between both PortGroups must been granted. Except DHCP services. They must stick to their own Portgroups.

DNS must work from DPortGroupDemo -> DPortGroupFreren at least. Both sides would be ok.

Port 1688 must be forwarded from DPortGroupDemo -> DPortGroupFreren. //<<--- Do i just have to place a NAT roule for that?

I tried to add a Firewall Rule ANY - ANY - ANY and thought for test purposes i should be able to connect from the DPortGroupFreren to DPortGroupFreren with RDP. But ping doesnt get through. And RDP Session cant be established.

Here are my settings.

Maybe its easy to config for you.. i hope so at least... :) Any help is appreciated!

This thread was automatically locked due to age.

Jaydeep · Accepted Answer

Hi Andreas Schulte 
 You have configured your PortGroups on your ESX. How do you want to allow it in UTM though? It can be done using the firewall given that UTM Interfaces are configured properly and there's no scope of asymmetric routing. 
 Regarding DNS, you should configure the Eth1 network in Allowed Networks for DNS and configure the DNS server from DPortGroupFreren in DNS forwarders, which I see you've already done. 
 Regarding Port 1688, you should create a Firewall rule to allow that traffic from the Internal network to Outside. You should also configure the Masquerading rule for that.