Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BGP Routing: local UTM services use BGP Router address instead of BGP IP range

In this post is have reported (and solved) issues with our BGP configuration. There has been one thing however that I still havent been able to solve, so I'll need some help/suggestions again.

Our eBGP configuration is as follows:

Interface definition (eth4 and eth8 are going to be part of the eBGP Configuration):


The adresses here are the IP ranges that need to be transported via eBGP to the outside world.

Additional addresses set on those interfaces are:

The 213.126.x.x additonal addresses are for creating the eBGP connection.

We have two neighbors:

Both neighbors are part of the same ASN. Our local ASN is 65000. 

As this is a connection between only two AS's, multiple AS is set off in the UTM. The eBGP Connection itself works succesfully:

The BGP1 and BGP2 networks have ranges and respectively.

As described in my other post, communication from any device behind the UTM is working succesfully, thanks to using masquerade and SNAT rules.

However, I am not able to communicate to the outside world from the UTM directly. For instance: If I set a DNS forwarder to, UTM is not able to connect to that DNS server and all requests outside our local domain cannot be resolved if UTM is used as a DNS server.

Same issue with proxy. 

I can solve the DNS issue by pointing the forwarder in UTM to an internal DNS server and have that server communicate with external DNS (cringe...). However, I cannot do the same for proxy requests.

Checking the proxy logs, I can see that request for external sites are dropped because of connection timeouts.

I tried a traceroute from CLI and got the following response:

To me, it looks like UTM is trying to use the BGP connection addresses instead of the BGP IP ranges to reach the outside world. TCPDUMP confirms this. That would explain, but how can I change this behaviour?
On the CLI I can use traceroute -S or ping -I to change the originator address and this works perfectly:

But I cannot find a way (either in CLI or GUI) to have UTM use that address as an originating address for traffic that originates from UTM itself.

As this is the final puzzle piece in our configuration I hope that someone can give me a hint to get this working :)




This thread was automatically locked due to age.
  • Hoi Karl-Heinz,

    What SNATs did you try?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • O...  My.... God.... Am I  a n00b or what...

    I cannot believe it would be that simple.

    I did not try SNAT for those particular addresses because I reasoned that this would prevent BGP to work (as SNAT would alter the address that would connect to the destionation AS).

    I appears that is NOT the case. With SNAT in place, pointing to an address within the BGP destination range, BGP still connects to the routers of the other AS and all communication from UTM to the outside world now seems to be working.

    So now, some testing will be done to see if this all keeps working in case of failover and fallback. But it seems that we finally have everything working as planned.

    Once all tests are complete, I could post a complete HOWTO here if anyone is interested?

    Thanks Bob! This made my day :)