I have a weird routing problem and don't know how to configure routing properly to solve it.
First of all, I'm the administrator of a company which uses a Sophos SG 135 with Sophos UTM 9.707-5 firmware. The firmware is up to date.
To explain the problem, I've created a simplified schema of our current network setup:
For accessing the internet, we have two interfaces defined in the UTM. "Interface1" (Default GW enabled) points to a transfer network between the firewall and the router which is placed before the firewall and NATs/routes all traffic from the public IP via the "Exposed Host" configuration to the UTM (destination 192.168.178.2).
For legacy purposes, there is a second interface "Interface2" which gets its public IP directly from the ISP. Default GW is also enabled. We have configured an Uplink Group to manage the outgoing traffic, but that's not relevant for the problem. This gateway gets its IP and network directly from the ISP (dynamic IP).
We host some websites on the server "Webserver" behind the UTM and forward all the traffic from "Uplink Primary Addresses" to our webserver. The target IP of all hosted websites is always "126.96.36.199" (aka "Interface1").
If a packet is received at the public IP of the "FritzBox", the target address will be NAT'ed to the IP of the UTM (192.168.178.2) and the packet will be forwarded. This has worked perfectly for a few years for all users except some users who get an IP from the network of Interface2.
In some rare cases, a user from outside receives a public IP from the same ISP as "Interface2", within the same network as "Interface2", in this example "188.8.131.52".
I've debugged the issue with tcpdump and realised that the incoming traffic from "184.108.40.206" is forwarded from the "FritzBox" to the firewall and then forwarded again to the webserver. So far so good.
Then the return traffic won't be routed back via Interface1; instead it is routed via Interface2. This prevents the connection from being established correctly and the user won't get the website displayed.
The automatically created route for Interface2 looks like:
220.127.116.11/24 dev eth2 proto kernel scope link src 18.104.22.168
I've tried to add a policy route to prevent this issue:
Route Type: Interface
Source Interface: Interface1
Source Network: Network of Interface2
Service: Any
Destination Network: Any
Target Interface: Interface1
This should match exactly the described situation, but it won't work. The traffic is still routed via Interface2 instead of Interface1, which was the source of the packet. My guess is that the local interface route for Interface2 (eth2) has a higher priority than the added policy route. Am I right?
So now, hopefully somebody here can help me with this issue. If you need more information or screenshots, please let me know.
Thanks a lot!
As far as I know, a "directly connected" subnet beats all other routes.
I would ask the ISP to assign a small subnet instead of an IP in a large one.
This is not a good practice. But I've already seen that.
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
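To make the two points in this thread concrete (the return traffic leaving via Interface2 because the connected /24 is the most specific route, and what a source-based policy rule changes), here is a small model of Linux-style route selection. It is an added example, not code from the thread or from Sophos, and it does not model how Sophos UTM orders its own policy routes against kernel routes. The addresses are constructed from the RFC 5737 documentation range except 192.168.178.2 (the UTM's Interface1 address from the post); 192.168.178.1 is assumed to be the FritzBox, and the reply is assumed to carry 192.168.178.2 as its source when the routing decision is made (i.e. after conntrack has reversed the DNAT).

```python
"""Model of longest-prefix-match routing plus source-based policy rules.

Added example for the asymmetric-return problem discussed above; it is not
code from the thread or from Sophos.  Addresses are constructed (RFC 5737
range for the ISP subnet); 192.168.178.1 is assumed to be the FritzBox.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dst: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None  # None means a directly connected subnet


@dataclass(frozen=True)
class Rule:
    """Like `ip rule add from <src> lookup <table>`: pick a table by source address."""
    src: IPv4Network
    table: str


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the most specific route wins, so a directly
    connected /24 beats the /0 default route no matter where it sits in the table."""
    matches = [r for r in table if dst in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen, default=None)


def select_egress(rules: List[Rule], tables: Dict[str, List[Route]],
                  src: IPv4Address, dst: IPv4Address) -> Optional[str]:
    """Policy routing: rules are tried in order; the first matching rule whose
    table has a route for dst decides.  Without a matching rule, fall back to main."""
    for rule in rules:
        if src in rule.src:
            route = lookup(tables[rule.table], dst)
            if route is not None:
                return route.dev
    route = lookup(tables["main"], dst)
    return route.dev if route is not None else None


# --- constructed topology -------------------------------------------------
UTM_IF1 = IPv4Address("192.168.178.2")       # from the post: UTM address behind the FritzBox
FRITZBOX = IPv4Address("192.168.178.1")      # assumed FritzBox address (transfer network)
ISP_NET = IPv4Network("203.0.113.0/24")      # constructed: Interface2's ISP subnet
CLIENT = IPv4Address("203.0.113.77")         # constructed: outside user inside that same subnet

# The main table as the kernel builds it: two connected subnets and the default via Interface1.
MAIN: List[Route] = [
    Route(IPv4Network("192.168.178.0/24"), "eth1"),
    Route(ISP_NET, "eth2"),                              # auto-created "proto kernel scope link" route
    Route(IPv4Network("0.0.0.0/0"), "eth1", FRITZBOX),   # default gateway via the FritzBox
]


def reply_egress_without_policy() -> Optional[str]:
    """Reply from the UTM (src already un-DNATed to 192.168.178.2) to the client:
    only the main table is consulted and the connected /24 wins -> leaves via eth2."""
    return select_egress([], {"main": MAIN}, UTM_IF1, CLIENT)


def reply_egress_with_source_rule() -> Optional[str]:
    """Same reply, but a source-based rule sends anything sourced from the
    Interface1 address to a table whose only route is the default via the FritzBox."""
    tables = {
        "main": MAIN,
        "via_fritzbox": [Route(IPv4Network("0.0.0.0/0"), "eth1", FRITZBOX)],
    }
    rules = [Rule(IPv4Network("192.168.178.2/32"), "via_fritzbox")]
    return select_egress(rules, tables, UTM_IF1, CLIENT)


if __name__ == "__main__":
    print("reply egress, main table only :", reply_egress_without_policy())
    print("reply egress, with source rule:", reply_egress_with_source_rule())
```

The first function reproduces the symptom from the post: even though the request came in via Interface1, the most specific route for the client's address is the connected subnet on eth2. The second shows the usual fix on a plain Linux router, a rule keyed on the source address that consults a dedicated table before main; whether the UTM's policy-route form builds an equivalent rule is exactly the question left open in the thread.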