How connect to an internal sub net behind UTM9

Hello,

can you show us a screenshot from your interface setup of both interfaces "10.0.0.7/24" = internal and "10.0.10.2/24" = WAN, please?

Your setup uses the Fritzbox as a default gateway, which is doing NAT for you, too. So the interface on the UTM going to the Fritzbox has to have the attribute "default gateway".

The fritzbox on the other end needs to know about the network "behind" the UTM, you can define this network at the fritzbox itself.

Bes setup would be to define the Sophos UTM as "exposed host" on the fritzbox, which then sends everything coming in from external to the UTM.

Hallo Philipp, I hope these are the right screenshoots!

This is a screenshoot from trhe FritzBox.

What do you mean with, the FritzBox has to known about the netwerk behind the Sophos interface?

Currently I still a connection between the FritzBox and the internal network, to get everything working!

Thans for your help,

Hans-Georg

Hallo Hans-Georg,

Also ich mache dann mal in deutsch weiter: "Erweiterte Ansicht" bei der Fritzbox auswählen.

Unter dem Fritzbox-Menüpunkt "Heimnetz/Netzwerk/Netzwerkeinstellungen" ganz nach unten scrollen bis zum Punkt "Statische Routing-Tabelle".

Mit dem Button "neue IPv4 Route" eine neue Route für das interen Netzwerk hinter der UTM anlege.

Dort muss für deinen Anwendungsfall stehen:
Netzwerk: 10.0.0.0
Subnetzmaske: 255.255.255.0
Gateway: 10.0.10.2     (=Sophos externer Port)

Achtung: im Diagramm stehen /8 Netzwerkmasken, die dürfen nicht so bleiben.

Wenn du die Clients im internen Netz umsteckst, muss natürlich die Sophos Schnittstelle 10.0.0.7 deren Default-GW sein.

Hallo Phillip,

so I have to set the subnet mask to 255.255.255.0 add the static routing.

But what'sthe additional firewall rules under Network Protection?

Do I need them both?

Viele Grüße,

Hans-Georg

Which rules?

Hallo Phillipe,

HGA said:

When I define a new firewall rule under Network Protection, to connect the 10.0.0.x/24 network to the 10.0.10.x/24 network in both direction for any IP protocol, should it than possible to connect to the FritzBox from the internal Computers? Also the IP-Phones need the connection to the FitzBox!

Before I have installed Sophos, I had a working VPN connection to another Fritzbox. If I setup also an additional firewall rule under Network Protection for the 192.168.178.0/24 network, should than again work this VPN?

I am not sure, if I need them! I think, Sophos automatically send the trafic for 10.0.10.x and for 192.168.178.x to the Fritzbox and the Fritzbox understand that these are not external IPs and the Fitzbox automatically use the VPN?

So setup the static routing on the  Fritzbox is all I have to do?

Your Gateway definition tells the Sophos to send everything which is not destinated to 10.0.0.0 to the router (= Fritzbox) with the 10.0.10.1.There is no magic behind this.

You certainly have to allow traffic from internal LAN to "the internet" for you internal clients. That's one kind of rule.

The other part is your existing VPN.

I would recommend to use the Fritzbox function "exposed host" under the "Freigaben" (Portforwarding) menu and then terminate the VPN on the Sophos UTM.

Phillip thank you very much,

I have already use the function "exposed host".

But what you mean with terminate the VPN on the Sophos UTM?

On the UTM I don't have any VPN setup!
I will test it tonight!

Best regards from Germany,

Hans-Georg

To terminate the VPN means, the VPN-Tunnel is ending here.

But my recommendation has to be clarified: if you have a site-to site-Tunnel between two Fritzboxes, then leave this like it is.

If you want to add remote-VPN-Access für some Clients, you should definitely use the built-In VPN features of the UTM.

They are much simpler to configure and to install, than the Fritzbox IPsec VPN-Clients.

For VPN-Clients you better use the SSL-VPN of the UTM.

Good Morning Phillip,

ok, I can leave the existing VPN-Tunnel between the 3 GFritzboxes, it is exist andcontinue try to get it working!

But I have testet tonight your proposed settings about the 10.0.x.x networks but I didn't get it working.

First I setup the stativ IPv4-route under Heimnetz->Netzwerk->Netzwerkeinstellungen as you proposed.

This one is currently still enabled, but if I tried to change the subnet mask under IP-Adressen from 255.255.255.0 to 255.0.0.0 under IPv4-Einstellungen, I lost the connection. I had to change the network adapter settings for one machine to 10.0.10.10 with the network mask 255.255.255.0 to have again access to the Fritzbox (10.0.10.1) and reset this settings.

I think, 10.0.10.0/24 is in generell a part of 10.0.0.0/8, but the Fritzbox doesn't allow the access outside the 10.0.10.0/24 network!

What was my mistake?

Best regards,

Hans-Georg

Hello,

can you please read my post for the route again carefully?

The net is 10.0.0.0.

Hello Phillip,

stupid mistake from me! Was about 3:00 in the morning!

But what happend with the WLAN network, which is also on 10.0.0.0/8 ?

Danke and kind regards,

Hans-Georg

Hello Phillip,

stupid mistake from me! Was about 3:00 in the morning!

But what happend with the WLAN network, which is also on 10.0.0.0/8 ?

Danke and kind regards,

Hans-Georg

Hello,

better use 10.0.0.0/24, otherwise the 10.0.0.0 /8 network will include your other 10.0.10.0 network. This will confuse routing, then.

For the Wifi, you mean the internal Wifi of the Fritzbox?

Yes, from the Fritzbox.

Thanks,

Hans-Georg

The Wifi of a Fritzbox is bridged to the LAN. As long as there is a valid route the "new" internal LAN 10.0.0.0/24, the Wifi will work for the internal resources as well. You need to have a firewall rule for access to the 10.0.0.0/24 net from 10.0.10.0/24 net, of course. Be careful not to put "any to any" here.

Hallo Phillip,

now it gets complcated.

Do I need this firewall rule for both directions or only for 10.0.0.0/24 to 10.0.10.0/24, because Fritzbox sends the 10.0.0.0/24 already to internal network?

I also don't understood what you mean with careful with put "any to any"?

Because all trafic should be routed from the internel Network to the Fritzbox WLAN!

This is my currentl rule, but not enabled yet.

Thanks,

Hans-Georg

Hello,

the logic behind a firewall is quite simple: the UTM is a "Deny ALL" system, so everything you don't allow explicitely is not going though and dropped.

But you need to have a network with a functional routing BEFORE, so that the traffic would flow into the right direction.

THEN you can decide, what kind of traffic you would like to allow.

That said, I come to your questions: we cannot know, which ressources you need to access from where.

Based on your network-diagram, I can only guess here: IF a client  from the "Wifi-Zone" needs to access the server on the internal LAN, you need a rule to allow that access in this direction. You do NOT need to allow the server to access the Wifi-Clients to achieve that.

This is done implicitely: the firewall associates the incoming (allowed) request-packets with the outgoing packets going back to the source of this session. So you always define only "one direction" in firewall rules, when allowing access.

Hello Phillip,
thanks a lot!

1. So if you say,

PhilippRusch said:

Be careful not to put "any to any" here.

that means, I should not let any traffic comming through the firewall, right?

2. And you say, that I only have to define firewall rules for the incomming traffic and not for the outgoing traffic!

3. So my firewall rules: Internal (10.0.0.0/24) to Fritz (10.0.10.0/24 and Internal to any (0.0.0.0/0) are useless?

4: I have Nat rules from any for specific ports to an specific address for a specific Port. So this one works also automatically in the other direction. And I have a Mask rule for internal (10.0.0.0/24) to the externalSopjos  interface (10.0.10.2). Is this necessary?

5. From the Fritzbox there is comming Traffic from the Internet and also from the VPN and the WLAN. So if I have firewall rule from 10.0.10.0/24 to 10.0.0.0/24 I can use any, because only  the traffic from 10.0.10.0/24 can go trought the firewall but not the internet traffic, which uses the same way? Ofcourse it would better not to use any and only the necessary traffic!

6 Whit NAT I define specific traffic, for example a port which goes to an specific maschine and with a firewall rule defines the traffic between busses, right?

7. The static rule of the Fritzbox tells the Fritzbox to which port the Fritzbox has to send which traffic, I think.

I think I now understand the network of the firewall now much better.
Vielen Dank,

Hans-Georg

Hallo Phillip,

I was able to implement your recommended changes on the Fritzbox:

I am happy, that I have done during the night, because the Fritzbox has reseted the "Portfreigaben", so that first no internet was working anymore.

If I remove the direct physical connection from the Fritzbox to the internal network, I cannot connect the FRitzbox.

A network rule between the the 10.0.0.0/24 and 10.0.10.1/24 in both direction exists.

If I use the Sophos Tools Ping I got:

But if I use my PC for a Ping to 10.0.10.0 there is no connection.

What could be the problem?

You can't ping 10.0.10.0, this is the network as a whole, no host.

Sorry, this was just an typing error, I tried to Ping 10.0.10.1!