This is my network structure:
The Computers on the internal network are setup as 10.0.0.x/24 as well as the definition of the network on UTM9.
Behind the UTM9 firewall there is the Fritzbox, which is the gateway to the internet. For the FritBox I have assigned a 10.0.10.x/24 network.
When I define a new firewall rule under Network Protection, to connect the 10.0.0.x/24 network to the 10.0.10.x/24 network in both direction for any IP protocol, should it than possible to connect to the FritzBox from the internal Computers? Also the IP-Phones need the connection to the FitzBox!
Before I have installed Sophos, I had a working VPN connection to another Fritzbox. If I setup also an additional firewall rule under Network Protection for the 192.168.178.0/24 network, should than again work this VPN?
Of cource, the above rules must be placed before the internet connection, so that Sophos UTM will the handle first!
I ask these questions, because I am not able to test it with the risk, that the connection to the internet will be disconnected, because I am runing an private Web-Radio and I don't want to interrupt my listeners!
Thanks a lot for your support!
** Summary **
Due to the fact, that it is a lot to read, I try summary it.But first, many thanks to Phillipp for his help and patience.
It is important, that the internal network 10.0.0.0/24 and the Fritzbox network 10.0.10.0/24 are indepandant and also all clients in this networks have a 255.255.255.0 mask!
Therefore in the Fritzbox the DHCP-server has to be enabled, that clients on WLAN will get a IP. For that I have for the DHCP-Server set the gateway to the Fritzbox, but the DNS to an DNS-Server inside the internal Network.
In the Fritzbox under Home network->network properties->Static routing table you have to setup a entry for the internal network and the gateway has to be the external Sophos port on the Fritzbox network.
Finally in Sophos you need under network Protection->Firewall->Rules there is an entry necessary, which allows the traffic between the internal network and the FritzBox network.
Than everything should work, including WLAN.
For the VPN I have setup a new VPN connection between the external FritzBox and Sophos.
of course these need to be two separate networks, because this is on two different interfaces of your firewall! Otherwise it would be difficult for the linux kernel to decide the routing between…
can you show us a screenshot from your interface setup of both interfaces "10.0.0.7/24" = internal and "10.0.10.2/24" = WAN, please?
Your setup uses the Fritzbox as a default gateway, which is doing NAT for you, too. So the interface on the UTM going to the Fritzbox has to have the attribute "default gateway".
The fritzbox on the other end needs to know about the network "behind" the UTM, you can define this network at the fritzbox itself.
Bes setup would be to define the Sophos UTM as "exposed host" on the fritzbox, which then sends everything coming in from external to the UTM.
Mit freundlichem Gruß, best regards from Germany,
New Vision GmbH, GermanySophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Hallo Philipp, I hope these are the right screenshoots!
This is a screenshoot from trhe FritzBox.
What do you mean with, the FritzBox has to known about the netwerk behind the Sophos interface?
Currently I still a connection between the FritzBox and the internal network, to get everything working!
Thans for your help,
You can't ping 10.0.10.0, this is the network as a whole, no host.
Sorry, this was just an typing error, I tried to Ping 10.0.10.1!
Have a look here:
have implemented your propoasals for Global ICMP and Ping Settings, but I still cannot ping or access 10.0.10.1 from the internal 10.0.0.0 netzwork!
What could I do next?
Regards from Germany, too
I know we are both german, but let's keep this thread in english, maybe some other community users have a useful insight of our discussion.
Back to your topic: how is the client configuration you use for the test?
Can you output the ip configuration here?
or do you need /all?
Ja, da habe ich mir gedacht: bitte die Subnetzmaske auf 255.255.255.0 (=/24) korrigieren.
Außerdem würde ich IPv6 komplett abschalten.
Ups, jetzt habe ich ja selber auf deutsch umgeschaltet:
Please correct the subnet mask to 255.255.255.0 (=/24).
BTW: I would completely disable IPv6.
yes, now it works, but I have now some additial questions.
So I have now 2 independant networks. 10.0.0./24 for internal and 10.0.10.0/24 for the Fritzbox network!
I guess, I have to set all oter Computers in the internal network also to the mask 255.255.255.0, right?
So Computer, which connect via WLAN now on a separate network (10.0.10.0/24) .The next step should be to activate the DHCP-server on the Fritzbox, because the DHCP on the internel network is no longer availble?Can the Fritzbox DHCP-server provide an IP from the 10.0.0.0/24 network?If not, are then all computes on the WLAN still able to connect to the computer in the 10.0.0.0/24 netwerk?My IP-phones which need a connection to the Fritzbox, if I change there network mask also to 255.255.255.0, would they work again?
Best regards and thanks you very much,
of course these need to be two separate networks, because this is on two different interfaces of your firewall! Otherwise it would be difficult for the linux kernel to decide the routing between these nets...
Once again: all /8 masks are WRONG, you have to change these to /24 an ANY clients.The 10.0.0.0 /8 network is including the 10.0.10.0 /24 network, so this would not work.
Now to your second question: The Fritzbox is the Accesspoint for your wireless clients. It will handout DHCP-addresses from the 10.0.10.0 /24 network to the Wifi-Clients. You could start with 10.0.10.100 and end with 10.0.10.200 for example. Mask is /24.
Then normal routing is happening to these clients: if they want to reach ressources in the 10.0.0.0 network, the Fritzbox forwards these packets to the Sophos. Of course you need to allow that traffic with a firewall rule. That's it.
Third question: all mebers of the same IP network should use the same subnet mask. So, yes, your Phones will work again, if they use the same mask as the Fritzbox.
[Edit: typos and clarifications]
thank you very much. I have learned a lot about networks. Now my network is running well and I only have to setup the VPN.