This is my network structure:
The computers on the internal network are set up as 10.0.0.x/24, as is the definition of the network on UTM9.
Behind the UTM9 firewall there is the Fritzbox, which is the gateway to the internet. For the Fritzbox I have assigned a 10.0.10.x/24 network.
When I define a new firewall rule under Network Protection to connect the 10.0.0.x/24 network to the 10.0.10.x/24 network in both directions for any IP protocol, should it then be possible to connect to the Fritzbox from the internal computers? The IP phones also need the connection to the Fritzbox!
Before I installed Sophos, I had a working VPN connection to another Fritzbox. If I also set up an additional firewall rule under Network Protection for the 192.168.178.0/24 network, should this VPN then work again?
Of course, the above rules must be placed before the internet connection rule, so that Sophos UTM handles them first!
I ask these questions because I am not able to test it without the risk that the internet connection will be cut, because I am running a private web radio and I don't want to interrupt my listeners!
Thanks a lot for your support!
**Summary**
Since it is a lot to read, I will try to summarize it. But first, many thanks to Phillipp for his help and patience.
It is important that the internal network 10.0.0.0/24 and the Fritzbox network 10.0.10.0/24 are independent and also that all clients in these networks have a 255.255.255.0 mask!
Therefore the DHCP server in the Fritzbox has to be enabled, so that clients on WLAN get an IP. For that I have set the gateway in the DHCP server to the Fritzbox, but the DNS to a DNS server inside the internal network.
In the Fritzbox under Home network -> Network properties -> Static routing table you have to set up an entry for the internal network, and the gateway has to be the external Sophos port on the Fritzbox network.
Finally, in Sophos under Network Protection -> Firewall -> Rules an entry is necessary which allows the traffic between the internal network and the Fritzbox network.
Then everything should work, including WLAN.
For the VPN I have set up a new VPN connection between the external Fritzbox and Sophos.
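As an added illustration (not part of the thread), the two routing points of the summary modelled with Python's ipaddress module: the address plan must not overlap (the /24 vs /8 question that comes up later in the thread), and the Fritzbox needs a static route for 10.0.0.0/24 via the UTM's external port, otherwise its replies to internal hosts follow the default route to the WAN. Addresses are the ones from the thread; the WAN gateway is a placeholder.

```python
import ipaddress

# Addresses from the thread: internal LAN, Fritzbox LAN and the UTM's
# external interface (10.0.10.2, as named later in the thread).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
FRITZ_LAN = ipaddress.ip_network("10.0.10.0/24")
UTM_EXTERNAL = ipaddress.ip_address("10.0.10.2")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
WAN = "WAN (placeholder for the Fritzbox internet uplink)"


def overlapping_pairs(nets):
    """Return every pair of prefixes that overlap; an empty list means the
    address plan is clean. 10.0.0.0/8 would swallow 10.0.10.0/24."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def next_hop(routes, dst):
    """Longest-prefix-match lookup as a router does it. `routes` is a list of
    (prefix, gateway) tuples; gateway None means 'directly connected'."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway)
    return best[1] if best else None


# Fritzbox routing table before the fix: it only knows its own LAN and the
# internet, so replies to 10.0.0.x are sent towards the WAN and lost.
FRITZ_ROUTES_BEFORE = [(FRITZ_LAN, None), (DEFAULT, WAN)]

# After the static route from the summary: 10.0.0.0/24 via the UTM external port.
FRITZ_ROUTES_AFTER = FRITZ_ROUTES_BEFORE + [(INTERNAL, UTM_EXTERNAL)]


def check_plan():
    """Returns (overlaps of the /24 plan, overlaps if the LAN were a /8,
    next hop for an internal client before and after the static route)."""
    return (
        overlapping_pairs([INTERNAL, FRITZ_LAN]),
        overlapping_pairs([ipaddress.ip_network("10.0.0.0/8"), FRITZ_LAN]),
        next_hop(FRITZ_ROUTES_BEFORE, "10.0.0.50"),
        next_hop(FRITZ_ROUTES_AFTER, "10.0.0.50"),
    )


if __name__ == "__main__":
    for label, value in zip(("/24 overlaps", "/8 overlaps", "before", "after"), check_plan()):
        print(f"{label}: {value}")
```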
Of course these need to be two separate networks, because they are on two different interfaces of your firewall! Otherwise it would be difficult for the Linux kernel to decide the routing between…
Can you please read my post about the route again carefully?
The net is 10.0.0.0.
Kind regards, best regards from Germany,
New Vision GmbH, Germany, Sophos Silver Partner
Stupid mistake from me! It was about 3:00 in the morning!
But what happens with the WLAN network, which is also on 10.0.0.0/8?
Thanks and kind regards,
Better use 10.0.0.0/24, otherwise the 10.0.0.0/8 network will include your other 10.0.10.0 network. This will confuse routing.
For the Wifi, do you mean the internal Wifi of the Fritzbox?
Yes, from the Fritzbox.
The Wifi of a Fritzbox is bridged to the LAN. As long as there is a valid route to the "new" internal LAN 10.0.0.0/24, the Wifi will work for the internal resources as well. You need to have a firewall rule for access to the 10.0.0.0/24 net from the 10.0.10.0/24 net, of course. Be careful not to put "any to any" here.
Now it gets complicated.
Do I need this firewall rule for both directions or only for 10.0.0.0/24 to 10.0.10.0/24, because the Fritzbox already sends the 10.0.0.0/24 to the internal network?
I also don't understand what you mean with being careful about "any to any"?
Because all traffic should be routed from the internal network to the Fritzbox WLAN!
This is my current rule, but it is not enabled yet.
The logic behind a firewall is quite simple: the UTM is a "Deny ALL" system, so everything you don't allow explicitly is not going through and is dropped.
But you need to have a network with functional routing BEFORE, so that the traffic flows in the right direction.
THEN you can decide what kind of traffic you would like to allow.
That said, I come to your questions: we cannot know which resources you need to access from where.
Based on your network diagram, I can only guess here: IF a client from the "Wifi zone" needs to access the server on the internal LAN, you need a rule to allow that access in this direction. You do NOT need to allow the server to access the Wifi clients to achieve that.
This is done implicitly: the firewall associates the incoming (allowed) request packets with the outgoing packets going back to the source of this session. So you always define only "one direction" in firewall rules when allowing access.
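To make the "one direction" point concrete, here is an added toy model (not the UTM's code, not from the thread) of a default-deny packet filter with connection tracking: the reply to an accepted session is passed without any rule, while an unsolicited packet from the server towards the Wifi net is dropped. The hosts 10.0.10.50 and 10.0.0.10 and the port numbers are constructed; a Rule left at its defaults (proto "any", no port) is the "any to any" rule the thread warns against.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One allow rule; proto 'any' and dport None mean 'any' (the risky default)."""
    src_net: str
    dst_net: str
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class StatefulFirewall:
    """Default-deny filter: accept replies to known sessions, or new sessions a rule allows."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # 5-tuples of accepted sessions

    def filter(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.sessions:
            return "ACCEPT (established)"  # reply traffic, no rule needed
        if any(rule.matches(p) for rule in self.rules):
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT (new)"
        return "DROP"  # the implicit "Deny ALL"


def demo():
    """Constructed Wifi client 10.0.10.50 reaches constructed web server 10.0.0.10 under one rule."""
    fw = StatefulFirewall([Rule("10.0.10.0/24", "10.0.0.0/24", "tcp", 443)])
    request = Packet("10.0.10.50", 51000, "10.0.0.10", 443)
    reply = Packet("10.0.0.10", 443, "10.0.10.50", 51000)
    unsolicited = Packet("10.0.0.10", 40000, "10.0.10.50", 22)
    return fw.filter(request), fw.filter(reply), fw.filter(unsolicited)
```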
Hello Phillip, thanks a lot!
1. So if you say,
jprusch said: Be careful not to put "any to any" here.
that means I should not let any traffic come through the firewall, right?
2. And you say that I only have to define firewall rules for the incoming traffic and not for the outgoing traffic!
3. So my firewall rules Internal (10.0.0.0/24) to Fritz (10.0.10.0/24) and Internal to any (0.0.0.0/0) are useless?
4. I have NAT rules from any for specific ports to a specific address for a specific port. So this one also works automatically in the other direction. And I have a masquerading rule for internal (10.0.0.0/24) to the external Sophos interface (10.0.10.2). Is this necessary?
5. From the Fritzbox there is traffic coming from the internet and also from the VPN and the WLAN. So if I have a firewall rule from 10.0.10.0/24 to 10.0.0.0/24, can I use any, because only the traffic from 10.0.10.0/24 can go through the firewall but not the internet traffic, which uses the same way? Of course it would be better not to use any and only the necessary traffic!
6. With NAT I define specific traffic, for example a port which goes to a specific machine, and with a firewall rule I define the traffic between buses, right?
7. The static rule of the Fritzbox tells the Fritzbox to which port it has to send which traffic, I think.
I think I now understand the network of the firewall much better. Many thanks,
I was able to implement your recommended changes on the Fritzbox:
I am happy that I did it during the night, because the Fritzbox had reset the "Portfreigaben" (port forwardings), so that at first no internet was working anymore.
If I remove the direct physical connection from the Fritzbox to the internal network, I cannot connect to the Fritzbox.
A network rule between the 10.0.0.0/24 and 10.0.10.1/24 in both directions exists.
If I use the Sophos tools ping I get:
But if I use my PC for a ping to 10.0.10.0 there is no connection.
What could be the problem?