
/29 Network - IP Addresses

Hi All,

First post so go easy please :)

Just about to cutover to a software UTM (free home edition) and was wondering if anyone knows how my IP addresses for ADSL connection will work. 

My ISP provides me a static WAN IP and also they route a /29 to me which the WAN IP is *not* part of.

Will I have to do anything special to NAT incoming services that were destined to any of the /29 addresses, like for example define them all individually as hosts and then choose them as the targets for the NAT rules ?

Any advice/help appreciated.

Cheers.


  • Hi, and welcome to the User BB!

    There are three possible solutions.  

    1. The "classic" solution when you have only a few IPs is to assign Additional Addresses to the External interface and then to DNAT the traffic to the appropriate internal device.

    2. Another possibility would be to set up a new DMZ with one of your public IPs as the address of the interface and then put the public IPs directly on your devices.

    3. Finally, the one I would choose since you can use Web Application Firewall would be to take advantage of the protection it offers.

    In fact, you can begin with #1, set up #3 and then disable the NAT rule in #1 to test whether you've configured correctly for #3.  See #2 in Rulz to understand why the DNAT captures traffic before it can reach the reverse proxy.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    This makes great sense.

    I just want to confirm however that if for example you have 4 web server VMs on the internal side and you add the additional public IPs of the /29 to the external adapter that one port 80 DNAT rule to each server would work? At least until I set up WAF.

    What I mean by this is will each IP's port 80 go to the desired internal web server or will there be some kind of conflict with port 80 open on 4 IPs?

    I ask because my SUM is an internal VM and when I set it up, though I used an additional IP and dnat, I had to move the SUM web admin to a different port because both the main IP port 4444 and the additional IP port 4444 went to the UTM.

    Thanks,
    HTG

    Best Regards - HTG
    Frustrated Sophos Partner seeing all the things
    that brought me to Sophos slowly slip away.
    RIP astaro.org

  • 4444 & 4443 are listened for on every IP on every interface, but only 'Allowed networks' traffic is not blocked.  25 and 587 are listened for on all interfaces with a default gateway and on the interfaces where devices are allowed on the 'Relaying' tab, or on all if 'Transparent' is selected for the SMTP Proxy (I never recommend that).  Depending on the selection the port for SSL Remote Access may be listened for on all interfaces or just one.

    At the moment, I can't remember any other "special" services, so, yes, four DNATs on port 80 will work.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Can't thank you enough Grandis Professorem Astaro!

    Best Regards - HTG
    Frustrated Sophos Partner seeing all the things
    that brought me to Sophos slowly slip away.
    RIP astaro.org

  • Come to think of it I have one more followup question.

    When adding the additional IPs, since they need to be added one at a time would a netmask of /32 or /29 be correct?

    Best Regards - HTG
    Frustrated Sophos Partner seeing all the things
    that brought me to Sophos slowly slip away.
    RIP astaro.org

  • /32 is the correct CIDR for a single address, equivalent to a netmask of 255.255.255.255.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Hello, I have tried to follow the suggestion to create 'Additional Address' on my WAN interface (which is PPPOE on eth1) as per the 'classic' solution but this does not work for me.

    If I run a tcpdump on eth1 I can see raw PPPOE frames (as expected).

    If I run tcpdump on the ppp0 interface I can see the traffic arrive for all my additional IPs (regardless of having defined additional addresses), which makes sense as my ISP routes them to the WAN address.

    So then I added an 'Additional Interface' on the WAN interface (eth1)... Interestingly, the IP address is assigned to the eth1 adapter but when I tcpdump eth1 it does not show any traffic, not even any PPPOE frames, yet the internet still works?

    I'm starting to think that it is not possible to use my extra /29 on a Sophos UTM where my internet connection is PPPOE.

    Anyone?
  • Bad form to reply to one's own post, but I have got this to work:

    1. Create network host definitions for each individual external public IP that you want to NAT
    2. Do *NOT* create additional addresses
    3. Do *NOT* attempt to define/modify an interface that has anything to do with these public IP addresses
    4. Add NAT and firewall rules as usual

    So really just do steps 1 and 4 and you should be good to go. :)

    Hope this helps someone else. Thanks for all your help and suggestions.
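As an added example that is not part of this thread and not Sophos code, the following Python script models the final setup described above: one host definition per address of the routed /29 and one DNAT rule per public address and port. All addresses are constructed documentation-range values, and the port list is taken from Bob's note that WebAdmin (4444) and the User Portal (4443) are listened for on every address. The checks answer the two questions raised in the thread: four port-80 rules to different public addresses do not collide, while a DNAT on a port the UTM itself answers on is flagged instead of silently being captured.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values (hypothetical; the thread names no real addresses).
# Documentation ranges are used so nothing here is a routable target.
WAN_IP = "203.0.113.10"            # the static WAN address on ppp0
ROUTED_BLOCK = "198.51.100.8/29"   # the /29 the ISP routes to that WAN address

# Ports the UTM itself answers on for every address on every interface, as Bob
# notes above (WebAdmin 4444, User Portal 4443).  A DNAT on one of these ports is
# the collision HTG hit with his SUM.
UTM_LISTEN_PORTS = {4443, 4444}

# (public_ip, public_port, internal_ip, internal_port): four web servers, one
# public address each, all on port 80, which is the case HTG asked about.
SAMPLE_RULES: List[Tuple[str, int, str, int]] = [
    ("198.51.100.9",  80, "10.0.0.11", 80),
    ("198.51.100.10", 80, "10.0.0.12", 80),
    ("198.51.100.11", 80, "10.0.0.13", 80),
    ("198.51.100.12", 80, "10.0.0.14", 80),
]


def usable_addresses(block: str, wan_ip: str) -> List[str]:
    """Public addresses a DNAT rule may target: the host addresses of the routed block.

    The WAN address must lie outside the block; if it is inside, the block is
    on-link rather than routed and the thread's setup does not apply.  The first
    and last address of the block are left out as a conservative choice, since
    some clients still treat them as network/broadcast even when the block is routed.
    """
    net = ipaddress.ip_network(block, strict=True)
    if ipaddress.ip_address(wan_ip) in net:
        raise ValueError(f"WAN address {wan_ip} lies inside {block}; expected a separately routed block")
    return [str(addr) for addr in net.hosts()]


def plan_dnat(rules: List[Tuple[str, int, str, int]], block: str, wan_ip: str) -> Dict[str, str]:
    """Check a DNAT rule list and return {'public_ip:port': 'internal_ip:port'}.

    Rejects a public address outside the block, a public port the UTM reserves
    for itself, and two rules that claim the same public socket.  Distinct
    public addresses on the same port do not collide, which is why four
    port-80 rules work as Bob said.
    """
    allowed = set(usable_addresses(block, wan_ip))
    plan: Dict[str, str] = {}
    for pub_ip, pub_port, int_ip, int_port in rules:
        if pub_ip not in allowed:
            raise ValueError(f"{pub_ip} is not a usable address in {block}")
        if pub_port in UTM_LISTEN_PORTS:
            raise ValueError(f"port {pub_port} on {pub_ip} is answered by the UTM itself; use another public port")
        key = f"{pub_ip}:{pub_port}"
        if key in plan:
            raise ValueError(f"two rules claim {key}")
        plan[key] = f"{int_ip}:{int_port}"
    return plan


if __name__ == "__main__":
    for public, internal in plan_dnat(SAMPLE_RULES, ROUTED_BLOCK, WAN_IP).items():
        print(f"DNAT {public} -> {internal}")
```

Each key in the returned plan corresponds to one host definition plus one DNAT rule in the UTM (steps 1 and 4 of the post above); the script raises before any rule would be created for a socket the UTM already owns, which is the situation that forced the SUM WebAdmin onto a different port earlier in the thread.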