
/29 Network - IP Addresses

Hi All,

First post so go easy please [:)]

Just about to cutover to a software UTM (free home edition) and was wondering if anyone knows how my IP addresses for ADSL connection will work. 

My ISP provides me a static WAN IP and also they route a /29 to me which the WAN IP is *not* part of.

Will I have to do anything special to NAT incoming services that were destined to any of the /29 addresses, like for example define them all individually as hosts and then choose them as the targets for the NAT rules ?

Any advice/help appreciated.

Cheers.


  • Hi, and welcome to the User BB!

    There are three possible solutions.  

    1. The "classic" solution when you have only a few IPs is to assign Additional Addresses to the External interface and then to DNAT the traffic to the appropriate internal device.

    2. Another possibility would be to set up a new DMZ with one of your public IPs as the address of the interface and then put the public IPs directly on your devices.

    3. Finally, the one I would choose since you can use Web Application Firewall would be to take advantage of the protection it offers.
    In fact, you can begin with #1, set up #3 and then disable the NAT rule in #1 to test whether you've configured correctly for #3.  See #2 in Rulz to understand why the DNAT captures traffic before it can reach the reverse proxy.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, I have tried to follow the suggestion to create an 'Additional Address' on my WAN interface (which is PPPoE on eth1) as per the 'classic' solution, but this does not work for me.

    If I run a tcpdump on eth1 I can see raw PPPoE frames (as expected).

    If I run tcpdump on the ppp0 interface I can see the traffic arrive for all my additional IPs (regardless of having defined additional addresses), which makes sense as my ISP routes them to the WAN address.

    So then I added an 'Additional Interface' on the WAN interface (eth1)... interestingly the IP address is assigned to the eth1 adapter, but when I tcpdump eth1 it does not show any traffic, not even any PPPoE frames, yet the internet still works?

    I'm starting to think that it is not possible to use my extra /29 on a Sophos UTM where my internet connection is PPPoE.

    Anyone?
  • Bad form to reply to one's own post, but I have got this to work:

    1. Create network host definitions for each individual external public IP that you want to NAT
    2. Do *NOT* create additional addresses
    3. Do *NOT* attempt to define/modify an interface that has anything to do with these public IP addresses
    4. Add NAT and firewall rules as usual

    So really just do steps 1 and 4 and you should be good to go. :)

    Hope this helps someone else. Thanks for all your help and suggestions.
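As an added illustration of why steps 1 and 4 are enough here (this is example code, not Sophos UTM's own configuration or anything posted in the thread): the ISP routes the /29 to the WAN address, so packets for every address in the block already arrive on ppp0 without the UTM owning those addresses locally, and a DNAT rule matching the destination is all that is needed. The script below models that setup as the equivalent netfilter rule pair (one PREROUTING DNAT plus one FORWARD accept per published service, with FORWARD defaulting to DROP so nothing beyond the published services is reachable) and checks the two preconditions the thread relies on: every host definition lies inside the routed block, and the WAN IP itself is not part of it. The interface name `ppp0`, the addresses (RFC 5737 documentation ranges) and the `DnatRule` records are constructed sample values, not taken from the original poster's network.

```python
"""Model of the routed-/29 DNAT setup from the thread above.

Added example, not Sophos UTM code. It emits the iptables commands that a
UTM "DNAT rule + firewall rule" pair corresponds to, and validates the
addressing assumptions first. All addresses are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DnatRule:
    """One published service: public IP/port -> internal host (and optional port)."""
    public_ip: str
    proto: str
    port: int
    internal_ip: str
    internal_port: Optional[int] = None  # None keeps the original destination port


def validate(wan_ip: str, routed_block: str, rules: List[DnatRule]) -> None:
    """Raise ValueError if the addressing does not match the routed-block scenario."""
    wan = ipaddress.ip_address(wan_ip)
    block = ipaddress.ip_network(routed_block, strict=True)
    if wan in block:
        # The thread's setup has the WAN IP outside the routed block. If it were
        # inside, the block would be on-link rather than routed and the
        # "Additional Address" approach would be the one to use instead.
        raise ValueError(f"WAN address {wan} lies inside routed block {block}")
    for r in rules:
        pub = ipaddress.ip_address(r.public_ip)
        if pub not in block:
            raise ValueError(f"{pub} is not inside the routed block {block}")
        if not ipaddress.ip_address(r.internal_ip).is_private:
            raise ValueError(f"DNAT target {r.internal_ip} should be a private address")
        if r.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {r.proto!r}")


def render_rules(wan_if: str, wan_ip: str, routed_block: str,
                 rules: List[DnatRule]) -> List[str]:
    """Return iptables commands implementing the rules, default-deny on FORWARD."""
    validate(wan_ip, routed_block, rules)
    out = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        # Destination rewrite happens in PREROUTING; the matching FORWARD rule
        # therefore sees the *internal* address and port.
        if r.internal_port is None:
            target, fwd_port = r.internal_ip, r.port
        else:
            target, fwd_port = f"{r.internal_ip}:{r.internal_port}", r.internal_port
        out.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -d {r.public_ip} "
            f"-p {r.proto} --dport {r.port} -j DNAT --to-destination {target}"
        )
        out.append(
            f"iptables -A FORWARD -i {wan_if} -d {r.internal_ip} -p {r.proto} "
            f"--dport {fwd_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return out


# Constructed sample values: WAN IP outside the block, two hosts inside it.
SAMPLE_WAN_IF = "ppp0"
SAMPLE_WAN_IP = "198.51.100.7"
SAMPLE_BLOCK = "203.0.113.8/29"
SAMPLE_RULES = [
    DnatRule("203.0.113.10", "tcp", 443, "10.0.0.5"),
    DnatRule("203.0.113.11", "tcp", 25, "10.0.0.6", 2525),
]

if __name__ == "__main__":
    for line in render_rules(SAMPLE_WAN_IF, SAMPLE_WAN_IP, SAMPLE_BLOCK, SAMPLE_RULES):
        print(line)
```

Note that no `ip addr add` for the public addresses appears in the output: because the block is routed to the WAN address, nothing on the PPPoE link ever asks the UTM to claim those addresses, which is the same reason the poster saw the traffic on ppp0 before defining any Additional Address.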