
When is manual NAT masquerading needed?

Dear experts and fellow happy amateurs!

I've just set up a Sophos UTM VM at home and it has been working extraordinarily well in most respects so far. But I've had a problem with some things that have made me scratch my head more than once. Some traffic just did not seem to leave my network. Hopefully this post will help someone else as well.

An example of a device which I had problems with was my Chromecast. It connected to the Wireless network (getting an IP from the Sophos DHCP), but still claimed not to be able to access internet.

I also had some problems with VPN using UDP profiles.

It took me a day to realize (a bit embarrassing) that the Sophos does not seem to NAT UDP packets behind the external IP and sends them untranslated. This caused them to be dropped by the ISP's router and thus nothing worked.

So for anyone having the same problem I had, just go to Network Protection, NAT and then create a new Masquerading rule hiding your internal network behind your external interface.

Now to the question, is this a bug or by design? If by design, could you please explain why?

Thankful for any input.

Kind regards,

Patrik



  • Hi and welcome,

    I have a device on my network that sends UDP packets using IKE etc. through my standard "internal network -> MASQ external interface" rule for IPv4. I assume you have a firewall rule similar to this: internal network -> any port -> any -> allow -> log.

    To get my VPN device working I did not need to add any rules.

    Now if you only had the http proxy enabled then yes you would need a MASQ rule.

    Finally, you have assumed incorrectly that the UTM has default rules. The default action of the UTM is to block all traffic. So you need to build your own rules for everything.

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation
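An added worked example, not part of the original posts or of Sophos' own code, to illustrate what a masquerading rule does for the traffic described in the opening post and in Ian's reply. It models the UTM's "internal network -> MASQ external interface" rule as source NAT keyed on the packet's source address, which is how such a rule behaves: it applies to TCP and UDP alike. Without the rule, packets leave with their private (RFC 1918) source address and an upstream router that filters private sources drops them; with the rule, the source is rewritten to the WAN address and a state entry maps the reply back. The addresses (192.168.1.0/24 as the LAN, 203.0.113.10 as the WAN address, 198.51.100.7 as the VPN server) and the UDP/443 VPN flow are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology for the example (documentation address ranges, not real hosts).
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")      # UTM's WAN address
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # LAN behind the UTM
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Source NAT for INTERNAL_NET behind EXTERNAL_IP.

    Equivalent in spirit to the UTM rule "internal network -> external interface"
    (or, on a plain Linux box, iptables -t nat -A POSTROUTING -s 192.168.1.0/24
    -o eth0 -j MASQUERADE). Selection is by source address only, never by protocol.
    """

    def __init__(self, enabled=True, first_port=1024):
        self.enabled = enabled
        self.next_port = first_port
        self.table = {}   # (proto, external port) -> (original src, original sport)

    def outbound(self, pkt):
        """Packet leaving the external interface; translate it if the rule matches."""
        if not self.enabled or ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
            return pkt    # no rule hit: leaves exactly as the LAN host sent it
        # Reuse the existing mapping for a flow we have already seen.
        for (proto, eport), (src, sport) in self.table.items():
            if proto == pkt.proto and (src, sport) == (pkt.src, pkt.sport):
                return Packet(pkt.proto, str(EXTERNAL_IP), eport, pkt.dst, pkt.dport)
        eport = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, eport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, str(EXTERNAL_IP), eport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Reply arriving from the Internet; map it back to the LAN host, or None if no state."""
        key = (pkt.proto, pkt.dport)
        if pkt.dst != str(EXTERNAL_IP) or key not in self.table:
            return None
        src, sport = self.table[key]
        return Packet(pkt.proto, pkt.src, pkt.sport, src, sport)


def isp_router_accepts(pkt):
    """Upstream filter as assumed in the example: drops packets sourced from private space."""
    return not any(ipaddress.ip_address(pkt.src) in n for n in PRIVATE_NETS)


def send(nat, pkt):
    """Return the packet as the ISP forwards it, or None if it was dropped upstream."""
    out = nat.outbound(pkt)
    return out if isp_router_accepts(out) else None


def demo():
    """Same two flows (VPN over UDP/443 and a TCP/443 session) with and without MASQ."""
    flows = [Packet("udp", "192.168.1.50", 40000, "198.51.100.7", 443),
             Packet("tcp", "192.168.1.50", 40001, "198.51.100.7", 443)]
    without_masq = [send(Masquerade(enabled=False), p) for p in flows]
    nat = Masquerade()
    with_masq = [send(nat, p) for p in flows]
    return without_masq, with_masq, nat


if __name__ == "__main__":
    dropped, forwarded, nat = demo()
    print("without MASQ:", dropped)          # both None: dropped by the upstream filter
    print("with MASQ:   ", forwarded)        # both carry 203.0.113.10 as source
    reply = Packet("udp", "198.51.100.7", 443, "203.0.113.10", forwarded[0].sport)
    print("reply mapped to:", nat.inbound(reply))
```

On a real UTM the equivalent check is a packet capture on the external interface while the failing device is active: outbound packets must show the WAN address as source, not the LAN address. The simulation also shows why a rule scoped to a single protocol would be the wrong fix; the translation is decided by where the packet came from, so the one masquerading rule covers the Chromecast, the UDP VPN and ordinary TCP browsing together.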

  • Hi Ian!

    Thank you for your answer. You're right about the rule, but I use "IPv4+6 Internet" instead of "any". Allow and log. :)

    When referring to the http proxy, do you mean the web filter? In either case I would expect the masquerade rule to be needed for both TCP and UDP traffic, or am I wrong?

    There's a high likelihood of your VPN device connecting over TCP. The one that was failing for me connected over UDP, port 443.

    Kind regards,
    Patrik