
Setup UTM with what Draytek would have called a Routed Subnet

I currently have a small block of IP addresses from Zen (8 IPs, 5 usable ones) and I use the Routed Subnet option on the DrayTek router, which works great: I just assign a real IP to my Linux VM and it gets traffic routed to it as expected.

I want to swap my DrayTek for a Sophos UTM (Home Edition). It's running on a board with 2 Ethernet ports, so one goes into the Openreach modem (PPPoE) and one to the LAN and into the LAN switch.

Can I set Sophos UTM up in a similar manner to the DrayTek router, with a routed subnet on the LAN side, or possibly over a tagged VLAN on the LAN side, as the servers are VMs and can be tagged in Hyper-V no issue?

Is this what is called Proxy ARP? (After having read around a bit on the subject.)

  • Just if it helps.. this is an extract from the Zen DrayTek setup guide found here: https://support.zen.co.uk/kb/Knowledgebase/Vigor-2900-Series-Routed-IP?Keywords=routed+subnet

    Vigor 2900 Series - Routed IP

    Aim of this article:

    This guide is for people who have a block of 8 IPs (or more) from Zen and wish to configure the router for Routed IP.

    The Vigor 2900 will run in dual NAT and Routed IP mode allowing you to have some machines on Private IP addresses and others with Public IPs.  For more information on NAT and Routed IP see Related Articles.

    It then just goes on to explain how to do it, which is rather simple on this router..

  • Hi,

    you are comparing a simple NAT router with a complex security firewall.

    You can set up your routes in the UTM, and you will also need to create packet filter rules and MASQ/NAT rules.

    If the traffic is incoming then you will need extra rules and DNAT/SNAT rules.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, Gordon, and welcome to the UTM Community!

    If some of these public IPs are for web servers, you might want to consider giving them private IPs and using Webserver Protection.  Also, you might consider adding a third NIC so that you can have your public IPs in a DMZ.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, I would prefer to put them in a DMZ but the unit only has 2 Intel NICs in it. It's a small unit like a NUC but with 2 NICs... so I can't add a physical DMZ, but VLAN is an option...

    I have 5 public IPs, using 3, that I would like to bring in to the DMZ, but I just need some step-by-step guidance on how I do it.

    I read about turning Proxy ARP on on both interfaces somewhere, but I don't see that as an option on the WAN PPPoE NIC; then add the Additional IPs to the WAN interface and make a firewall rule to allow traffic to flow. But I tried that this afternoon (could only turn Proxy ARP on on the LAN NIC though) and didn't seem to be able to get it to work.

  • You don't want Proxy ARP, Gordon.  If you have a VLAN-capable switch, a DMZ would be a good idea.  To the extent that any of these servers are web servers, I would use Webserver Protection instead of NAT.  I would not bother with a DMZ with public IPs, just put them on the External Interface as Additional Addresses.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You should reconfigure your VMs to use private IP addresses.  Then UTM is used to translate public IP+port to internal IP+port using NAT or WAF.   Proxy ARP is a poor alternative and I don't think it fits UTM's design.

    WAF provides specialized filtering for HTTP(S) traffic hitting a web server.  User Portal provides several options for secure remote access using one-time passwords with VPN or RDP.   NAT and firewall are used to ensure that incoming traffic is only able to reach authorized ports on authorized IPs.

    Your router is probably not doing any content filtering, and may not be blocking unneeded ports.  So UTM is a big win.

  • OK thanks guys, I will probably do this... though I may do it at the same time I migrate one of my servers.. I basically have a UNIX server that does Postfix (Amavis) Edge for Exchange and hosts about 4 very small Apache websites, Mailman, BIND, SSH. The other is a Windows box with Exchange on it, but it only has open on its firewall the ports it needs, 80 and 443, from the outside world (only using Exchange for my family's personal emails because I always liked the web interface and ActiveSync for phones). The last server is the Hyper-V host, again with a firewall that drops pretty much everything from the net, and is only public now because of the setup (the two VMs mentioned before have public IPs)... this can go back to private.

    So I will do this at some point when I have a bit of time to reconfigure everything... so when I reconfigure, I put all my usable IP addresses onto the WAN interface as Additional Addresses?

    If, say, I then basically have 2 servers: for the Windows box I really only need 80 and 443 passed through (for Exchange ActiveSync), but from the specific IP it resolves to, so mail.mydomain.com on IP 88.96.xx.x1. Do I use Web Protection? I don't need SMTP as I will still use the UNIX box as the Edge Transport. Do I use Web Protection or SNAT, and if SNAT, where is that?

    Then my UNIX box: I'm going to need a few more services coming through... it is the DNS server for a few of my domains, I SSH to it, and obviously SMTP and ESMTP, HTTP (for Let's Encrypt) and HTTPS for Apache web sites.. here I guess I need both Webserver Protection and some sort of SNAT on 88.96.xx.x2? It currently uses iptables to drop everything else - oh, I also use Webmin on it...

    This is the hardware I got to install UTM on: http://www.mini-itx.com/~JBC313

    Thanks for the help guys :)
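The design the replies converge on (public IPs held by the firewall as Additional Addresses on the external interface, DNAT from public IP+port to a private host, and nothing else reaching the inside) can be written down as a small policy model. The following is an added example, not code from the original thread or from Sophos UTM itself: it evaluates an inbound packet against a constructed DNAT table covering the services the poster lists, reports which private host and port it would reach or why it is dropped, and renders what the equivalent rule would look like on a plain Linux/netfilter router. All addresses are constructed (TEST-NET-3 and RFC 1918 ranges stand in for the poster's real block, which the thread does not show), and the host names and rule layout are assumptions for illustration.

```python
"""Policy model of inbound NAT on a firewall that owns a public /29.

Added example (not UTM's code). Addresses, hosts and the rule table are
constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the ISP block, and the two public IPs the firewall actually
# holds as "Additional Addresses" on its external interface. The remaining
# usable IPs in the block are unassigned and are never answered.
PUBLIC_BLOCK = ip_network("203.0.113.0/29")
ADDITIONAL_ADDRESSES = {"203.0.113.1", "203.0.113.2"}


@dataclass(frozen=True)
class DnatRule:
    public_ip: str       # destination the packet arrives with
    port: int            # destination port on the public IP
    proto: str           # "tcp" or "udp"
    internal_ip: str     # private host the traffic is rewritten to
    internal_port: int   # port on that host


# Constructed rule table: the DNAT entries double as the allow-list, so a
# public IP+port with no rule is simply dropped.
WINDOWS_MAIL = "192.168.10.20"   # assumed private IP of the Exchange box
UNIX_EDGE = "192.168.10.21"      # assumed private IP of the Postfix/BIND box

DNAT_RULES = [
    DnatRule("203.0.113.1", 80, "tcp", WINDOWS_MAIL, 80),    # ActiveSync/OWA
    DnatRule("203.0.113.1", 443, "tcp", WINDOWS_MAIL, 443),
    DnatRule("203.0.113.2", 22, "tcp", UNIX_EDGE, 22),       # SSH
    DnatRule("203.0.113.2", 25, "tcp", UNIX_EDGE, 25),       # SMTP edge
    DnatRule("203.0.113.2", 53, "udp", UNIX_EDGE, 53),       # BIND
    DnatRule("203.0.113.2", 53, "tcp", UNIX_EDGE, 53),
    DnatRule("203.0.113.2", 80, "tcp", UNIX_EDGE, 80),       # Let's Encrypt
    DnatRule("203.0.113.2", 443, "tcp", UNIX_EDGE, 443),     # Apache
]


def inbound_decision(dst_ip, dst_port, proto):
    """Return ('forward', internal_ip, internal_port) or ('drop', reason)."""
    dst = ip_address(dst_ip)
    if dst not in PUBLIC_BLOCK:
        return ("drop", "not addressed to this site's block")
    if dst_ip not in ADDITIONAL_ADDRESSES:
        # Unassigned public IPs are not configured anywhere, so the
        # firewall neither answers ARP for them nor routes behind them.
        return ("drop", "no such Additional Address on external interface")
    key = (dst_ip, dst_port, proto.lower())
    for rule in DNAT_RULES:
        if (rule.public_ip, rule.port, rule.proto) == key:
            return ("forward", rule.internal_ip, rule.internal_port)
    return ("drop", "no DNAT rule: port not authorised on this IP")


def exposed_services():
    """Per private host, the sorted (proto, port) pairs reachable from outside.

    Useful as an audit: anything not listed here is unreachable by design."""
    exposure = {}
    for rule in DNAT_RULES:
        exposure.setdefault(rule.internal_ip, set()).add((rule.proto, rule.internal_port))
    return {host: sorted(pairs) for host, pairs in exposure.items()}


def render_iptables(rule):
    """Equivalent of one rule on a plain Linux/netfilter router.

    Constructed for comparison only; UTM builds its own rule set from the
    GUI and this is not a transcript of it."""
    target = "%s:%d" % (rule.internal_ip, rule.internal_port)
    return [
        "iptables -t nat -A PREROUTING -d %s -p %s --dport %d -j DNAT --to-destination %s"
        % (rule.public_ip, rule.proto, rule.port, target),
        "iptables -A FORWARD -d %s -p %s --dport %d -m conntrack --ctstate NEW -j ACCEPT"
        % (rule.internal_ip, rule.proto, rule.internal_port),
    ]


if __name__ == "__main__":
    # Constructed sample packets: two that should be forwarded, two that
    # probe ports or IPs the policy does not expose.
    for pkt in [("203.0.113.1", 443, "tcp"), ("203.0.113.2", 25, "tcp"),
                ("203.0.113.1", 22, "tcp"), ("203.0.113.3", 80, "tcp")]:
        print(pkt, "->", inbound_decision(*pkt))
    for host, pairs in exposed_services().items():
        print(host, "exposes", pairs)
    for line in render_iptables(DNAT_RULES[0]):
        print(line)
```

The point the model makes concrete is the one the replies stress: with Additional Addresses plus DNAT, a public IP exposes exactly the ports that have a rule and nothing else, and a public IP with no rules at all exposes nothing, which is the opposite of the routed-subnet arrangement where the host's own iptables is the only thing standing between it and the Internet.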