
Multiple outgoing IP's with single WAN port

Hi,

I have several web servers running behind a single Sophos UTM, with two interfaces:

- eth0 > external (x.x.x.7/26) with default GW (x.x.x.1)
    > Additional addresses
        > x.x.x.8/26
        > x.x.x.9/26
        > x.x.x.10/26
        > etc
- eth1 > internal (10.0.0.2/24)

Using web server protection I was able to send each additional external address to the correct internal server. But when I access the internet from a web server, it always uses the default IP x.x.x.7. I managed the same with a DNAT rule from external to internal. Both work fine.

But how can I configure Sophos UTM to direct all outgoing traffic to the correct external IP?

E.g.:

10.0.0.8 > x.x.x.8
10.0.0.9 > x.x.x.9
10.0.0.10 > x.x.x.10

Regards,

Hugo

  • Hi Hugo and welcome to the UTM Community!

    With NAT rules, e.g.,

    SNAT : {10.0.0.8} -> Any -> Internet : from {x.x.x.8}

    Cheers - Bob
    Note in #2 in Rulz that your DNAT makes your WAF setup ineffective.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you BAlfson,

    I only mentioned the DNAT rule as an alternative that was also working, I'm not using them together, but thank you for the rulez list. That's very nice.

    Unfortunately the SNAT didn't work.

    FROM: 10.0.0.8
    Service: any
    Going to: External WAN address (x.x.x.7)

    Change source: x.x.x.8

    But nothing happens.

  • WAF makes UTM the "owner" of the IP address. Traffic reaches the web server by relaying from <internet client> to <WAF Address> to <internal webserver address>. The WAF address is no longer available for internal devices to use for outgoing traffic.

    UTM WAF supports SNI, so you could stack some or all of your WAF sites onto one IP, so that you free up the other addresses for other purposes. The transition may involve some downtime for some users because of DNS propagation delays. By SNI, I mean the following:

    • DNS names:
      • server1.mycompany.com x.x.x.8
      • server2.mycompany.com x.x.x.8
      • server3.mycompany.com x.x.x.8
    • WAF virtual webservers to match the DNS entries
    • Users must use host names instead of IP addresses.

    You can even define a catchall site for *.mycompany.com.

    All of this may require https; I don't remember with certainty, because all of my websites use https certificates (and so should yours).

  • Hello Douglas,

    All your changes involve incoming requests. I'm asking about outgoing requests. How can I make {internal ip} access the outside world on {additional external address} instead of {interface external address}? Because now they are all using the interface address.

  • As I said, those WAF addresses are not available for outgoing traffic, so you need to buy more addresses or free up some of them. Overloading the WAF sites onto one address is a way to free them up.

  • I already have more additional addresses (not used anywhere in Sophos, except created as "additional address"). How do I set it up then?

  • For outbound connections only, use SNAT, where the source is your internal server, as Bob Alfson indicated earlier.

    If you need inbound and outbound connections, you use full NAT, with firewall rules to block ports that should not be allowed in, especially the ports that are supposed to go through WAF.

  • Your NAT rule is incorrect.

    Not

    Going to: External WAN address

    But

    Going to: Internet

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
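The SNAT behaviour the thread converges on (Bob's correction that the rule must match "Going to: Internet" rather than "External WAN address", plus Douglas's point that an address bound to a WAF virtual server cannot double as a SNAT source), written out as an added Python model. This is not code from the thread or from Sophos. It assumes constructed RFC 5737 TEST-NET addresses in place of the thread's x.x.x.0/26 block, simplifies the UTM "Internet" definition to 0.0.0.0/0, and renders an illustrative netfilter equivalent of each rule that is not what UTM itself generates.

```python
"""Model of first-match SNAT rule selection as discussed in the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List

# Constructed stand-ins for the thread's x.x.x.0/26 block (TEST-NET-3, RFC 5737);
# the real addresses are not on the page.
WAN_PRIMARY = ip_address("203.0.113.7")          # eth0 interface address (x.x.x.7)
LAN_NET = ip_network("10.0.0.0/24")              # eth1 internal network

# UTM network definitions, modelled as IPv4 networks (assumption: simplified).
EXTERNAL_WAN_ADDRESS = ip_network("203.0.113.7/32")  # the interface's own host address
INTERNET = ip_network("0.0.0.0/0")                   # "Internet": anything via the default GW


@dataclass(frozen=True)
class SnatRule:
    source: IPv4Network             # "From" (traffic source)
    destination: IPv4Network        # "Going to" (traffic destination)
    translated_source: IPv4Address  # "Change source to"


def host(addr: str) -> IPv4Network:
    """Single-host network definition, like a UTM host object."""
    return ip_network(f"{addr}/32")


def egress_source(src: str, dst: str, rules: Iterable[SnatRule]) -> IPv4Address:
    """Source address a packet from src to dst leaves eth0 with.

    The first matching SNAT rule wins; with no match the packet keeps the
    interface's primary address, which is the symptom Hugo describes.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.source and d in rule.destination:
            return rule.translated_source
    return WAN_PRIMARY


def check_not_waf_owned(rules: Iterable[SnatRule], waf_addresses: Iterable[str]) -> List[str]:
    """Return translated sources that clash with addresses already bound to WAF sites.

    Douglas's point: WAF makes UTM the owner of the address, so SNAT to it cannot work.
    """
    waf = {ip_address(a) for a in waf_addresses}
    return [str(r.translated_source) for r in rules if r.translated_source in waf]


def as_iptables(rule: SnatRule, out_if: str = "eth0") -> str:
    """Illustrative netfilter equivalent of the rule (assumption: not UTM's real output)."""
    return (f"iptables -t nat -A POSTROUTING -o {out_if} -s {rule.source} "
            f"-d {rule.destination} -j SNAT --to-source {rule.translated_source}")


# Hugo's first attempt: "Going to: External WAN address" only matches traffic
# addressed to 203.0.113.7 itself, so web traffic to the Internet never hits it.
WRONG_RULE = SnatRule(host("10.0.0.8"), EXTERNAL_WAN_ADDRESS, ip_address("203.0.113.8"))

# Bob's correction: "Going to: Internet", one rule per internal server.
RIGHT_RULES = [
    SnatRule(host("10.0.0.8"), INTERNET, ip_address("203.0.113.8")),
    SnatRule(host("10.0.0.9"), INTERNET, ip_address("203.0.113.9")),
    SnatRule(host("10.0.0.10"), INTERNET, ip_address("203.0.113.10")),
]

if __name__ == "__main__":
    dst = "198.51.100.20"  # constructed Internet host (TEST-NET-2)
    print("wrong rule ->", egress_source("10.0.0.8", dst, [WRONG_RULE]))  # stays 203.0.113.7
    print("right rules ->", egress_source("10.0.0.8", dst, RIGHT_RULES))  # 203.0.113.8
    print("WAF clashes:", check_not_waf_owned(RIGHT_RULES, ["203.0.113.8"]))
    for r in RIGHT_RULES:
        print(as_iptables(r))
```

Running the block shows the misconfigured rule leaving the packet on the interface address, the corrected rules selecting the per-server address, and the WAF-clash check flagging any translated source that is still bound to a virtual web server, which is the case Douglas warns about and the reason those addresses must first be freed (for instance by stacking WAF sites with SNI).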