
expose host to the Internet

Hi there,

I have a UTM 230 and would like to have one host directly out in the Internet. With my internet connection I also have 8 IP addresses assigned from the provider.

Now, how to make one host from the (already existing) DMZ network appear directly in the Internet.

(Well, it would be acceptable if the server didn't know its external IP address...)

Here's what I am currently doing:

For incoming traffic, I added a DNAT rule: "Change the destination IP address to my server's if packets arrive on its public IP address."

I also added a SNAT rule saying: replace the sending IP address with the server's public IP address if traffic comes from my server's internal IP address.

Do I also need to configure any multipath rules?

Or should I use masquerading instead of SNAT?

Which IP address should I use for firewall rules protecting this host?

Is there a way to make the UTM transparent so that the server also sees the public IP address? (nice to have)

Is this setup correct?

Did I miss anything?

Can/should I use full NAT instead of SNAT and DNAT?

Is this setup also good in terms of performance?

There's also some web server protection.

But it seems that this is only for web servers. If using other services, I cannot use this feature, I guess.

It seems quite some work for a simple job.

I still keep thinking that there might be a simple option to use/reserve a specific "additional IP address" for a specific host, but there is none, right?

Best regards

Tom



  • Hi Thomas,

    ...appear directly in the Internet. (Well, it would be acceptable if the server didn't know its external IP address...)

    as stated by Alexander, DNAT or Webserver-protection are the options

    For incoming traffic, I added a DNAT rule: "Change the destination IP address to my server's if packets arrive on its public IP address."

    That's OK. Isn't it working?

    I also added a SNAT rule saying: replace the sending IP address with the server's public IP address if traffic comes from my server's internal IP address.

    You don't need an additional SNAT rule for incoming traffic (or the answer packets).

    Do I also need to configure any multipath rules?

    Multipath is for Traffic initiated from internally. Otherwise, the inbound Interface is used for outbound traffic too.

    Or should I use masquerading instead of SNAT?

    Only necessary for outbound initiated traffic.

    Which IP address should I use for firewall rules protecting this host?

    Because DNAT is configured granularly, I use the "automatic firewall rules for NAT" here.

    (if you don't wish this ... do it, copy the content from "automatic Firewall rule" ... disable auto-FW-rule)

    Is there a way to make the UTM transparent so that the server also sees the public IP address? (nice to have)

    With DNAT the Source IP isn't altered

    Is this setup correct?

    Is something not working?

    Did I miss anything?

    possible ;-)

    Can/should I use full NAT instead of SNAT and DNAT?

    Use SNAT / Full NAT only if you wish to change the source IP (depends on environment).

    Is this setup also good in terms of performance?

    Theoretically DNAT is more performant than WAF ... and less secure.

    There's also some web server protection.

    Yes, and you should use it ... if possible

    But it seems that this is only for web servers. If using other services, I cannot use this feature, I guess.

    Correct

    It seems quite some work for a simple job.

    not really

    I still keep thinking that there might be a simple option to use/reserve a specific "additional IP address" for a specific host, but there is none, right?

    That's possible ... create an additional/alternate IP (best practice: use a 32-bit network definition y.x.z.w/32)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
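The stateful behaviour Dirk describes (a DNAT rule alone covers the reply packets, the DMZ server still sees the client's real source address, and SNAT or masquerading only matters for connections the server opens itself) can be checked with a small connection-tracking model. This is an added example written for this thread, not Sophos UTM code or configuration; the addresses are constructed from documentation ranges, and the `NatGateway` class and the scenario functions are hypothetical names chosen here.

```python
from dataclasses import dataclass, replace

# Constructed addresses from documentation ranges, not taken from the thread.
PUBLIC_IP = "203.0.113.10"   # one of the provider's additional addresses
SERVER_IP = "10.10.10.10"    # the host in the DMZ network
CLIENT_IP = "198.51.100.7"   # an Internet client connecting in
UPDATE_IP = "192.0.2.50"     # an Internet host the server connects out to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


class NatGateway:
    """Stateful NAT as a Linux-style firewall does it: a rule is consulted only
    for the first packet of a connection; that packet creates a conntrack entry
    for both directions, and every later packet (including the replies) is
    translated from the entry, not from the rule table."""

    def __init__(self):
        self.dnat = {}        # public destination IP -> internal destination IP
        self.snat = {}        # internal source IP -> public source IP
        self.conntrack = {}   # packet key -> translated packet

    def add_dnat(self, public_ip, internal_ip):
        self.dnat[public_ip] = internal_ip

    def add_snat(self, internal_ip, public_ip):
        self.snat[internal_ip] = public_ip

    def forward(self, pkt):
        # Existing connection (either direction): apply the recorded translation.
        if pkt.key() in self.conntrack:
            return self.conntrack[pkt.key()]
        # New connection: DNAT for traffic arriving on a public IP,
        # SNAT for traffic the internal host initiates, else unchanged.
        if pkt.dst in self.dnat:
            out = replace(pkt, dst=self.dnat[pkt.dst])
        elif pkt.src in self.snat:
            out = replace(pkt, src=self.snat[pkt.src])
        else:
            out = pkt
        # Record the forward translation and the matching reverse translation,
        # so the reply to `out` is rewritten back into a reply to `pkt`.
        self.conntrack[pkt.key()] = out
        reply_in = Packet(out.dst, out.dport, out.src, out.sport)
        reply_out = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.conntrack[reply_in.key()] = reply_out
        return out


def inbound_scenario():
    """Only the DNAT rule from the thread; returns (packet delivered to the
    server, reply packet delivered back to the client)."""
    gw = NatGateway()
    gw.add_dnat(PUBLIC_IP, SERVER_IP)
    syn = Packet(CLIENT_IP, 51000, PUBLIC_IP, 443)
    to_server = gw.forward(syn)
    reply = Packet(SERVER_IP, 443, CLIENT_IP, 51000)
    to_client = gw.forward(reply)
    return to_server, to_client


def outbound_scenario(with_snat):
    """A connection the DMZ server opens itself; returns the packet as it
    leaves towards the Internet, with or without an SNAT rule."""
    gw = NatGateway()
    gw.add_dnat(PUBLIC_IP, SERVER_IP)
    if with_snat:
        gw.add_snat(SERVER_IP, PUBLIC_IP)
    syn = Packet(SERVER_IP, 40000, UPDATE_IP, 80)
    return gw.forward(syn)


if __name__ == "__main__":
    to_server, to_client = inbound_scenario()
    print("server receives:", to_server)   # source is still the client's IP
    print("client receives:", to_client)   # source rewritten to PUBLIC_IP, no SNAT rule needed
    print("outbound without SNAT:", outbound_scenario(False))  # leaves with the private source
    print("outbound with SNAT:   ", outbound_scenario(True))   # leaves as PUBLIC_IP
```

The inbound run shows why the extra SNAT rule from the question is redundant: the conntrack entry created by the DNAT rule already turns the server's reply into a packet from the public IP. The outbound run shows the one case where SNAT (or masquerading, which would pick the interface's primary address instead of the dedicated one) is needed: a connection the server starts itself, which otherwise leaves with its private DMZ address as source.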
