Hi, Tony here (sorry the temporary maintenance seems to have created me a new user and not offering me a login!)
I am trying to add an additional IP range to my Sophos UTM. 9.413-4 (Virtual appliance)
I have 6 physical interfaces. 2 of them are external, the other 4 are for local subnets and a phone system.
As part of a comms migration 1 of the external interfaces is with our original provider, the other is patched directly to our new provider. We plan to move services to the new IP addresses by (changing the A record) and interface address in the UTM.
Our current providers external interface allows many different IP addresses to be used in the Webserver protection -> web application firewall.
Our new provider have provided a range of IP Addresses:
SUBNET - X.X.X.16/28 GATEWAY - X.X.X.17/28 USABLE - X.X.X.20 - X.X.X.30
I have setup the new interface with IP address X.X.X.20/28 and gateway of X.X.X.17
I have also added the additional IP's using: Interfaces->Additional Addresses for X.X.X.20 - X.X.X.30 using /32 for each address setting the interface to match the new one. ( I have also tried using /28 with no change to the outcome)
On changing (the A Record to X.X.X.20) and changing the Webserver Protection -> Web Application Firewall -> Virtual Webserver -> (Intranet) Interface to "NEWIP X.X.X.20" I can access the site externally (it is using the new IP address I specified in the interface).
If I change the Virtual Webserver ->interface to "NEWIP X.X.X.24" ( One of the ADDITIONAL IP Addresses ) I cannot ping or access the site?
It appears none of the additional IP Addresses are responding.
(IF I edit the new interface IP address to X.X.X.24 I can use that IP. Whatever single IP I specify in the interface works - It doesnt seen to detect and of the additional IP's)
The current provider IP range appears to be setup in the same way and works. I cannot see what rule or setting I have missed? why does traffic flow for the interface specified IP but not the additional IP Addresses?
Can anyone offer any help?
Hi Aaron,using the /32 mask is a best practice, i got from from sophos engineers too.
Does someone know if it actually make a difference if additional interfaces are defined with the same mask as the main interface (in my case /27) or with mask /32 ?
I tried both masks (27 and 32) and DNAT rules seem to work in both cases but is there a best practice for that?
I always recommend /32, Chris. I can't remember now what combination of configurations caused anything else to fail.
Cheers - Bob
I certainly don't mean to contradict Bob, because I know he's the resident expert around here. That being said, wouldn't matching the mask to be appropriate to the network the IP address "lives in" be most appropriate? That's how I've done it on a couple UTMs, but I could be wrong. I've tried to avoid using Aliases on the Sophos because in some places it limits the things you can do on them, or have to get creative with SNATs.
But, perhaps the mask is irrelevant on additional addresses. You say you have two NICs which are used for external IPs, can you swap an additional address and physical NIC for one of the problem IPs to rule out or confirm an ISP routing issue?
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.