Network Protection: Firewall, NAT, QoS, & IPS DNAT to load balancer VIP

UTM Firewall requires membership for participation - click to join

Thread Info

State Verified Answer
Locked Locked
Replies 4 replies
Subscribers 5 subscribers
Views 1914 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT to load balancer VIP

Harro Verton over 1 year ago

The same question was asked in Functional DNAT does not work when destination is server load balance object but never got a response.

So I gather that this is not possible, but are there any workarounds?

I my case it is a database connection, and I don't have a cluster for nothing.

In short:

external IP:3306 -> DNAT interal-IP:3306 works
external IP:3306 -> DNAT LB VIP:3306 doesn't work

This thread was automatically locked due to age.

Top Replies

PhilippRusch over 1 year ago in reply to Harro Verton +1 verified

Hello Harro, yes, with manual rules you could restrict access and source ips further.

Parents

0 Raphael Alganes over 1 year ago

Hello there,

Good day and thanks for reaching out to Sophos Community

Could you refer to this UTM doc guide: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/NetProtServerLoadBalancingRules.htm

In this guide example states: - Suppose that you have two HTTP/S servers in your DMZ with the IP addresses 192.168.66.10 and 192.168.66.20, respectively. Assumed further you want to distribute HTTP/S traffic arriving on the external interface of your gateway equally to both servers. To set up a load balancing rule, select or create a host definition for each server. You may call them http_server_1 and http_server_2. Then, in the Create New Load Balancing Rule dialog box, select HTTP as Service. In addition, select the external address of the gateway as Virtual server. Finally, put the host definitions into the Real servers box.

Kindly let us know how it goes. Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Raphael Alganes over 1 year ago

Hello there,

Good day and thanks for reaching out to Sophos Community

Could you refer to this UTM doc guide: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/NetProtServerLoadBalancingRules.htm

In this guide example states: - Suppose that you have two HTTP/S servers in your DMZ with the IP addresses 192.168.66.10 and 192.168.66.20, respectively. Assumed further you want to distribute HTTP/S traffic arriving on the external interface of your gateway equally to both servers. To set up a load balancing rule, select or create a host definition for each server. You may call them http_server_1 and http_server_2. Then, in the Create New Load Balancing Rule dialog box, select HTTP as Service. In addition, select the external address of the gateway as Virtual server. Finally, put the host definitions into the Real servers box.

Kindly let us know how it goes. Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Harro Verton over 1 year ago in reply to Raphael Alganes

Thanks for your response.

How do I secure that? I obviously don't want to explose my database cluster to the world.

Do not create the automatic firewall rule, but create a rule manually to allow only the source subnet access to port 3306?
Cancel
Vote Up 0 Vote Down

Cancel
+1 PhilippRusch over 1 year ago in reply to Harro Verton

Hello Harro,

yes, with manual rules you could restrict access and source ips further.

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Harro Verton over 1 year ago in reply to PhilippRusch

Sorry for the late response, I needed the client to be able to test it.

The configuration is a bit weird imho.

I needed to define an LB rule: public IP:3306 -> IP of the database nodes, but a firewall rule: client IP:3306 -> IP of the database nodes, instead of what I expected, client IP:3306 -> public IP.

But this works. Thanks for the reponses everyone.
Cancel
Vote Up 0 Vote Down

Cancel