I have always been a fan of Astaro since I first heard an ad for them on the Security Now podcast. So I was really excited to have the opportunity to finally get to use one! But now, 12 hrs in, the excitement has subsided considerably.
We have two 'net connections, a T1 from AT&T with a /9 of addresses. We use it only for public access to a web server. Then we also have a cable internet connection with only 1 IP, and it's used for all other internet access from the office.
What I'm having trouble with is replicating this behavior with our brand new UTM 110 running v8.
Here's how I have it set up:
eth0: Cable internet, External (TWC), default gateway
eth1: Internal
eth2: DMZ, hooked directly to a WAP, not really important for this discussion
eth3: T1, External (ATT), plus an "additional address" for the public IP of the web server.
There's a masquerade set up for Internal to TWC, and a firewall rule for Internal -> Any allowed.
Following the "port forwarding" tutorial on the Sophos site, I set up a DNAT:
Traffic Source: Any
Traffic Service: Any
Traffic Destination: External (Public WWW address)
NAT Mode: DNAT (destination)
Destination: Web server
Destination Service: left blank
I then created firewall rules to allow HTTP and HTTPS to the Web Server (not the public IP).
After that didn't work I tried adding something from another tutorial I found online (the "Astaro Security Gateway – SNAT, DNAT, 1-to-1 NAT and Full NAT – HowTo" post on The time I've wasted on technology...) and added an SNAT:
Traffic Source: Web Server
Traffic Service: Any
Traffic Destination: Internet IPv4
NAT Mode: SNAT (Source)
Source: External (Public WWW IP)
Source Service: left blank
So, am I doing something wrong? The problem is that even though I can see the NATs triggering in the fw log, the web server can't get traffic out, and traffic from the 'net doesn't make it in.
Would it just be easier to make the External (ATT) interface have the Public WWW Address instead of the one it does? I'm completely at a loss, and 12+ hrs of downtime trying to get this working doesn't look too great.
Thanks in advance for any help!
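A failure mode worth checking in a two-uplink layout like the one above is asymmetric routing: the public WWW address lives on the T1 interface, but the default gateway is the cable link, so unless a policy route ties the web server's traffic to the T1, both the replies to DNATed inbound connections and the SNATed outbound connections leave through the cable uplink carrying an AT&T source address. The model below is an added, simplified netfilter-style trace written for this post; it is not Astaro/Sophos code, the addresses and interface roles are constructed (documentation ranges), and it is an assumption, not a diagnosis, that this is what is happening on the poster's UTM.

```python
"""Simplified model of DNAT/SNAT plus routing on a two-uplink firewall.

Added example, not Astaro/Sophos code. Topology mirrors the post: eth0 is the
cable uplink and default gateway, eth1 the LAN, eth3 the T1 that carries the
public WWW address. All addresses are constructed (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CABLE_IF, LAN_IF, T1_IF = "eth0", "eth1", "eth3"
T1_NET = ipaddress.ip_network("198.51.100.0/29")        # AT&T block on eth3
T1_GW = ipaddress.ip_address("198.51.100.1")
PUBLIC_WWW = ipaddress.ip_address("198.51.100.3")      # "additional address" on eth3
CABLE_NET = ipaddress.ip_network("203.0.113.0/24")
CABLE_GW = ipaddress.ip_address("203.0.113.1")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = ipaddress.ip_address("192.168.1.20")
CLIENT = ipaddress.ip_address("192.0.2.55")            # some Internet host
T1_MARK = 0x1                                          # conntrack mark for T1 flows


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    in_if: str
    mark: int = 0


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str
    via: Optional[ipaddress.IPv4Address] = None


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Route:
    """Longest-prefix match within one routing table."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen)


# Main table: default route points at the cable uplink, as in the post.
MAIN = [Route(LAN_NET, LAN_IF), Route(T1_NET, T1_IF), Route(CABLE_NET, CABLE_IF),
        Route(ipaddress.ip_network("0.0.0.0/0"), CABLE_IF, CABLE_GW)]
# Per-uplink table for the T1; connected routes are copied in so marked packets
# can still reach the LAN.
T1_TABLE = [Route(LAN_NET, LAN_IF), Route(T1_NET, T1_IF),
            Route(ipaddress.ip_network("0.0.0.0/0"), T1_IF, T1_GW)]

# Policy rules, evaluated before the main table (equivalent of `ip rule`).
Rule = Tuple[Callable[[Packet], bool], List[Route]]
NO_POLICY: List[Rule] = []
T1_POLICY: List[Rule] = [
    (lambda p: p.mark == T1_MARK, T1_TABLE),    # ip rule fwmark 0x1 lookup t1
    (lambda p: p.src == WEB_SERVER, T1_TABLE),  # ip rule from 192.168.1.20 lookup t1
]


def route(pkt: Packet, rules: List[Rule]) -> Route:
    """Routing decision. This happens *before* POSTROUTING, so a reply's source
    is still the web server's private address at this point; that is why the
    rules key on a connection mark or the server's LAN IP, not on PUBLIC_WWW."""
    for match, table in rules:
        if match(pkt):
            return lookup(table, pkt.dst)
    return lookup(MAIN, pkt.dst)


def inbound_connection(rules: List[Rule]) -> Tuple[str, str]:
    """Client -> PUBLIC_WWW, DNATed to the web server.
    Returns (interface the reply leaves on, source address of the reply)."""
    conntrack = {}
    req = Packet(CLIENT, PUBLIC_WWW, T1_IF)
    if req.dst == PUBLIC_WWW:                               # PREROUTING DNAT
        req.mark = T1_MARK if req.in_if == T1_IF else 0     # CONNMARK --set-mark
        conntrack[(req.src, WEB_SERVER)] = {"orig_dst": PUBLIC_WWW, "mark": req.mark}
        req.dst = WEB_SERVER
    assert route(req, rules).out_if == LAN_IF               # forwarded to the LAN
    rep = Packet(WEB_SERVER, CLIENT, LAN_IF)                # web server answers
    entry = conntrack[(rep.dst, rep.src)]
    rep.mark = entry["mark"]                                # CONNMARK --restore-mark
    egress = route(rep, rules)
    rep.src = entry["orig_dst"]                             # POSTROUTING un-DNAT
    return egress.out_if, str(rep.src)


def outbound_connection(rules: List[Rule]) -> Tuple[str, str]:
    """Web server -> Internet with the post's SNAT to PUBLIC_WWW.
    Returns (egress interface, source address on the wire)."""
    pkt = Packet(WEB_SERVER, CLIENT, LAN_IF)
    egress = route(pkt, rules)
    pkt.src = PUBLIC_WWW                                    # POSTROUTING SNAT
    return egress.out_if, str(pkt.src)


if __name__ == "__main__":
    for name, rules in (("no policy routing", NO_POLICY), ("T1 policy routing", T1_POLICY)):
        print(name, "inbound reply:", inbound_connection(rules),
              "outbound:", outbound_connection(rules))
```

Without policy rules both traces end on eth0 with a 198.51.100.x source, which the cable provider has no reason to accept and whose return traffic arrives on the T1 anyway; with either rule in place they leave via eth3. The equivalent on the UTM would be whatever WebAdmin offers for per-uplink or multipath routing rather than these raw `ip rule` constructs.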