Thursday, February 13, 2020

Routing issues between Internal Network and DMZ

I have the following network:

  • Internet connected to Sophos Firewall on WAN interface
  • LAN interface with address 10.0.0.1/24 connected to DMZ Switch
  • On DMZ Switch I have a server, with address 10.0.0.111/24 gw 10.0.0.1
  • Additionally, on DMZ Switch I have the WAN interface of a second Unifi Firewall with address 10.0.0.2/24 gw 10.0.0.1
  • From the second Firewall LAN interface with address 10.0.1.1/24 I go to a switch
  • On this switch I have a host with address 10.0.1.222/24 gw 10.0.1.1

10.0.1.222 cannot talk to 10.0.0.111. After further investigation, I saw the response traffic from 10.0.0.111 trying to go out to the Internet on the WAN interface after being NATed, so I added a static route on the Sophos router that points traffic for 10.0.0.0/16 to gateway 10.0.0.2.

Now the traffic no longer goes out the WAN interface, but it is caught by rule 0 on the Sophos, which logs that the response from 10.0.0.111 to 10.0.1.222 was invalid because it was not part of an established connection.

It is obvious what is happening: traffic from the internal host leaving the internal firewall goes straight to the server, because the server is on the network the internal firewall's WAN interface is directly connected to. The return traffic, however, does not know how to reach the original source (the internal host), so it goes to its default gateway, the Sophos firewall. The Sophos firewall sees that returning traffic as spurious and discards it...

I used to have this configuration working with OpenBSD on both firewalls, but I cannot seem to make the Sophos work...

What is this issue called, so I can look for it on the Internet? How can I research a fix for my problem? I've tried adding rules on the Sophos firewall to no avail. I would rather not change the server's default gateway to the internal firewall, because most of its traffic is headed for the Internet...

So how can I make this work? It is almost as if I had to add a static route on the server pointing all 10.0.0.0/16 traffic to 10.0.0.2... But in reality the "Server" is many different devices, from servers running Linux to IoT devices that I cannot configure directly...
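The situation described above is asymmetric routing: the forward path (host, Unifi, server) never crosses the Sophos, so the Sophos has no connection entry when the reply arrives via the server's default gateway. The following script is an added example, not part of the original post; it models the posted topology as routing tables with longest-prefix matching and a simplified stateful check (a firewall drops any non-SYN packet for which it holds no state), then traces the forward SYN and the reply under three configurations: plain routing before the Sophos static route was added, the current state with that route, and the per-host fix the post considers (a route for 10.0.1.0/24 via 10.0.0.2 on the server). The Sophos WAN address and upstream router (203.0.113.0/24) are assumptions; the post does not give them.

```python
"""Trace forward and reply packets through the two-firewall topology from the post.

Modelling assumptions (not from the original post): a stateful firewall drops any
non-SYN packet for which it holds no connection entry, and the Sophos WAN side
uses the documentation range 203.0.113.0/24 with a hypothetical upstream router.
"""
import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.ip_address
NET = ipaddress.ip_network


@dataclass
class Device:
    name: str
    interfaces: list                              # IPv4Interface objects
    routes: list = field(default_factory=list)    # (IPv4Network, gateway IPv4Address)
    stateful: bool = False
    flows: set = field(default_factory=set)       # (src, dst) pairs seen as SYN

    def owns(self, ip):
        return any(i.ip == ip for i in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns the gateway address, or None when dst is on a connected network."""
        best = None
        for net, gw in [(i.network, None) for i in self.interfaces] + self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1]


def find_owner(devices, ip):
    for d in devices.values():
        if d.owns(ip):
            return d
    raise LookupError(f"no device owns {ip}")


def trace(devices, src_name, src, dst, syn):
    """Forward one packet hop by hop; returns (list of device names, verdict)."""
    src, dst = IP(str(src)), IP(str(dst))
    dev, path = devices[src_name], [src_name]
    for _ in range(8):                            # hop limit guards against loops
        if dev.owns(dst):
            return path, "delivered"
        if dev.stateful and dev.name != src_name:
            if syn:                               # new connection: create state
                dev.flows.add((src, dst))
            elif (dst, src) not in dev.flows and (src, dst) not in dev.flows:
                return path, f"dropped by {dev.name}: no connection state"
        try:
            gw = dev.next_hop(dst)
            dev = find_owner(devices, dst if gw is None else gw)
        except LookupError as err:
            return path, str(err)
        path.append(dev.name)
    return path, "hop limit exceeded"


def build(sophos_static_route, server_route, sophos_stateful=True):
    """Topology from the post; the two flags add the routes discussed there."""
    iface = ipaddress.ip_interface
    devs = {
        "internet": Device("internet", [iface("203.0.113.254/24")]),  # hypothetical upstream
        "sophos": Device("sophos", [iface("203.0.113.1/24"), iface("10.0.0.1/24")],
                         [(NET("0.0.0.0/0"), IP("203.0.113.254"))], stateful=sophos_stateful),
        "unifi": Device("unifi", [iface("10.0.0.2/24"), iface("10.0.1.1/24")],
                        [(NET("0.0.0.0/0"), IP("10.0.0.1"))], stateful=True),
        "server": Device("server", [iface("10.0.0.111/24")],
                         [(NET("0.0.0.0/0"), IP("10.0.0.1"))]),
        "host": Device("host", [iface("10.0.1.222/24")],
                       [(NET("0.0.0.0/0"), IP("10.0.1.1"))]),
    }
    if sophos_static_route:      # the 10.0.0.0/16 via 10.0.0.2 route added on the Sophos
        devs["sophos"].routes.append((NET("10.0.0.0/16"), IP("10.0.0.2")))
    if server_route:             # the per-host route the post considers adding
        devs["server"].routes.append((NET("10.0.1.0/24"), IP("10.0.0.2")))
    return devs


def session(devices, client="host", server="server"):
    """Trace a SYN from client to server and the server's reply on the same state."""
    c, s = devices[client].interfaces[0].ip, devices[server].interfaces[0].ip
    fwd = trace(devices, client, c, s, syn=True)
    rep = trace(devices, server, s, c, syn=False)
    return fwd, rep


if __name__ == "__main__":
    cases = [("before the Sophos static route (state check off to show routing)",
              dict(sophos_static_route=False, server_route=False, sophos_stateful=False)),
             ("with 10.0.0.0/16 via 10.0.0.2 on the Sophos",
              dict(sophos_static_route=True, server_route=False)),
             ("plus 10.0.1.0/24 via 10.0.0.2 on the server",
              dict(sophos_static_route=True, server_route=True))]
    for label, kw in cases:
        fwd, rep = session(build(**kw))
        print(f"{label}:\n  forward {fwd}\n  reply   {rep}")
```

Only the third case yields a reply path that is the exact reverse of the forward path; in the first two the reply reaches a device that never saw the SYN. The same symmetry can be restored without touching each device on the DMZ switch by source-NATing the internal network behind the Unifi's WAN address 10.0.0.2, since replies to 10.0.0.2 stay on the server's connected network and never consult its default gateway; the model above does not implement that NAT.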

Any help is greatly appreciated,


