Firebox-Static Routes

Hey All, I am setting up a new Firebox from scratch and I am having an issue with the routing on the Firebox. I have 1 External interface, AKA XXX.XXX.XXX.150/30, an Internal interface of XXX.XXX.XXX.10/23, and a third private interface that I have put on Optional type with IP of XXX.XXX.XXX.140/25. I then have some websites that need to go direct to the Optional interface from the Trusted interface. The route I have is XXX.XXX.XXX.155 (site IP address), XXX.XXX.XXX.130 (gateway for IP), metric of 1. I then added a rule allowing 443 from Trusted to the Optional interface, but for some reason when I tracert the route it is going to my External interface? Which the site then does not allow, as it needs to be coming from the Optional interface.

Comments

  • edited March 2020
    The firewall knows how to route between firewall interfaces.
    Please remove these added routes.

    To access an internal server using its public IP addr you need to use NAT Loopback

    FYI, you don’t need to xxx out private IP addrs - there is no security risk in posting them.
    Without seeing the private addrs that you are using we can’t tell if there is an overlap or not between trusted and optional.
  • @Bruce_Briggs This is my first time configuring this and I just looked over the settings and realized that the External and Optional interfaces are both public outside IP addresses. I need to route all the traffic from my Trusted to the External interface unless it is trying to go to my Optional interface, and in that case I need it to be allowed only through the Optional interface.

    For some reason when I add those routes and rules it is still going through the External interface when I need it to go through the Optional interface.

  • XXX.XXX.XXX.150/30 is part of XXX.XXX.XXX.140/25
    XXX.XXX.XXX.140/25 - valid IP addrs are .129 through .254
    This setup will not work. You need to change things here.
    Options:
    1) assign the /25 to external, assign a private subnet to Optional, and use NAT to allow external access to internal servers which will end up with private IP addrs
    2) split the /25 subnet into 2 @ /26 parts and assign internal servers with IP addr from 1 of the /26 parts and assign external from the other /26 part

  • How many IP addrs do you need on your optional connected devices?

  • @Bruce_Briggs Got it working, thanks for your help.

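The overlap Bruce points out above (a .150/30 External that falls inside the .140/25 Optional range) is easy to check before committing a config. The script below is an added example, not code from the thread or from WatchGuard; it uses constructed TEST-NET-3 addresses in place of the xxx'd-out ones, flags any interface subnets that overlap, and works out the /26 split from option 2.

```python
# Added example (not from the thread): check Firebox interface subnets for
# overlap and show the /26 split proposed in the thread. All addresses are
# constructed placeholders (203.0.113.0/24 is TEST-NET-3, 10.0.0.0/23 is RFC 1918).
import ipaddress
from itertools import combinations


def find_overlaps(interfaces):
    """Return (name_a, name_b) pairs whose connected subnets overlap.

    A firewall routes between its own interfaces by connected subnet, so two
    interfaces sharing address space cannot be routed correctly; static routes
    do not fix that."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def split_for_external(optional_cidr, external_cidr):
    """Option 2 from the thread: split the /25 into two /26 halves and report
    which half the external /30 already sits in, so Optional takes the other."""
    opt = ipaddress.ip_interface(optional_cidr).network
    ext = ipaddress.ip_interface(external_cidr).network
    halves = list(opt.subnets(prefixlen_diff=1))       # two /26 networks
    ext_half = next(h for h in halves if ext.subnet_of(h))
    opt_half = next(h for h in halves if h != ext_half)
    return {"external_half": str(ext_half), "optional_half": str(opt_half)}


# Constructed sample mirroring the thread: External .150/30 inside Optional .140/25.
SAMPLE = {
    "External": "203.0.113.150/30",
    "Trusted": "10.0.0.10/23",
    "Optional": "203.0.113.140/25",
}

if __name__ == "__main__":
    print(find_overlaps(SAMPLE))   # [('External', 'Optional')]
    print(split_for_external(SAMPLE["Optional"], SAMPLE["External"]))
```

After re-addressing Optional into the other /26, running find_overlaps again should return an empty list.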