Description:

Unified Firewalls always use the IP address of the first active interface (usually eth0) as the source address when one of their internal services (e.g. syslog) communicates with a device reached via an IKEv2 connection. If the IP address of this first active interface is not covered by the VPN rules (the Internet connection is often set up on eth0, so its address is usually a WAN address outside the networks negotiated for the tunnel), the packets do not match the VPN connection and cannot be sent through it, so communication fails.

To enable communication with the remote device, the Unified Firewall must mask (source-NAT) the packets destined for the remote device behind an IP address that is included in the VPN rules.

This article describes how to set up this masking for the remote device and thus re-enable communication.


Requirements:

  • LANCOM R&S®Unified Firewall as of LCOS FX 10.12
  • A configured and functional Internet connection on each Unified Firewall
  • Functional IKEv2 connection
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox

Scenario:

Two Unified Firewalls are interconnected via an IKEv2 connection:

  • The local network at the headquarters has the IP address range 192.168.100.0/24.
  • The local network at the branch office has the IP address range 192.168.200.0/24; the Unified Firewall at the branch office has the local IP address 192.168.200.254 in this network.
  • At the Headquarters, there is a syslog server with the IP address 192.168.100.100.
  • The Unified Firewall at the branch office should send its syslog data to the syslog server at the headquarters.
  • To enable communication between the Unified Firewall at the branch office and the syslog server, the packets sent to the syslog server must be masked behind the local IP address of the Unified Firewall at the branch office (192.168.200.254), which lies within the networks covered by the VPN rules.


Diagram displaying a Unified Firewall configuration with headquarters VPN connection, local IP addresses, internet connection, and syslog server settings.


Procedure:

1) In the menu bar for the desktop objects, click on the icon to create a new network.

Screenshot of the menu bar for the desktop objects with the icon for creating a new network.

2) Modify the following parameters and then click Create:

  • Name : Enter a descriptive name for the network object (in this example Unified-Firewall).
  • Interface : From the drop-down menu, select the option any. This is necessary because the first active interface, and therefore the interface the firewall sends from, can differ from one device to another.
  • Network IP : Enter the address 0.0.0.0/0. This is necessary because the IP address of the first active interface may be assigned dynamically (DHCP or PPPoE) and is therefore not known in advance.

Screenshot of the network object dialog showing the name, interface and network IP settings and the exemptions from IDS/IPS and antivirus scanning.

3) In the menu bar for the desktop objects, click on the icon to create a new host.

Screenshot of the menu bar for the desktop objects with the icon for creating a new host.

4) Modify the following parameters and then click Create:

  • Name : Enter a descriptive name for the host object (in this example Syslog-Server).
  • Interface : From the drop-down menu, select the option any. This is necessary because the interface to which the local network (for which the VPN rules also exist) is assigned can differ between scenarios.
  • Network IP : Enter the IP address of the device that the Unified Firewall should communicate with via the VPN tunnel (in this example 192.168.100.100).

Screenshot of the host object dialog for the Syslog-Server showing the name, interface and IP settings and the exemptions from IDS/IPS and antivirus scanning.

5) Change to the menu Desktop → Services → User-defined Services and click on the “+” icon to create a user-defined service.

Screenshot of a technical configuration menu displaying various network and desktop settings, including Desktop Connections, User-defined Services, and Monitoring Statistics.

6) Assign a descriptive name for the service (in this example Syslog) and click on the “+” icon to assign ports and protocols to the service.

Screenshot of a Syslog user-defined service configuration menu displaying options for ports and protocols, with a message indicating that changes will be preserved until the user cancels the dialog or logs out.

7) Use Port From and To to set the port or range of ports, and use Protocols to set the protocol. Then click OK.

For this example we are using UDP port 514 (syslog). You can assign multiple ports and various protocols to a service. Note that plain UDP syslog is neither authenticated nor encrypted, so delivering it through the IPsec tunnel is what protects the log data in transit between the two sites.

An image displaying a configuration menu for editing user-defined services, including options to set service port from and to, with protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

8) Click on Create.

Screenshot of a syslog configuration dialog box displaying options for name, ports, and protocols with a message that changes will be preserved unless cancelled or logged out.

9) On the desktop, click the network object created in step 2, select the “connection tool”, and click the host object created in step 4.

Image displaying a portion of a technical user interface with configuration options possibly related to a Syslog Server setup.

10) Use the “+” icon to add the user-defined service created in steps 5 to 8.

Screenshot of the connection dialog between the Unified-Firewall network object and the Syslog-Server host object, showing the service list and the rule options (NAT, URL Content Filter, Application Filter, Application-Based Routing, Traffic Shaping).

11) Under the Options for the service, click None to access the advanced settings.

Screenshot of a Unified Firewall Syslog Server interface displaying settings for Network Type, Host, Rules, NAT, URL Content Filter, Application Filter, Application Based Routing, Traffic Shaping, and other configuration options.

12) Modify the following parameters and then click OK:

  • For NAT, select the option Use Service Specific Settings.
  • Set NAT / Masquerading to the option left-to-right, i.e. from the network object (the Unified Firewall itself) to the host object (the syslog server).
  • In the NAT Source IP field, enter the IP address of the Unified Firewall in the local network (in this example 192.168.200.254). This IP address must lie within the local network covered by the VPN rules (here 192.168.200.0/24); an address outside the VPN rules would not match the tunnel either. The Unified Firewall then uses this IP address as the source address for communication with the device connected via VPN.

Screenshot of a network configuration interface showing options for Syslog, Ports, Protocols, Traffic Shaping, Proxy, NAT settings, and advanced features like DMZ Port Forwarding.

13) Click on Create.

Screenshot of a Unified Firewall Syslog Server interface displaying various network configuration settings including Network Type, Host, IPS, NAT, URL Content Filter, and Traffic Shaping options.

14) Finally, implement the changes by clicking Activate.

Screenshot of the Activate button in the Unified Firewall interface.
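The following Python model shows the mechanism behind the scenario and step 12: a syslog packet the branch firewall generates itself carries the eth0 address, which lies outside the tunnel's VPN rules, and only after the service-specific source NAT does it fall inside them. This is an added example for this article and not LANCOM code; the eth0 WAN address 203.0.113.10 and the single traffic selector are assumptions chosen to match the scenario, while the networks, the NAT Source IP 192.168.200.254, the syslog server 192.168.100.100 and UDP 514 are taken from the article. It also checks the precondition from step 12 (the NAT Source IP must lie inside the VPN rules) and shows that the rule is service-specific, so TCP traffic to the same host is left untouched.

```python
"""Model of why the branch firewall's own syslog traffic misses the IKEv2 tunnel
and how the service-specific source NAT from step 12 fixes it.

Added example for this article, not LANCOM code. The eth0 WAN address
203.0.113.10 and the single traffic selector are assumptions; the networks,
192.168.200.254, 192.168.100.100 and UDP 514 come from the article.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2 'VPN rule': a local/remote network pair negotiated for the tunnel."""
    local: IPv4Network
    remote: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.local and pkt.dst in self.remote


@dataclass(frozen=True)
class SnatRule:
    """Step 12: left-to-right NAT on the Unified-Firewall -> Syslog-Server rule."""
    src_net: IPv4Network        # step 2 network object: 0.0.0.0/0 on interface 'any'
    dst_host: IPv4Address       # step 4 host object: the syslog server
    proto: str                  # steps 5-8 user-defined service
    dport: int
    nat_source_ip: IPv4Address  # step 12 NAT Source IP

    def applies_to(self, pkt: Packet) -> bool:
        return (pkt.src in self.src_net and pkt.dst == self.dst_host
                and pkt.proto == self.proto and pkt.dport == self.dport)

    def apply(self, pkt: Packet) -> Packet:
        """Rewrite the source address only for traffic the rule matches."""
        return replace(pkt, src=self.nat_source_ip) if self.applies_to(pkt) else pkt


# Scenario from the article: branch 192.168.200.0/24 <-> headquarters 192.168.100.0/24
VPN_RULES = [TrafficSelector(IPv4Network("192.168.200.0/24"), IPv4Network("192.168.100.0/24"))]
SYSLOG_SERVER = IPv4Address("192.168.100.100")
BRANCH_LAN_IP = IPv4Address("192.168.200.254")
WAN_IP = IPv4Address("203.0.113.10")  # assumed: address of eth0, the first active interface

SNAT = SnatRule(IPv4Network("0.0.0.0/0"), SYSLOG_SERVER, "udp", 514, BRANCH_LAN_IP)


def syslog_packet_from_firewall() -> Packet:
    """Locally generated syslog message: the firewall stamps it with eth0's address."""
    return Packet(WAN_IP, SYSLOG_SERVER, "udp", 514)


def enters_tunnel(pkt: Packet, rule: Optional[SnatRule] = None) -> bool:
    """The (possibly masked) source address is what is checked against the VPN rules."""
    if rule is not None:
        pkt = rule.apply(pkt)
    return any(ts.matches(pkt) for ts in VPN_RULES)


def nat_source_is_in_vpn_rules(rule: SnatRule) -> bool:
    """Precondition from step 12: the NAT Source IP must lie inside a local network
    of the VPN rules, otherwise the masked packets miss the tunnel as well."""
    return any(rule.nat_source_ip in ts.local for ts in VPN_RULES)


def misconfigured_snat() -> SnatRule:
    """Same rule but masking behind the WAN address: violates the precondition."""
    return replace(SNAT, nat_source_ip=WAN_IP)


if __name__ == "__main__":
    pkt = syslog_packet_from_firewall()
    print("without NAT, enters tunnel:", enters_tunnel(pkt))              # False
    print("with step-12 NAT, enters tunnel:", enters_tunnel(pkt, SNAT))   # True
    print("NAT source inside VPN rules:", nat_source_is_in_vpn_rules(SNAT))                 # True
    print("WAN address as NAT source:", nat_source_is_in_vpn_rules(misconfigured_snat()))   # False
    # The NAT is service-specific: TCP to the same host is not rewritten.
    print("TCP 514 rewritten:", SNAT.apply(Packet(WAN_IP, SYSLOG_SERVER, "tcp", 514)).src != WAN_IP)  # False
```

Run it as a script to see the four checks; the model deliberately contains no IPsec or NAT engine, it only reproduces the selector matching that decides whether a packet is carried by the tunnel.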