Configuring a Routing Firewall
A routing firewall operates at Layer 3, forwarding traffic between networks. This guide documents the configuration of a routing firewall with separate management and WAN interfaces using Ubuntu 24.04.
The critical challenge is configuring the firewall remotely without losing access. Changes must be staged carefully, with a reboot after each step. Rebooting ensures changes are truly applied—netplan configurations can remain active in memory even after the files are deleted.
Prerequisites
Hardware:
- Multi-port network appliance (this guide uses Sophos XG 210 Rev. 3)
- Minimum 2 Ethernet ports: 1 management, 1 WAN
- Console access recommended for recovery
Software:
- Ubuntu 24.04 Server (minimal installation)
- systemd-networkd for network configuration
Network:
- Management network with DHCP and gateway
- Static public IP allocation from ISP
Network Topology
                                     ┌─────────────────┐
┌────────────┐                       │    Firewall     │
│    ISP     │                       │                 │
│   Router   │───────────────────────│ enp3s0 (WAN)    │
│            │   203.0.113.0/29      │ 203.0.113.1     │
└────────────┘                       │                 │
                                     │                 │
┌────────────┐                       │                 │
│ Management │                       │ enp2s0 (mgmt)   │
│   Switch   │───────────────────────│ DHCP            │
│192.0.2.0/24│                       │                 │
└────────────┘                       └─────────────────┘
Port assignments:
| Interface | Role | Description |
|---|---|---|
| enp2s0 | Management | DHCP on management network (192.0.2.0/24) |
| enp3s0 | WAN | Static public IP from ISP |
Step 1: Migrate from Netplan to systemd-networkd
Ubuntu 24.04 uses netplan by default. Migrate to systemd-networkd for direct control over network configuration.
Create the management interface configuration on your workstation. Include the static route for the management network range immediately, before anything else changes: it keeps SSH replies flowing over the management interface even if a later step goes wrong.
20-enp2s0-management.network:
[Match]
Name=enp2s0
[Network]
DHCP=yes
[Route]
Destination=192.168.0.0/16
Gateway=192.0.2.1
Upload and enable systemd-networkd:
cat 20-enp2s0-management.network | ssh sysadmin@192.0.2.10 \
"sudo tee /etc/systemd/network/20-enp2s0-management.network"
ssh sysadmin@192.0.2.10 "sudo systemctl enable systemd-networkd"
ssh sysadmin@192.0.2.10 "sudo systemctl start systemd-networkd"
Verify the management interface has an IP address:
ssh sysadmin@192.0.2.10 "ip addr show enp2s0"
Remove netplan:
ssh sysadmin@192.0.2.10 "sudo rm /etc/netplan/*.yaml"
ssh sysadmin@192.0.2.10 "sudo apt remove --purge netplan.io -y"
Reboot to ensure netplan is fully removed (it can remain active in memory):
ssh sysadmin@192.0.2.10 "sudo reboot"
Wait for the system to come back up, then verify SSH access still works.
Step 2: Configure WAN Interface
Create the WAN interface configuration on your workstation.
30-enp3s0-wan.network:
[Match]
Name=enp3s0
[Network]
Address=203.0.113.1/29
Gateway=203.0.113.6
DNS=9.9.9.9
DNS=149.112.112.112
Upload and reboot:
cat 30-enp3s0-wan.network | ssh sysadmin@192.0.2.10 \
"sudo tee /etc/systemd/network/30-enp3s0-wan.network"
ssh sysadmin@192.0.2.10 "sudo reboot"
Wait for the system to come back up, then verify SSH access still works.
At this point, traffic still exits via the management interface because DHCP provides the default gateway. The WAN interface is configured but not yet used for outbound traffic.
Step 3: Verify WAN Interface
Confirm the WAN interface is up and has the correct IP address:
ssh sysadmin@192.0.2.10 "networkctl status enp3s0"
Expected output shows the interface as “routable” with the configured address:
● 3: enp3s0
                     Link File: /usr/lib/systemd/network/99-default.link
                  Network File: /etc/systemd/network/30-enp3s0-wan.network
                          Type: ether
                         State: routable (configured)
                          Path: pci-0000:03:00.0
                        Driver: igb
                        Vendor: Intel Corporation
                         Model: I210 Gigabit Network Connection
                    HW Address: 02:00:00:00:00:02
                           MTU: 1500 (min: 68, max: 9216)
                       Address: 203.0.113.1
                                fe80::1/64
                       Gateway: 203.0.113.6
Verify the WAN gateway is reachable:
ssh sysadmin@192.0.2.10 "ping -c 3 203.0.113.6"
Step 4: Disable DHCP Gateway on Management Interface
Now that the WAN interface is verified, update the management interface so that it ignores the DHCP-provided gateway, routes, and DNS servers. This switches the default route to the WAN gateway.
The static route for 192.168.0.0/16 was already added in Step 1, so SSH access will continue to work after this change.
20-enp2s0-management.network (updated):
[Match]
Name=enp2s0
[DHCPv4]
UseGateway=no
UseRoutes=no
UseDNS=no
[Network]
DHCP=yes
[Route]
Destination=192.168.0.0/16
Gateway=192.0.2.1
Upload and reboot:
cat 20-enp2s0-management.network | ssh sysadmin@192.0.2.10 \
"sudo tee /etc/systemd/network/20-enp2s0-management.network"
ssh sysadmin@192.0.2.10 "sudo reboot"
Wait for the system to come back up, then verify SSH access still works.
Step 5: Verify WAN Routing
Verify the routing table shows the WAN gateway as the default route:
ssh sysadmin@192.0.2.10 "ip route show"
Expected output:
default via 203.0.113.6 dev enp3s0 proto static
192.168.0.0/16 via 192.0.2.1 dev enp2s0 proto static onlink
192.0.2.0/24 dev enp2s0 proto kernel scope link src 192.0.2.10
203.0.113.0/29 dev enp3s0 proto kernel scope link src 203.0.113.1
Confirm outbound traffic uses the WAN interface by checking the public IP:
ssh sysadmin@192.0.2.10 "curl -s https://checkip.amazonaws.com"
The output should show the WAN IP address (203.0.113.1), not the management network’s public IP. If it shows the management network’s IP, the DHCP gateway was not disabled correctly—see Troubleshooting.
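As an added check that is not part of the original guide, the following Python script parses the management interface's .network file together with `ip route show` output and reports anything that would break the split described in Steps 4 and 5: a DHCP default route left enabled on the management interface, more than one default route, or a missing route back to the admin network. The embedded inputs are constructed from this guide's configuration; point the functions at the real file and command output before the Step 4 reboot.

```python
from collections import defaultdict

# Constructed inputs: the guide's Step 4 management config and Step 5 routing table.
MGMT_NETWORK = """[Match]
Name=enp2s0
[DHCPv4]
UseGateway=no
UseRoutes=no
UseDNS=no
[Network]
DHCP=yes
[Route]
Destination=192.168.0.0/16
Gateway=192.0.2.1
"""
ROUTES = """default via 203.0.113.6 dev enp3s0 proto static
192.168.0.0/16 via 192.0.2.1 dev enp2s0 proto static onlink
192.0.2.0/24 dev enp2s0 proto kernel scope link src 192.0.2.10
203.0.113.0/29 dev enp3s0 proto kernel scope link src 203.0.113.1
"""

def parse_network_file(text):
    """Return {section: {key: [values]}}; networkd allows repeated keys such as DNS=."""
    cfg, section = defaultdict(lambda: defaultdict(list)), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section and not line.startswith(("#", ";")):
            key, _, value = line.partition("=")
            cfg[section][key.strip()].append(value.strip())
    return cfg

def parse_routes(text):
    """Return [(dst, via, dev)] from `ip route show`; via is None for link-scope routes."""
    def field(fields, k):  # value following keyword k, or None when absent
        return fields[fields.index(k) + 1] if k in fields else None
    rows = (raw.split() for raw in text.splitlines() if raw.strip())
    return [(f[0], field(f, "via"), field(f, "dev")) for f in rows]

def check_split_routing(network_text, route_text, wan_dev, wan_gw, admin_net, mgmt_gw):
    """Return a list of problems; an empty list means it is safe to reboot remotely."""
    problems, cfg, routes = [], parse_network_file(network_text), parse_routes(route_text)
    for opt in ("UseGateway", "UseRoutes"):  # networkd default is yes; last value wins
        if cfg["DHCPv4"].get(opt, ["yes"])[-1].lower() != "no":
            problems.append(f"[DHCPv4] {opt}=no missing; DHCP would install a default route on mgmt")
    defaults = [(via, dev) for dst, via, dev in routes if dst == "default"]
    if defaults != [(wan_gw, wan_dev)]:
        problems.append(f"default route(s) {defaults} should be exactly [({wan_gw}, {wan_dev})]")
    if (admin_net, mgmt_gw) not in {(dst, via) for dst, via, _ in routes}:
        problems.append(f"no route to {admin_net} via {mgmt_gw}; SSH replies would leave via WAN")
    return problems
```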
Configuration Summary
Management interface (20-enp2s0-management.network) evolves in two stages:
| Stage | Settings | Purpose |
|---|---|---|
| Step 1 | DHCP=yes, Route for 192.168.0.0/16 | Safe migration, keep access |
| Step 4 | Add UseGateway=no, UseRoutes=no, UseDNS=no | Switch default to WAN |
Final management interface settings:
| Setting | Value | Purpose |
|---|---|---|
| DHCP | yes | Obtain IP from management network |
| UseGateway | no | Don’t use DHCP gateway |
| UseRoutes | no | Don’t use DHCP routes |
| UseDNS | no | Don’t use DHCP DNS |
| Route | 192.168.0.0/16 | Management access via mgmt gateway |
WAN interface (30-enp3s0-wan.network):
| Setting | Value | Purpose |
|---|---|---|
| Address | 203.0.113.1/29 | Static public IP |
| Gateway | 203.0.113.6 | Default route (ISP router) |
| DNS | 9.9.9.9 | Primary DNS (Quad9) |
| DNS | 149.112.112.112 | Secondary DNS (Quad9) |
Troubleshooting
Changes not taking effect
Symptom: Configuration changes appear correct but network behavior hasn’t changed.
Cause: Netplan or previous configurations remain active in memory even after files are deleted or modified.
Solution: Reboot after each configuration change. A simple systemctl restart systemd-networkd is not always sufficient; the kernel may retain old routing table entries or interface configurations.
ssh sysadmin@192.0.2.10 "sudo reboot"
Lost SSH access after reboot
Symptom: Cannot SSH to firewall after reboot.
Cause: The static route for the management network range is missing or incorrect. Without this route, return traffic to your workstation goes out the WAN interface instead of the management interface.
Solution: Access via console and verify the management interface configuration includes the correct route:
cat /etc/systemd/network/20-enp2s0-management.network
ip route show
Ensure the route for your management network (e.g., 192.168.0.0/16) points to the management gateway.
WAN not used for outbound traffic
Symptom: curl https://checkip.amazonaws.com shows the management network’s public IP, not the WAN IP.
Cause: DHCP is still providing the default gateway on the management interface.
Solution: Verify the management interface configuration disables DHCP gateway:
cat /etc/systemd/network/20-enp2s0-management.network
Ensure these lines are present:
[DHCPv4]
UseGateway=no
UseRoutes=no
Restart systemd-networkd and verify the routing table:
sudo systemctl restart systemd-networkd
ip route show
The default route should point to the WAN gateway, not the management gateway.
WAN interface shows as “degraded”
Symptom: networkctl status enp3s0 shows state as “degraded” instead of “routable”.
Cause: The interface is up but the gateway is unreachable, or the cable is disconnected.
Solution: Check physical connectivity and verify the gateway is reachable:
ip link show enp3s0
ping -c 3 203.0.113.6
If the gateway is unreachable, verify the IP address and subnet are correct for your ISP allocation.