Sophos UTM Webfilter

Hello,

I currently have a configuration in which all my Internet traffic is routed through a VPN router in the DMZ. I have the following configuration:

Interfaces

LAN (Internal Network): 192.168.0.0/24

DMZ (VPN Service): 10.0.0.0/8

WAN: 84.x.x.x

Static Routing - Policy Route

Gateway Route: Internal / Internal (Network) -> Any -> Internet IPv4, GW: VPN Router DMZ

Network Protection - Firewall - Rules

DMZ (VPN Network) -> DNS, FTP, HTTPS, NTP, SSH -> Internet IPv4

NAT - Masquerading:

Internal (Network) -> External (WAN)

Internal (Network) -> DMZ VPN

DMZ VPN -> External (WAN)

Web Protection - Filtering Options - Misc - Transparent Mode Skiplist

Skip Transparent Mode Source Hosts / Nets: Internal (Network)

Marked - Allow HTTP/S traffic for listed hosts/nets

With this configuration all traffic from the internal LAN is routed through the VPN service; this works.

When I deactivate the policy route, all Internet traffic is routed over the normal WAN connection, not over the VPN service.

When I disable the Internal Network under Misc - Skip Transparent Mode Source Hosts / Nets, I can connect to the Internet, but via my normal WAN connection, not via the VPN service.

What am I doing wrong? Which setting do I have to adapt so that traffic goes over the VPN service without skipping the Internal Network in the Web Protection settings? What am I missing?

Thanks

  • Try checking the box for "Full Transparent Proxy" on the Filter Profile.

    By default, UTM replaces the source IP with its own exit address. By the time the exit address is chosen, your route statement does not apply. In Full Transparent mode, the source IP is left unchanged, which will hopefully allow your intended behavior.

    If you intend to put web traffic through another web filter at the other end of the VPN tunnel, configuring a parent proxy might be preferable. If you don't intend to do another layer of web filtering, then there is really no benefit from routing the outbound traffic through the VPN tunnel.

  • Hi Douglas,

    Thanks for the reply. I can only choose Standard / Transparent Mode. The field Full Transparent Mode is greyed out, so I cannot mark it. I don't know why it is greyed out.

    Thx

    Sally

  • The NICs must be bridged if you want to use Full Transparent. I admit that I'm having trouble following your description - a simple diagram would be helpful.

    I wouldn't use 10.0.0.0/8 as that's likely to bring you into conflict with an ISP or other large organization. I wouldn't use subnets in 192.168.0.0/24 as that's likely to cause conflicts if you want to VPN into your UTM from a public hotspot or a friend's home. Better to use subnets in 172.16.0.0/12.

    You could bridge the two NICs and assign a subnet of 172.16.0.0/23 with a default gateway of the IP of the VPN router. Assign fixed IPs in 172.16.0.0/24 to the devices in the DMZ and use DHCP to assign dynamic IPs in 172.16.1.0/24 to the devices in the LAN. A single firewall rule like '{172.16.1.0/24} -> Any -> Any : Allow' lets your LAN communicate with the DMZ and the world, but devices in the DMZ are blocked by default from the LAN unless you make a firewall rule allowing some access. No masquerading rule should be used in the UTM for traffic that doesn't leave through the WAN interface. You will need a Static Route for the traffic you want to pass through the VPN router, but I'm not sure exactly what traffic that is.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • When you disable the skip transparent source for Internal, the proxy will intercept all web traffic if you have configured transparent web filtering, hence the web filter itself is the one handling the traffic and sending it to the default gateway.

    If I understand correctly, you want to use web filtering on your web requests and still route them over the VPN connection in the DMZ?

    If you want ALL traffic to go out over the VPN connection in the DMZ and you don't want anything to go out locally, then I'm a bit confused as to why you have the 3 subnets you have now (Internal, DMZ and WAN). You might be better off just selecting full transparent mode as explained above, connecting one end of the connection to the DMZ VPN gateway and connecting the "internal" clients to the other interface using a switch.
    This way all connected clients will physically be inside the current DMZ and use this to connect out.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
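
The two replies above (Douglas's and Apijnappels's) describe the same mechanism: a source-based policy route only matches while the packet still carries the client's source address, and the standard transparent proxy re-originates the web request from the UTM's own exit address before routing happens. The following added example is not code from the forum thread or from Sophos; it is a small Python model of that route lookup, written to make the three states the original poster observed (skiplist on, skiplist off, Full Transparent) visible in one place. The host addresses (UTM exit address, VPN router address, ISP gateway) are assumed sample values, since the thread only gives "84.x.x.x" for the WAN side, and the proxy behaviour is modelled as described in the replies, not taken from UTM internals.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Addressing as posted in the thread; the three host addresses below are
# assumed sample values (the post only gives "84.x.x.x" for the WAN side).
INTERNAL_NET = ip_network("192.168.0.0/24")
UTM_WAN_IP = ip_address("84.0.0.1")        # assumed exit address of the UTM itself
VPN_ROUTER_DMZ = ip_address("10.0.0.2")    # assumed address of the VPN router in the DMZ
ISP_GATEWAY = ip_address("84.0.0.254")     # assumed default gateway on the WAN


@dataclass(frozen=True)
class PolicyRoute:
    """One 'Gateway Route' entry: match on source network and service, send to gateway."""
    source_net: IPv4Network
    service: str          # "Any" or a single service name such as "HTTP"
    gateway: IPv4Address


# The single policy route from the original post:
# Internal (Network) -> Any -> Internet IPv4, GW: VPN Router DMZ
POLICY_ROUTES = (PolicyRoute(INTERNAL_NET, "Any", VPN_ROUTER_DMZ),)


def next_hop(src: IPv4Address, service: str, routes=POLICY_ROUTES) -> IPv4Address:
    """Policy routes are consulted first; a packet whose source matches none of
    them falls through to the default route towards the ISP."""
    for route in routes:
        if src in route.source_net and route.service in ("Any", service):
            return route.gateway
    return ISP_GATEWAY


def forward_web_request(client: IPv4Address, proxy_mode: str, routes=POLICY_ROUTES) -> IPv4Address:
    """Model which gateway an HTTP request from a LAN client ends up at.

    proxy_mode:
      "skipped"          - client is on the Transparent Mode Skiplist; its packet
                           is routed unchanged (web filter not applied)
      "transparent"      - standard transparent proxy terminates the connection
                           and re-originates it from the UTM's own exit address
      "full_transparent" - proxy keeps the client's source address on the
                           outbound connection (requires bridged NICs per Bob)
    """
    if proxy_mode == "skipped":
        outbound_src = client
    elif proxy_mode == "transparent":
        outbound_src = UTM_WAN_IP          # source rewritten before the route lookup
    elif proxy_mode == "full_transparent":
        outbound_src = client              # source preserved, policy route still matches
    else:
        raise ValueError(f"unknown proxy mode: {proxy_mode}")
    return next_hop(outbound_src, "HTTP", routes)


if __name__ == "__main__":
    client = ip_address("192.168.0.10")    # constructed LAN client
    for mode in ("skipped", "transparent", "full_transparent"):
        print(f"{mode:17s} -> {forward_web_request(client, mode)}")
    # Policy route deactivated: everything falls through to the ISP gateway.
    print(f"policy route off  -> {forward_web_request(client, 'skipped', routes=())}")
```

Running the block prints the VPN router for the "skipped" and "full_transparent" cases and the ISP gateway for "transparent" and for the deactivated route, which matches the three observations in the original post. The security-relevant consequence is the trade-off the thread circles around: with the standard transparent proxy the web filter inspects traffic but the VPN tunnel is bypassed, whereas with the skiplist the tunnel is used but the web filter never sees the requests; only Full Transparent (or a parent proxy at the far end, as Douglas suggests) gives both.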

  • Hello Bob,

    Thanks for your reply.

    When bridging the 2 NICs for LAN / DMZ, how secure is this configuration? Do I understand this correctly, that the bridging is the same as, for example, bridging interfaces in VMware?

    Regarding the interface / subnet configuration, I was thinking I can use 172.16-31.x.x, 192.168.x.x, or 10.x.x.x as private ranges for the DMZ. Yes, I was thinking of setting up VPN into my UTM, and the subnet 192.168.0.0/24 needs to be free for remote access so as not to cause conflicts. Can I use, for example, 192.168.8.0/24 for the LAN subnet instead of 192.168.0.0/24?

  • Hello Apijnappels,

    Yes, I would like to have web filtering and route all traffic over the VPN tunnel.

    I use 3 interfaces because with this configuration I'm currently able to activate the gateway route, so that all traffic goes over the DMZ through the VPN tunnel (VPN for privacy), and when deactivating the gateway policy route, the Internet traffic goes out directly via my ISP's Internet connection.

  • There is no /24 subnet in 192.168.0.0/16 that's "safe" to use in your UTM. The default VPN Pools in the UTM are in 10.242.0.0/21, and that would cause conflicts with your 10.0.0.0/8 definition. You're better off following the "culture" as I recommended above.

    When bridging DMZ and LAN, you can maintain security by assigning IPs in different subnets as I described above. Using my suggestion above, put only 172.16.1.0/24 in 'Allowed Networks' for Web Filtering - leave 172.16.0.0/24 out of there. See #2 in Rulz to understand the reason for this.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
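
Bob's two posts make an address-planning argument: 10.0.0.0/8 swallows the UTM's default VPN pool (10.242.0.0/21), and a LAN in 192.168.0.0/24 collides with the networks remote-access users typically dial in from, so both break the remote-access VPN. The following added example is not from the thread or from Sophos; it is a Python check a practitioner can run over a proposed address plan before committing it to the UTM. The VPN pool value comes from Bob's post; the list of "remote LAN" ranges is an assumed sample constructed for the check, and `bridged_plan` encodes Bob's bridged 172.16.0.0/23 layout (fixed DMZ half, DHCP LAN half) as a test of the two halves being disjoint and inside the bridge subnet.

```python
from ipaddress import ip_network
from itertools import combinations

# Default remote-access VPN pool range quoted by Bob in this thread.
UTM_DEFAULT_VPN_POOLS = ip_network("10.242.0.0/21")

# Assumed sample of LAN ranges a road warrior may sit behind (hotspot, friend's
# home router); constructed for this check, not a list taken from the page.
ASSUMED_REMOTE_LAN_RANGES = (ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24"))

# The original poster's plan and Bob's recommended replacement.
ORIGINAL_PLAN = {"Internal": "192.168.0.0/24", "DMZ": "10.0.0.0/8"}
BOB_PLAN = {"Internal": "172.16.1.0/24", "DMZ": "172.16.0.0/24"}


def find_overlaps(plan: dict) -> list:
    """Return every pair of named networks that overlap, sorted by name.

    The UTM's own VPN pool and the assumed remote LAN ranges are added to the
    plan before checking, so a conflict with either is reported like any
    other overlap between the administrator's own subnets."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in plan.items()}
    nets["UTM default VPN pool"] = UTM_DEFAULT_VPN_POOLS
    for i, rng in enumerate(ASSUMED_REMOTE_LAN_RANGES, 1):
        nets[f"remote LAN #{i} (assumed)"] = rng
    return sorted((a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b]))


def bridged_plan(bridge: str, dmz: str, lan: str) -> bool:
    """Validate Bob's bridged layout: the DMZ and LAN halves must both sit
    inside the bridge subnet and must not overlap each other, otherwise the
    'Allowed Networks' split for Web Filtering cannot separate them."""
    b, d, l = (ip_network(x) for x in (bridge, dmz, lan))
    return d.subnet_of(b) and l.subnet_of(b) and not d.overlaps(l)


if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("bob", BOB_PLAN)):
        print(f"{label:8s} overlaps: {find_overlaps(plan) or 'none'}")
    print("bridged 172.16.0.0/23 split valid:",
          bridged_plan("172.16.0.0/23", "172.16.0.0/24", "172.16.1.0/24"))
```

For the original plan the check reports the DMZ/VPN-pool clash and the Internal/remote-LAN clash; for Bob's 172.16.x plan it reports none. Running such a check before changing interface definitions is cheap, and it catches the class of conflict that otherwise only shows up as a remote-access VPN that connects but cannot reach the LAN.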
  • Hi Bob,

    Thanks a lot for the information.


    Best Regards

    Sally