
Sophos UTM Webfilter

Hello,

I currently have a configuration in which all my Internet traffic is routed through a VPN router in the DMZ. The configuration is as follows:

 

Interfaces

LAN (Internal Network): 192.168.0.0/24
DMZ (VPN Service): 10.0.0.0/8
WAN: 84.x.x.x

Static Routing - Policy Route

Gateway Route: Internal (interface), Internal (Network) -> Any -> Internet IPv4, GW: VPN Router DMZ

Network Protection - Firewall - Rules

DMZ (VPN Network) -> DNS, FTP, HTTPS, NTP, SSH -> Internet IPv4

NAT - Masquerading

Internal (Network) -> External (WAN)
Internal (Network) -> DMZ VPN
DMZ VPN -> External (WAN)

Web Protection - Filtering Options - Misc - Transparent Mode Skiplist

Skip Transparent Mode Source Hosts / Nets: Internal (Network)
Marked: Allow HTTP/S traffic for listed hosts/nets

 

With this configuration, all traffic from the internal LAN is routed through the VPN service; this works.

 

When I deactivate the policy route, all Internet traffic is routed over the normal WAN connection, not over the VPN service.

 

When I remove the Internal Network under Misc - Skip Transparent Mode Source Hosts / Nets, I can connect to the Internet, but over my normal WAN connection, not over the VPN service.

 

What am I doing wrong? Which setting do I have to adapt so that traffic goes over the VPN service without skipping the Internal Network in the Web Protection setting? What am I missing?

 

Thanks



  • The NICs must be bridged if you want to use Full Transparent.  I admit that I'm having trouble following your description - a simple diagram would be helpful.

    I wouldn't use 10.0.0.0/8 as that's likely to bring you into conflict with an ISP or other large organization.  I wouldn't use subnets in 192.168.0.0/24 as that's likely to cause conflicts if you want to VPN into your UTM from a public hotspot or a friend's home.  Better to use subnets in 172.16.0.0/12.

    You could bridge the two NICs and assign a subnet of 172.16.0.0/23 with a default gateway of the IP of the VPN router.  Assign fixed IPs in 172.16.0.0/24 to the devices in the DMZ and use DHCP to assign dynamic IPs in 172.16.1.0/24 to the devices in the LAN.  A single firewall rule like '{172.16.1.0/24} -> Any -> Any : Allow' lets your LAN communicate with the DMZ and the world, but devices in the DMZ are blocked by default from the LAN unless you make a firewall rule allowing some access.  No masquerading rule should be used in the UTM for traffic that doesn't leave through the WAN interface.  You will need a Static Route for the traffic you want to pass through the VPN router, but I'm not sure exactly what traffic that is.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

     

    Thanks for your Reply.

     

    When bridging the two NICs for LAN / DMZ, how secure is this configuration? Do I understand this correctly, that the bridging is the same as, for example, bridging interfaces in VMware?

     

    Regarding the interface / subnet configuration, I was thinking I could use 172.16-31.x.x, 192.168.x.x, or 10.x.x.x as private ranges for the DMZ. Yes, I was thinking of setting up VPN into my UTM, and the subnet 192.168.0.0/24 needs to stay free for remote access to avoid conflicts. Can I use, for example, 192.168.8.0/24 instead of 192.168.0.0/24 for the LAN subnet?

  • There is no /24 subnet in 192.168.0.0/16 that's "safe" to use in your UTM.  The default VPN Pools in the UTM are in 10.242.0.0/21, and that would cause conflicts with your 10.0.0.0/8 definition.  You're better off following the "culture" as I recommended above.

    When bridging DMZ and LAN, you can maintain security by assigning IPs in different subnets as I described above.  Using my suggestion above, put only 172.16.1.0/24 in 'Allowed Networks' for Web Filtering - leave 172.16.0.0/24 out of there.  See #2 in Rulz to understand the reason for this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
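The overlap problem Bob describes (a 10.0.0.0/8 DMZ swallowing the UTM's default 10.242.0.0/21 VPN pool, and a 192.168.0.0/24 LAN colliding with the typical home or hotspot network a remote-access client sits on) is easy to check mechanically before committing an address plan. The following is an added example written for this thread, not code from the original posts or from Sophos; the two address plans and the sample remote-client subnet are constructed from the figures quoted in the thread, and the function names are my own.

```python
import ipaddress
from itertools import combinations

# Constructed address plans (sample data, not read from a live UTM).
# ORIGINAL_PLAN is the poster's layout; PROPOSED_PLAN is Bob's suggestion.
# 10.242.0.0/21 is the UTM default VPN pool range Bob mentions above.
ORIGINAL_PLAN = {
    "LAN": "192.168.0.0/24",
    "DMZ": "10.0.0.0/8",
    "UTM default VPN pool": "10.242.0.0/21",
}
PROPOSED_PLAN = {
    "DMZ": "172.16.0.0/24",
    "LAN": "172.16.1.0/24",
    "UTM default VPN pool": "10.242.0.0/21",
}


def _parse(plan):
    # strict=True rejects host bits set in the prefix (e.g. 10.0.0.1/8),
    # which would indicate a typo in the plan rather than a network.
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose networks overlap.

    Any overlap between two ranges that the UTM routes separately is a
    routing ambiguity: packets for the smaller range may be sent to the
    interface owning the larger one.
    """
    nets = _parse(plan)
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def remote_client_conflicts(plan, client_local_cidr):
    """Return the plan networks that collide with a remote client's local LAN.

    A road-warrior whose hotspot or home router already uses client_local_cidr
    cannot reach a UTM-side network in the same range through the tunnel,
    because the local route wins.
    """
    client = ipaddress.ip_network(client_local_cidr, strict=True)
    nets = _parse(plan)
    return sorted(name for name, net in nets.items() if net.overlaps(client))


if __name__ == "__main__":
    # Constructed sample: a remote user on a typical 192.168.0.0/24 home network.
    for label, plan in (("original", ORIGINAL_PLAN), ("proposed", PROPOSED_PLAN)):
        print(f"{label}: overlaps={find_overlaps(plan)} "
              f"remote-client conflicts={remote_client_conflicts(plan, '192.168.0.0/24')}")
```

Run it as-is to compare the two plans; to vet a different layout, replace the dictionary entries with your own interface, VPN pool and remote-network ranges. The check only covers address overlap, not the separate question of which networks belong in Web Filtering's 'Allowed Networks', which Bob addresses above.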
  • Hi Bob,

    Thanks a Lot for the Information.

     

    Best Regards

    Sally
