Can't access websites in Transparent Mode. SophosUTM 9.4

OK, this is the first time I have ever used a hardware firewall so I'm feeling my way round. I have some network knowledge but I'm not an expert. The other posts don't quite answer my problems so I will try and list them here.

The hardware is running in transparent mode (I believe), as in, my existing router functions normally and the Sophos box sits in between the router and the LAN. DHCP comes from my router. 2 of the LAN ports on the Sophos box are bridged for WAN.

After installing and setting up the software I managed to get most of it working OK except for the Web Protection part. I have followed instructions on Youtube and various other sources to try and understand the complexities. Certificates have been installed where necessary.

Here are the issues I have in transparent mode:

1. Only Youtube seems to work; all the others time out.

2. 2 of my NASes, which worked previously, are no longer detected. They seem to be having a DHCP problem. 2 other computers work normally.

3. Can't update Endpoint clients with Web Filtering on or in Transparent Mode.

4. When I first try to open the interface page to login it tells me JavaScript is off. It isn't off. I do use NoScript in my browser but have whitelisted the web interface IP address/port. If I just refresh the page, it clears the error and gives me the login screen.

5. If I use Transparent Mode, whitelisting blocked URLs in Policies makes no difference.

I am currently running it in Standard Mode with "do not proxy HTTPS traffic" unchecked and it all works normally but I would like to be able to get Transparent Mode working as it seems to be a more secure method, from what I read.

Please remember I am a novice at this but am learning along the way. I've tried to explain things as best I can. Update log attached.

Thanks in advance.

SophosUpdate.log
  • Part of your troubles may be the way you have things set up.  It sounds like you have double natting going on which may be causing the issues.

    The utm device really should be in between your modem and lan.  Let UTM handle the routing tasks.  If you need wifi, configure your old router/ap to be in ap mode - no dhcp, no dns, just a dumb ap only. 

  • Hi Jay Jay and thanks for the quick response.

    The UTM is between the modem/router and the LAN; perhaps I wasn't clear. It uses 3 NICs. I left the router to handle DHCP as my ISP thought it would cause problems with my fibre connection. I'm not convinced but it was easier to leave it as is. DHCP is not activated on the UTM (but I'll double-check). I looked at running the modem/router in bridge mode at first but it was easier just to slot it in the way I have it so I could try it without mucking up my existing system, which of course it seems to be doing but not too bad. I spent over a year trying to get various hardware firewalls to work unsuccessfully but doing it this way worked for me and Sophos was the first one that worked at all. As I said, it seems to be fully functional but for Transparent mode in Web Protection.

  • I didn't realize you were using one of those all in one gateways (modem/router combo unit).  In that case, I'd say make sure you disable any firewall or packet inspection options on the router.  Ideally, you should be passing all traffic through to the utm.

    If at all possible, bridge mode is the best way to go. 

    What subnet is getting passed on to the utm wan port? What subnet is the rest of the lan on ?

  • I am yet to see any Internet user who doesn't have the all-in-one unit; Certainly my experience is nobody uses dedicated modems. Maybe big organisations do but not home users, which is me.

    I can fairly easily drop the firewall from the router but as I said earlier putting it into bridge mode is quite a hassle so I'd rather leave well alone, at least until I understand everything a bit better. Last time I tried it (with a different firewall) I got in a real mess.  I do agree though it is probably the best option but everything I have read relating to the way I am using it says it should work.

    Both UTM & LAN are on the same subnet. I think I read somewhere this should not be the case and if so probably would not help. It may fix some of the problems but the javascript thing looks more like a bug, certainly nothing to do with my setup. I currently use 255.255.0.0 on everything.

  • I own my own modem, know many others that do as well.  Mostly to save money, but also to not deal with bridging headaches.

    If I'm understanding correctly then, it sounds like both network ports on your firewall pc/device are on the same subnet.  So from the modem to the utm is 192.168.1.x, and similar on the output, 192.168.1.x+1 (or something similar).  I suppose it's possible to set up filtering that way using subnet masks, but that seems more complicated than need be.  I believe both ports should be on varying subnets.

    You can leave the in port as dhcp so it can get an ip from the modem/router, then set the out port to something else.

  • Hi and welcome to the UTM Community!

    Like Jay said, the "culture" here prefers to have the modem in bridge mode so that the UTM can get a public IP.  If someone has a wireless router, the usual recommendation here is to turn it into a wireless AP/switch and let the UTM do DHCP.  This is also true for the great majority of home users here.  Most ISPs won't have anyone knowledgeable that you, as a home user, can reach.

    If you have the UTM in between your LAN bridged instead, then you should use 'Full Transparent' mode.  If the UTM is also doing DHCP, you will have problems.  Make sure it's either one or the other.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi and thanks for your response. I do agree the bridge mode suggestion is the way to go but the experience I had trying to do this previously was a disaster so this time I want to get this working as well as I can as it is and it will teach me some new things and give me a better understanding. I did try Full Transparent Mode but it didn't seem to make a difference but it makes sense so I'll put it back when I figure out what the problem is. I only went off the instructions that I read and they are not always as thorough as they could be, particularly for novices. I'm not new to computing but this particular aspect is new. I am only used to software firewalls. The UTM is not doing DHCP - I understand this part. I think I had a look at putting my modem/router into bridge mode a while back but it didn't look straightforward. I did manage it successfully in the past on a Draytek Vigor unit I had but I now have a FritzBox which doesn't seem to be quite as easy. I'm sure it can be done but I need to research it more.

    Strangely, only my Windows machines show up in Network Neighbourhood. The Linux-based NASes aren't appearing. I don't know if it is anything to do with certificates or not. I have the required certificate installed on the Windows machines and my Android devices but not on OpenMediaVault, Seagate PersonalCloud or a Buffalo NAS, and these are not showing in Windows on the LAN. Can't figure them out yet. All the articles I have read say the way I have it should work but at some point I will try the bridge mode thing.


    Thanks Bob

  • For your purposes, you could do the double natting method.  Assign the wan port of the utm to use dhcp.  Change the subnet for the lan.  If ip's coming out of the modem/router are 192.168.1.x, change the utm lan to be on the 192.168.2.x subnet.  It won't be like getting a real public ip on the utm's wan port, but close enough.

    I was in the same boat as you a few weeks ago.  Eventually I realized it was going to be awfully painful to set this thing up properly until it's getting a true public ip.  I have 3 routers on hand so it was just a matter of unplugging the primary one. 
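A quick addressing sanity check for the layout Jay describes above (an added example, not code from the thread or from Sophos; the interface strings are constructed, with the modem handing out 192.168.1.x as in the thread):

```python
import ipaddress


def check_interface_plan(wan_iface, lan_iface):
    """Return a list of addressing problems for a firewall with one WAN and one LAN side.

    Each argument is 'address/prefix' or 'address/netmask', e.g. '192.168.1.10/24'
    or '10.9.8.2/255.255.0.0'. An empty list means the two sides can be routed.
    """
    wan = ipaddress.ip_interface(wan_iface)
    lan = ipaddress.ip_interface(lan_iface)
    problems = []
    if wan.network == lan.network:
        # Same subnet on both sides: the firewall has nothing to route between.
        problems.append(f"WAN and LAN share subnet {lan.network}; the firewall cannot route between them")
    elif wan.network.overlaps(lan.network):
        # A wide mask (e.g. /16 on the LAN) can swallow the WAN subnet entirely.
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}; routes are ambiguous")
    if wan.ip == lan.ip:
        problems.append(f"both interfaces use {wan.ip}")
    for name, iface in (("WAN", wan), ("LAN", lan)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or broadcast address")
    return problems


def client_on_lan(client_ip, lan_iface):
    """True if a statically addressed client sits inside the LAN subnet it is meant to use."""
    lan = ipaddress.ip_interface(lan_iface)
    return ipaddress.ip_address(client_ip) in lan.network


if __name__ == "__main__":
    # Constructed cases: same subnet both sides, a /16 LAN mask, and Jay's double-NAT layout.
    for wan, lan in (("192.168.1.10/24", "192.168.1.1/24"),
                     ("192.168.1.10/24", "192.168.1.1/255.255.0.0"),
                     ("192.168.1.10/24", "192.168.2.1/24")):
        print(wan, lan, check_interface_plan(wan, lan) or "ok")
    print(client_on_lan("192.168.1.2", "192.168.1.1/255.255.255.0"))
```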

  • I'll look into that Jay. I am getting my WAN IP OK, at least on Windows using Standard Mode but I need to try what Bob said and use Full Transparent Mode. I dual-boot my main PC also to Linux and it will not connect at all. So the same PC connects on Windows but not on Linux (same adapter of course). This means basically none of my Linux-based devices can get through the UTM in standard mode.


    Thanks again

  • You should have a separate Web Filtering Profile in Standard mode for the Windows machines.  Make the primary, default Profile in Transparent for the Linux-based devices.  If you make them both cover "Internal (Network)," the Linux devices won't send to the Proxy on port 8080, so they won't qualify for the Profile in Standard mode.  Voila - easy, peasy.

    Cheers - Bob

  • Thanks for your reply Bob.

    Things have gone from bad to worse in the course of trying to make all the suggested changes. My computer dual boots to Linux/Windows. With the UTM in place I could log into Linux and get on the Internet. With Windows on the same NIC the Internet was completely blocked. Eventually the computer threw out the network card totally (only in Windows) and I ended up reinstalling as none of the usual fixes worked (thanks Microsoft).

    The first thing I decided to do once it was working again was change the subnet on the UTM box. I never quite understood the philosophy behind this but it seems to be something that is required. I changed the LAN fixed address to something completely different and now I can't access the configuration page at all. I can ping it and I can log in but I'm only seeing a very limited interface which pretty much only allows me to change the password. I wanted to change the fixed IP to something else but can't do it. So now I need advice as to how to get my interface back so I can make the changes. I'm assuming I need to do this through the console? Traditionally when I end up locking myself out I have just reinstalled Sophos but there has to be a better way. I want to get it working so I can try everything that has been suggested but I'm not off to a good start.

    I contacted my ISP and told them I wanted to put their router/modem into bridge mode and they told me they wouldn't be able to support it. This is the stand most ISPs take as they only train their "technical staff" specifics relating to their device, suggesting the "technical staff" don't have a broad knowledge. I guess it's slightly trickier on my Fritzbox as it uses VOIP. So I am happy to try everything suggested so far but probably need to leave it in transparent mode as it is, certainly till I learn a lot more. I would like to do it but I'm not ready yet although I do believe it should work as it is and it's just internal configurations that are the issue. First I have to get back into the UTM.

  • "The first thing I decided to do once it was working again was change the subnet on the UTM box. I never quite understood the philosophy behind this but it seems to be something that is required. I changed the LAN fixed address to something completely different and now I can't access the configuration page at all."

    Please be specific about this change - did you change from 192.168.0.1/24 to 192.168.0.129/25 or ???  Is the UTM providing DHCP and did you also change that?  I'm not familiar with "a very limited interface which pretty much only allows me to change the password."  Please show a picture of that.

    Cheers - Bob

  • Hi Bob.

    I changed the UTM from 10.9.8.2/255.255.0.0 to 192.168.1.1/255.255.255.0. I then fixed the IP address on my computer to 192.168.1.2 to allow access, which it did, and the following clip is the result:

    It is also tricky accessing the support website as it always tells me to allow cookies. Cookies are allowed on: https://secure2.sophos.com. I used to get the same thing with JavaScript when accessing the interface when it did work. I use NoScript but have whitelisted the UTM. It always complains but a page refresh fixes it until the next time. The UTM is not providing DHCP.

    Thanks

  • You have reached the User Portal on https://192.168.1.1/

    To reach WebAdmin, you want https://192.168.1.1:4444/

    Is the mystery solved?

    Cheers - Bob

  • Thank you Bob. Silly me.... Now on with the rest of the issues. I will now be able to see what the difference is with the UTM on a different subnet. I'll be back.

    Cheers

    Lyn