
Web filtering: SK126892 not working, outgoing IP is unchanged

Hello everyone,

 

I have the following Scenario:

- Guests are confined to a DMZ on my UTM 9.503 and can access the Internet through the Transparent Proxy.

 

What have I done:

- I would like to have Guests use an outbound IP different from my other traffic. In order to do this, I followed SK126892 (How to change the outgoing interface for Web Filtering).

- In addition, I have created an additional address object for the outbound IP I would like to have them use. This object is now used in the Web Filter Profile for Guests.

- I also created a SNAT Rule, so that non web traffic from Guest network will also be behind this additional IP.

 

Result:

- For non web traffic (SSH for example), I can confirm that the additional address is used.

- For Web Traffic I see no change. When I disable the Web Filter Profile for Guests, I see the traffic going out with my configured additional address; as soon as I enable the filter again, I see the public IP of my WAN interface again.

 

Could it be that it is not possible to use an additional address (only a different interface)? I guess I could do a SNAT like "WAN -> Web -> Additional Address", but then ALL of my web traffic will be behind this IP (I want only Guests there).

 

Thanks for your help and many greetings ;)

 

Thomas



  • Hello, Thomas, and welcome to the UTM Community!

    Please show us a picture of the Edit of the Web Filtering Profile for Guests.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

     

    yes, of course:

     

    Please note:

    - The physical WAN Interface has an IP of x.x.192.180/28 whereas the Interface you see in the screenshot is an additional address which was created with an IP of x.x.222.200 (the complete x.x.222.192/26 Network is routed to the x.x.192.180/28).

    - Regardless of the setting of "Interface for outgoing traffic", I always see transparent proxy traffic leaving the UTM with x.x.192.180.

     

    Thanks and many greetings,

    Thomas

  • "the complete x.x.222.192/26 Network is routed to the x.x.192.180/28"

    I don't understand, Thomas.  Please show a picture of this configuration.

    Cheers - Bob

     
  • Hi Bob,

    Sorry for the late answer; maybe I did not write this clearly enough. I have a public network between the ISP router and the firewall, and the ISP is routing an additional network to the public IP of the firewall. The additional IP I would like to use is inside this additional range.

     

    Thanks,

    Thomas

  • Show a line from the Web Filtering log file demonstrating that the traffic from the Guest LANs is captured by the "DMZ_Gaeste" Profile.  If it is going through the Profile and tcpdump shows that the Additional Address is not applied, it would be interesting to know what Sophos Support has to say. 

    Cheers - Bob

     
  • Hi Bob,

     

    I don't have the logs with me at this time, but I did create a special Web Filter Profile and I checked in the http.log that my requests were captured by my modified profile. I also did a tcpdump and verified that the packets are leaving the WAN with the interface address instead of the additional one.

     

    On top of that, I checked iptables... I would have thought that this new feature works with a "tag", but I could not find any special rule in PRE (nor in any other chain)...

     

    I opened a ticket with Support and I will definitely update this thread as soon as I know more.

     

    Thanks,

    Thomas
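As an added example (not code from the thread, from Sophos, or from SK126892), the following Python audit runs over constructed `conntrack -L` lines and separates the three cases the thread describes: guest flows that were SNATed to the additional address (the SSH case that works), guest flows that were redirected into the transparent proxy, and the proxy's own outbound sessions, which leave with whatever address the proxy bound. The reading behind the "proxied" verdict, that the UTM terminates the redirected TCP session itself so a SNAT rule matching the guest source network never sees an outbound packet for it, is my assumption about why the SNAT works for SSH but not for web traffic; the thread does not confirm it. The addresses, guest subnet and proxy port below are assumptions standing in for the masked values in the post.

```python
"""Audit conntrack entries for egress-address mismatches behind a transparent proxy."""
import ipaddress
import re

WAN_IP = "203.0.113.180"          # assumed stand-in for the masked x.x.192.180 (WAN interface)
ADDITIONAL_IP = "198.51.100.200"  # assumed stand-in for the masked x.x.222.200 (additional address)
GUEST_NET = "172.16.50.0/24"      # assumed guest DMZ range (not given in the thread)
PROXY_PORTS = {8080}              # assumed port the transparent proxy listens on

# Constructed `conntrack -L` output, not taken from the post. Each line carries the
# original tuple (client -> server) followed by the reply tuple (server -> NATed source).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=172.16.50.10 dst=192.0.2.25 sport=50123 dport=22 src=192.0.2.25 dst=198.51.100.200 sport=22 dport=50123 [ASSURED] mark=0 use=1
tcp      6 431998 ESTABLISHED src=172.16.50.10 dst=192.0.2.80 sport=50124 dport=80 src=172.16.50.1 dst=172.16.50.10 sport=8080 dport=50124 [ASSURED] mark=0 use=1
tcp      6 431997 ESTABLISHED src=203.0.113.180 dst=192.0.2.80 sport=40001 dport=80 src=192.0.2.80 dst=203.0.113.180 sport=80 dport=40001 [ASSURED] mark=0 use=1
tcp      6 431996 ESTABLISHED src=172.16.50.11 dst=192.0.2.26 sport=50200 dport=22 src=192.0.2.26 dst=203.0.113.180 sport=22 dport=50200 [ASSURED] mark=0 use=1
icmp     1 29 src=172.16.50.12 dst=192.0.2.1 type=8 code=0 id=4242 src=192.0.2.1 dst=198.51.100.200 type=0 code=0 id=4242 mark=0 use=1
"""

KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_conntrack_line(line):
    """Return the TCP/UDP tuples of one conntrack line, or None for other entries."""
    fields = line.split()
    kv = KV.findall(line)
    if len(fields) < 4 or len(kv) != 8:      # ICMP and malformed lines lack the 8 keys
        return None
    orig = dict(kv[:4])                      # first src/dst/sport/dport: original direction
    reply = dict(kv[4:])                     # second set: reply direction, after NAT
    return {
        "proto": fields[0],
        "orig_src": orig["src"], "orig_dst": orig["dst"],
        "orig_sport": int(orig["sport"]), "orig_dport": int(orig["dport"]),
        "reply_src": reply["src"], "reply_dst": reply["dst"],
        "reply_sport": int(reply["sport"]), "reply_dport": int(reply["dport"]),
    }


def audit_flows(conntrack_text, guest_net=GUEST_NET, additional_ip=ADDITIONAL_IP,
                wan_ip=WAN_IP, proxy_ports=PROXY_PORTS):
    """Classify every relevant flow as (verdict, orig_src, orig_dst, dport, egress_address)."""
    guest = ipaddress.ip_network(guest_net)
    findings = []
    for line in conntrack_text.splitlines():
        f = parse_conntrack_line(line)
        if f is None:
            continue
        web = f["orig_dport"] in (80, 443)
        egress = f["reply_dst"]              # the source address the far end sees
        if ipaddress.ip_address(f["orig_src"]) in guest:
            if f["reply_sport"] in proxy_ports and f["reply_src"] != f["orig_dst"]:
                # REDIRECTed to the local proxy: the UTM terminates this TCP session,
                # so a SNAT rule matching the guest source never sees an outbound packet.
                verdict = "proxied"
                egress = f["reply_src"]      # the UTM's own DMZ-side address
            elif egress == additional_ip:
                verdict = "ok-snat"
            else:
                verdict = "wrong-source"
        elif web and f["orig_src"] == wan_ip:
            # proxy-originated session bound to the interface address (the thread's symptom)
            verdict = "proxy-uses-interface-ip"
        elif web and f["orig_src"] == additional_ip:
            verdict = "ok-proxy"
        else:
            continue                         # unrelated flow
        findings.append((verdict, f["orig_src"], f["orig_dst"], f["orig_dport"], egress))
    return findings


def problems(findings):
    """Only the verdicts an operator needs to act on."""
    return [x for x in findings if x[0] in ("wrong-source", "proxy-uses-interface-ip")]


if __name__ == "__main__":
    for verdict, src, dst, dport, egress in audit_flows(SAMPLE_CONNTRACK):
        print(f"{verdict:24} {src}:{dport} -> {dst}  egress={egress}")
```

Feed it the output of `conntrack -L` (or `/proc/net/nf_conntrack`, which carries the same `src=`/`dst=` key layout with two extra leading fields) taken while a guest browses and a guest SSH session is open. A tcpdump on the WAN interface only shows the packets after NAT, so it cannot tell you which internal session they belong to; the conntrack view pairs each pre-NAT tuple with its post-NAT reply tuple and makes the redirected proxy session visible as a separate flow originating from the UTM itself.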