
Web Filtering based on Network with Double NAT

Hi Guys,


Sorry in advance if this is a dumb question, but I could not find anything on this and just want to know if it is possible. I have a Sophos XG Firewall in gateway mode connected directly to the internet, and on port 1 a network of 10.1.1.1/24 is created which is connected to another router, 10.1.1.2 (NAT). Behind the router there are 2 more networks, 192.168.1.1/24 and 192.168.2.1/24. So basically it becomes double NAT.

One of them is a normal network the other one is a guest network just as an example. I want to apply web filtering policies based on the networks. I have created the appropriate firewall rules.

Rule 1 --> Any traffic for WAN from any LAN zone where the host network is 192.168.1.1/24: all traffic is to pass (no web filtering/allow all).

Rule 2 --> Any traffic for WAN from the LAN zone where the host network is 192.168.2.1/24: a default web filtering policy is to apply.

Since the traffic is natted and shows the network as 10.1.1.2, none of these rules work. So in order for internet traffic to pass, I have had to add another network, 10.1.1.1/24, for any web traffic to flow. So rule 1 becomes:

Rule 1 --> Any traffic for WAN from any LAN zone where the host network is 192.168.1.1/24 or the host network is 10.1.1.1/24: all traffic is to pass.

But this means that I am not able to do web filtering based on the network behind the router. I know I can bridge the interface, but this router does not support bridging (and I don't want to, due to some other reasons). And I also cannot remove the router (it is needed for other stuff).

Is there any way I can fix this? I have attached the screenshot from the log.

  • Hi,

    Unfortunately, as the upstream router is also NAT'ting the connections, this will not be possible. Changes will be required on the upstream router.

    You will have to create routes on the upstream router pointing to the XG for networks behind the XG.

    You will have to create routes on XG for routes behind upstream router.

    Ensure your WAN interface is configured NOT to do MASQ or NAT'ting on the XG.

    You will also need to ensure the upstream router does NOT MASQ or NAT the traffic destined to the XG.

    Alternatively you can put the XG into bridge mode and configure accordingly but will still need static routes on upstream and changes on the upstream router done.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Thanks, but I think you may have it confused, as the router is behind the XG, not in front, but what you say still applies. And due to my constraints I do see what you mean :)

  • My apologies for mixing the 2 up.

    But yes, you are correct; the same changes are still required.

    However, you will not need to put the XG into bridge mode. Hang the secondary router off a port of the XG.

    Static routes are still required and upstream router changes will also still be required so that it knows where those networks are.  

    For the filtering portion, remove MASQ/NAT on downstream router and things should filter correctly.

    Good luck!

    KingChris
    Community Support | Sophos Support

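To make the reasoning in this thread concrete, here is a small added example (my own code, not Sophos' and not anything from the thread) that models what the XG sees in each of the three situations discussed: the original rules with the downstream router NAT'ting, the questioner's workaround of adding 10.1.1.1/24 to rule 1, and the fix KingChris describes (NAT off on the downstream router, with static routes so the original 192.168.x source addresses reach the XG intact). It assumes the XG evaluates firewall rules first-match on source address, which is how the question describes them; the addresses are the ones given in the question, and the client addresses and the rule-set labels are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: tuple   # source networks the rule matches on
    web_filter: str   # "none" = allow all, "default" = default web filter policy


def to_net(cidr):
    # The thread writes networks as "192.168.1.1/24"; strict=False normalises
    # that to 192.168.1.0/24 instead of raising an error.
    return ipaddress.ip_network(cidr, strict=False)


# Addresses from the question: the downstream router's XG-facing address is
# 10.1.1.2, and two networks sit behind it.
ROUTER_WAN_IP = "10.1.1.2"
NORMAL_NET = "192.168.1.1/24"
GUEST_NET = "192.168.2.1/24"
TRANSIT_NET = "10.1.1.1/24"

# The rules as the question first describes them.
ORIGINAL_RULES = (
    Rule("Rule 1", (NORMAL_NET,), "none"),
    Rule("Rule 2", (GUEST_NET,), "default"),
)

# The workaround the question ends up with: the transit network added to Rule 1.
WORKAROUND_RULES = (
    Rule("Rule 1", (NORMAL_NET, TRANSIT_NET), "none"),
    Rule("Rule 2", (GUEST_NET,), "default"),
)


def downstream_router(src_ip, nat_enabled):
    """Model the second router: with NAT on, every packet it forwards to the XG
    carries the router's own address; with NAT off (and routes in place on both
    sides) the original client address survives."""
    return ROUTER_WAN_IP if nat_enabled else src_ip


def first_match(src_ip, rules):
    """First-match lookup on source address, the way the question's rules are keyed."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if any(ip in to_net(n) for n in rule.src_nets):
            return rule
    return None


def classify(client_ip, nat_enabled, rules):
    """Return (address the XG sees, matching rule name or None, web filter applied)."""
    seen = downstream_router(client_ip, nat_enabled)
    rule = first_match(seen, rules)
    if rule is None:
        return seen, None, "dropped (no rule)"
    return seen, rule.name, rule.web_filter


if __name__ == "__main__":
    guest = "192.168.2.50"   # constructed guest-network client
    for label, nat, rules in (
        ("original rules, NAT on", True, ORIGINAL_RULES),
        ("workaround rules, NAT on", True, WORKAROUND_RULES),
        ("original rules, NAT off + routes", False, ORIGINAL_RULES),
    ):
        print(label, "->", classify(guest, nat, rules))
```

Running it shows the three outcomes side by side: with NAT on, every guest packet arrives as 10.1.1.2 and matches nothing; the workaround makes it match Rule 1 and so bypasses the web filter entirely; only with NAT off and routes in place does the guest client hit Rule 2 and get the default web filtering policy.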