Question about moving server from DNAT to WAF and source address of incoming packets.

Hi there.

When I moved my web server from a standard DNAT rule to a WAF rule, all incoming packets on the server have src address = WAN interface.

Is it possible to set up the WAF without changing the source addresses of incoming packets?

I need to see the original source IPs from the internet on the web server.



Added TAGs
[edited by: emmosophos at 3:59 PM (GMT -8) on 3 Dec 2021]
  • Hello.

    Perhaps the setting "Pass host header" under Advanced within the firewall rule does the trick for you.

    This will add an extra header "X-Forwarded-For" to the request, which contains the client IP that you may analyze.


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • Thanks but it doesn't resolve the problem.

    When I'm behind the DNAT rule, connections to the web server (at layer 3) have their original source addresses; Wireshark shows something like this:
    IP 80.20.20.20.5475 > 172.16.16.17.https: Flags [F.], seq 2104, ack 5140, win 1022.................

    but when I switch to the WAF rule, the source IP address changes to the local LAN IP address of the Sophos firewall, and looks like this:
    IP 172.16.16.16.5460 > 172.16.16.17.https: Flags [P.], seq 8982:9006, ack 13..........

    So the web server doesn't know who is connecting when it is behind the WAF. I've got many rules on the web server to log and to serve specific content depending on source IP addresses.

    Is it possible for the WAF not to change the source IP address of layer 3 packets?

  • Well. The source address will change. This is the WAF job.

    But within web applications and web servers it is common to check for X-Forwarded-For headers. You may also enable it in the Apache web server logging behind the WAF. X-Forwarded-For is the standard feature for this.

    What do you mean by "rules in the web server"? Apache / nginx? Or is it your web application?


  • OK, so here is a simple example:

    I host nextcloud as mydomain.com/nextcloud with access from all the world.

    The same server hosts a Zabbix instance at mydomain.com/zabbix, but in zabbix.conf (/etc/apache2/conf-enabled/zabbix.conf) there are entries like "Require ip 192.168" etc., so Zabbix is available only from the "Required" addresses (local intranet).

    I can't do this when I move mydomain.com behind the WAF; enabling "Pass host header" changes nothing, Zabbix is accessible from the LAN and from the internet.

  • Ok. I understand.

    I think you are talking about different things.

    If you just have everything open on the internal web server but want to secure one path (here /zabbix), you may do this within the WAF by using an additional site path route to the Sophos WAF with access control enabled.

    One thing you would lose behind the WAF is that your logs would see the firewall.

    If you want to add an additional layer of security to your backend Apache, you may have a look at mod_remoteip.

    For nextcloud:

    If you want to use IP filters there (which are implemented at the Nextcloud application level), you have to look at the Nextcloud configuration (config/config.php). For that, have a look here: Reverse proxy — Nextcloud latest Administration Manual latest documentation


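Worked example for the X-Forwarded-For suggestion above and the mod_remoteip hint in this reply. This is an added illustration, not configuration from the thread or from Sophos: an Apache 2.4 setup on the backend server that restores the original client address from X-Forwarded-For, but only when the TCP peer is the firewall, so that the poster's existing "Require ip" restriction on /zabbix works again behind the WAF. It assumes the Sophos WAF does insert X-Forwarded-For, that the firewall's LAN address is 172.16.16.16 (the source address in the tcpdump output above), a Debian-style Apache layout as in the poster's /etc/apache2/conf-enabled/zabbix.conf, and a Zabbix web root of /usr/share/zabbix; the file names remoteip.conf and access.log are likewise assumptions.

```apache
# Added example, not from the thread or from Sophos. Backend Apache 2.4.
# Assumptions: the WAF sends X-Forwarded-For, the firewall's LAN address is
# 172.16.16.16, Debian-style /etc/apache2 layout, Zabbix under /usr/share/zabbix.

# ---- /etc/apache2/conf-available/remoteip.conf (assumed file name) ----
# Enable with:  a2enmod remoteip && a2enconf remoteip
#               apachectl configtest && systemctl reload apache2

# Take the client address from this header (the name the WAF is assumed to use).
RemoteIPHeader X-Forwarded-For

# Trust the header ONLY when the connection comes from the firewall itself.
# Without this line any internet client could send a forged
# "X-Forwarded-For: 192.168.1.10" and walk straight past "Require ip".
# InternalProxy (not TrustedProxy) is used on purpose: TrustedProxy discards
# private addresses from the header, which would drop the LAN clients the
# poster wants to allow.
RemoteIPInternalProxy 172.16.16.16

# Log both the restored client address (%a) and the real TCP peer (%{c}a),
# plus the raw header, so a forged or missing header is visible in the log.
LogFormat "%a %{c}a \"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %O" waf_combined
CustomLog ${APACHE_LOG_DIR}/access.log waf_combined

# ---- /etc/apache2/conf-enabled/zabbix.conf (the poster's existing rule) ----
# Nothing changes here: with mod_remoteip active, "Require ip" is evaluated
# against the address recovered from X-Forwarded-For instead of 172.16.16.16,
# so LAN clients are admitted and internet clients get 403 again.
<Directory /usr/share/zabbix>
    Require ip 192.168
</Directory>
```

Two checks before relying on this: first, confirm in the access log that the quoted X-Forwarded-For field is actually populated for requests arriving from the firewall; if it is empty, the WAF is not sending the header and "Require ip" will keep seeing 172.16.16.16 for everyone. Second, LAN clients that reach 172.16.16.17 directly rather than through the WAF send no header at all, and mod_remoteip then leaves the peer address untouched, so the same restriction still applies to them. Note that this only repairs what Apache sees at the HTTP layer; the layer 3 source address in a packet capture stays the firewall's, as the reply above says.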
  • Ok, I thought the web server could be secured transparently without making changes to the packets.

    So now, can you explain "...using an additional site path route to the Sophos WAF with access control enabled."?
    I found the "Path-specific routing" settings; I can add the path /zabbix and set "allowed client networks" to my LAN addresses, but I'm still missing something, and Zabbix is accessible from any IP.