
How to change Packets TTL (Time to Live) value in firewall?

Is there a feature in Sophos Firewall to change TTL value of packets so that the authorized users in my network cannot share internet access by creating their personal WiFi Hotspot to connect unauthorized users to access the internet through my network?

Please let me know and help me on this matter. If there is no such feature in Sophos Firewall, then how can we recommend that Sophos add this feature in their firewall as soon as possible?

Thank you so much 



[edited by: Erick Jan at 3:20 AM (GMT -7) on 29 Apr 2024]
  • Sophos Firewall does not support changing the TTL value of packets to limit internet access to 1 or 2 networks ahead of the Firewall. This feature enables control over packet life so the user cannot share internet access with any other user who could access the internet through the WiFi hotspot of mobile phones or laptops. Sophos should provide this feature in its firewall as it is available in the Mikrotik firewall rule in mangle settings through the postrouting feature; I am already using it through a Mikrotik router behind my Sophos firewall to block users of the network from creating a hotspot on their devices and sharing internet access and bandwidth with unauthorized users.

    Please do something for this requirement.

    Thanks.

  • Hi,

    In the meantime while waiting for a fix let us suggest a method to overcome your issue. Please post a copy of your firewall rule that is being used by the AP connections?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Thank you for reaching out to Sophos Community.

    In addition to Ian, for a Feature request, you would need to reach out to Support or your Account Manager to add this to your account as a Feature Request. 

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.

  • I am not quite sure I understand what you mean. So you are saying a client is opening a hotspot to your network and tunnelling other clients to the network with a MASQ?

    How would a TTL feature prevent this? You are saying if the TTL exceeds something, then the firewall drops this, as it indicates tunnelling?


  • The TTL feature drops the packet's life to live and prevents it from reaching the next devices. For example, if I am creating a hotspot WiFi from my mobile device, then the packet coming from the firewall will have only 1 TTL, so I can use it to access the internet, but when a device is connected to my hotspot the packet TTL cannot reach that device as it only had 1 TTL to my device only. So the 3rd device will not have access to the internet via my mobile WiFi hotspot.

    This feature is available in Mikrotik>IP>Firewall>Mangle> New rule> Chain(Postrouting)>Action(Change TTL)>

  • The TTL feature limits the life of a packet to live between networks and to travel from 1 network to another. For example, I am connected to the Firewall LAN through my mobile device, and if I turn ON my WiFi hotspot sharing, then the 3rd device connected to my hotspot will have access to the internet via my personal hotspot. But if we limit the TTL to 1 in the firewall, then internet access will be limited to my mobile device only, and any other 3rd device connected to my personal hotspot cannot access the internet through it, as the packet life was already TTL=1 and it drops in my mobile device and cannot pass through my phone to the next hotspot network.

    Kindly help me with this requirement in SOPHOS Firewall. It is a very important feature for a network administrator to implement in order to limit internet access to allowed users only.

  • I understand this use case (it is quite rare, to be honest), but I never saw this requirement in the last 7 days. Not sure if there is a great need for such a feature.

    You can raise your feature request with your local sales, if needed.


  • This feature is available in Mikrotik>IP>Firewall>Mangle> New rule> Chain(Postrouting)>Action(Change TTL)> TTL=2

    TTL 1 is for my Firewall and other is for my endpoint devices.

    I am using Mikrotik Router to avail this feature between my Firewall and ISP.

    If Sophos Firewall provides this feature in an update, then I can remove the Mikrotik router from my network, and it will increase my network performance and decrease the cost and delay in traffic as well.

    Please do something and help me with this scenario.
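To make the per-hop arithmetic in the two posts above concrete (TTL=1 when the firewall itself rewrites the value, TTL=2 when a Mikrotik in front of Sophos does it), here is an added Python simulation of the standard TTL decrement; it is not part of the thread, and the device names are made up for the illustration.

```python
# Added illustration, not from the Sophos thread: model how the TTL of a
# LAN-bound packet is consumed hop by hop once an upstream router has
# rewritten it in postrouting. Device names below are constructed.


def deliver(ttl_set_upstream: int, hops: list[str], dst: str) -> str:
    """Walk a packet through `hops` (first entry is the device that receives
    it from the TTL-rewriting router) and report whether `dst` gets it.

    Rules modelled:
      * a host accepts a packet addressed to it whatever its TTL is;
      * a device that has to forward the packet decrements TTL first and
        discards it when the result is 0 (ICMP Time Exceeded in practice).
    """
    ttl = ttl_set_upstream
    for hop in hops:
        if hop == dst:
            return "delivered"
        ttl -= 1  # forwarding to the next device costs one hop
        if ttl <= 0:
            return "dropped"
    return "dropped"  # destination not on this path at all


# Scenario A (hypothetical Sophos feature): the firewall writes TTL=1 on
# packets leaving its LAN interface. The phone on the LAN is served, but a
# laptop tethered to the phone's hotspot is one hop too far.
LAN_BEHIND_SOPHOS = ["phone", "tethered-laptop"]

# Scenario B (what the poster runs today): a Mikrotik between ISP and
# Sophos writes TTL=2, Sophos spends one hop forwarding, the phone is
# served with TTL=1, and the tethered laptop is still cut off.
LAN_BEHIND_MIKROTIK = ["sophos", "phone", "tethered-laptop"]


def report() -> dict[str, str]:
    """Outcome for each (scenario, destination) pair, for quick inspection."""
    return {
        "A: phone": deliver(1, LAN_BEHIND_SOPHOS, "phone"),
        "A: tethered-laptop": deliver(1, LAN_BEHIND_SOPHOS, "tethered-laptop"),
        "B: phone": deliver(2, LAN_BEHIND_MIKROTIK, "phone"),
        "B: tethered-laptop": deliver(2, LAN_BEHIND_MIKROTIK, "tethered-laptop"),
        "no rewrite: tethered-laptop": deliver(64, LAN_BEHIND_MIKROTIK, "tethered-laptop"),
    }


if __name__ == "__main__":
    for case, outcome in report().items():
        print(f"{case:30s} {outcome}")
```

The "no rewrite" row shows why the control depends entirely on the upstream rewrite: with the TTL an internet host normally sends, the tethered device is reached without difficulty, so the rewrite has to be placed on the last router before the user LAN and set to exactly the number of hops that router is away from the endpoints.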

  • Please provide the information requested so we can help you.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.