Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to change Packets TTL (Time to Live) value in firewall?

Is there a feature in Sophos Firewall to change TTL value of packets so that the authorized users in my network cannot share internet access by creating their personal WiFi Hotspot to connect unauthorized users to access the internet through my network?

Please let me know and help me on this matter. If there is no such feature in Sophos Firewall then how can we recommend the Sophos to add this feature in their firewall as soon as possible.

Thank you so much 



This thread was automatically locked due to age.
Parents
  • Sophos Firewall does not support changing TTL value of Packets to limit internet access to 1 or 2 networks ahead of Firewall. This feature enables the control over packet life so the user cannot share the internet access to any other user which can access internet through WiFi Hotspot of mobile phones or laptops. Sophos should provide this feature in it's firewall as it is available in Mikrotik Firewall rule in mangle settings through postrouting feature as I am already using it through mikrotik router behind my Sophos firewall to block users of network to create Hotspot in their devices and share internet access and bandwidth to unauthorized users.

    Please to something for this requirement.

    Thanks.

Reply
  • Sophos Firewall does not support changing TTL value of Packets to limit internet access to 1 or 2 networks ahead of Firewall. This feature enables the control over packet life so the user cannot share the internet access to any other user which can access internet through WiFi Hotspot of mobile phones or laptops. Sophos should provide this feature in it's firewall as it is available in Mikrotik Firewall rule in mangle settings through postrouting feature as I am already using it through mikrotik router behind my Sophos firewall to block users of network to create Hotspot in their devices and share internet access and bandwidth to unauthorized users.

    Please to something for this requirement.

    Thanks.

Children
  • I am not quite sure, i understand what you mean. So you are saying, a client is opening a hotspot to your network and tunnel other clients to the network with a MASQ?

    How would a TTL feature prevent this ? You are saying if the TTL exceed something, then the firewall drops this, as it indicates a tunneling ?

    __________________________________________________________________________________________________________________

  • TTL feature drops the packet life to live and prevents it from reaching next devices. Like if I am creating a hotspot wifi from my mobile device then the packet coming from firewall will have only 1 TTL so I can use it to access internet, but when a device connected to my hotspot the packet TTL cannot reach that device as it only had 1 TTL to my device only. So the 3rd device will not have access to internet via my mobiel wifi hostspot.

    This feature is available in Mikrotik>IP>Firewall>Mangle> New rule> Chain(Postrouting)>Action(Change TTL)>

  • The TTL feature limits the life of a packet to live between networks and to travel from 1 network to other. For example I am connected to Firewall LAN through my Mobile device and if I turn ON my WIFI Hotspot sharing then the 3rd device connected to my Hotspot will have access to internet via my personal Hotspot. But if we limit the TTL to 1 in firewall then the internet access will be limited to my mobile device only and any other 3rd device connected to my personal hotspot cannot access the internet through it as the packet life was already TTL=1 and it drops in my mobile device and cannot pass through my phone to next hotspot network.

    Kindly help me with this requirement in SOPHOS Firewall. It is very important feature for network administrator to implement it and limit Internet access to allowed users only.

  • I understand this use case (it is quite rare to be honest), but i never saw in the last 7 days this requirement. Not sure if there is a great need for such a feature. 

    You can rise your feature request with your local sales, if needed.

    __________________________________________________________________________________________________________________