Policy Routes vs Web Filtering

Hello,

I found similar topics on the forum but none of them clearly explained what the problem is. It seems Web Filtering is taking priority over Policy Routes.

I have the following routing problem:

Network 10.10.10.0/24, which is a production network, is allowed to browse the web (HTTP & HTTPS) via the Web Filtering "Allowed Network" Field.

A policy route is configured for host 10.10.10.253. All traffic originating from 10.10.10.253 should be routed to another gateway. Obviously the 10.10.10.253 host is part of the 10.10.10.0/24 subnet.

All ICMP/UDP traffic is correctly routed. HTTP and HTTPS (TCP 80 + TCP 443) are routed via the Sophos UTM.

Because the Web filter "Allowed Network" field only allows networks to be added, I cannot add the IP address I want to exclude.

The only solution I imagined is to add the following subnets to the Web Filter config.

CIDR              Start IP       End IP         Subnet mask      Addresses  Hosts  Wildcard mask
10.10.10.1/32     10.10.10.1     10.10.10.1     255.255.255.255  1          1      0.0.0.0
10.10.10.2/31     10.10.10.2     10.10.10.3     255.255.255.254  2          2      0.0.0.1
10.10.10.4/30     10.10.10.4     10.10.10.7     255.255.255.252  4          2      0.0.0.3
10.10.10.8/29     10.10.10.8     10.10.10.15    255.255.255.248  8          6      0.0.0.7
10.10.10.16/28    10.10.10.16    10.10.10.31    255.255.255.240  16         14     0.0.0.15
10.10.10.32/27    10.10.10.32    10.10.10.63    255.255.255.224  32         30     0.0.0.31
10.10.10.64/26    10.10.10.64    10.10.10.127   255.255.255.192  64         62     0.0.0.63
10.10.10.128/26   10.10.10.128   10.10.10.191   255.255.255.192  64         62     0.0.0.63
10.10.10.192/27   10.10.10.192   10.10.10.223   255.255.255.224  32         30     0.0.0.31
10.10.10.224/28   10.10.10.224   10.10.10.239   255.255.255.240  16         14     0.0.0.15
10.10.10.240/29   10.10.10.240   10.10.10.247   255.255.255.248  8          6      0.0.0.7
10.10.10.248/30   10.10.10.248   10.10.10.251   255.255.255.252  4          2      0.0.0.3
10.10.10.252/32   10.10.10.252   10.10.10.252   255.255.255.255  1          1      0.0.0.0

Not sure if the Sophos will accept the /32 masks though.

Does anyone have a solution for this?



This thread was automatically locked due to age.
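The subnet-splitting workaround sketched in the opening post (cover the /24 with smaller blocks that leave the one host out) can be computed and checked rather than built by hand. The following is an added example, not code from this thread or from Sophos; it uses only Python's standard-library ipaddress module. exclude_hosts() carves one or more hosts out of a network and returns the minimal covering set of CIDR blocks, and uncovered_addresses() / overlapping_pairs() audit any hand-built list, including the thirteen-row table above (OP_TABLE is that table, transcribed here for the check).

```python
import ipaddress


def exclude_hosts(network, excluded_hosts):
    """Return the minimal, sorted list of CIDR blocks that together cover
    `network` with every address in `excluded_hosts` carved out.

    Each exclusion repeatedly halves the block that contains the host and
    keeps the half that does not, which is what address_exclude() does;
    for a /24 minus one /32 this yields eight blocks.
    """
    blocks = [ipaddress.ip_network(network)]
    for host in excluded_hosts:
        carve = ipaddress.ip_network(host)        # a bare address becomes a /32
        remaining = []
        for block in blocks:
            if carve.subnet_of(block):
                remaining.extend(block.address_exclude(carve))
            else:
                remaining.append(block)
        blocks = remaining
    return sorted(blocks)


def uncovered_addresses(network, blocks):
    """Every address of `network` (network and broadcast included) that no
    block in `blocks` covers. Useful to audit a hand-written exclusion list."""
    net = ipaddress.ip_network(network)
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [addr for addr in net if not any(addr in n for n in nets)]


def overlapping_pairs(blocks):
    """Pairs of blocks that overlap; an exclusion list should have none."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


# The thirteen-row list from the opening post, transcribed for the audit.
OP_TABLE = [
    "10.10.10.1/32", "10.10.10.2/31", "10.10.10.4/30", "10.10.10.8/29",
    "10.10.10.16/28", "10.10.10.32/27", "10.10.10.64/26", "10.10.10.128/26",
    "10.10.10.192/27", "10.10.10.224/28", "10.10.10.240/29", "10.10.10.248/30",
    "10.10.10.252/32",
]


if __name__ == "__main__":
    net, host = "10.10.10.0/24", "10.10.10.253"
    print(f"Minimal cover of {net} without {host}:")
    for block in exclude_hosts(net, [host]):
        # hostmask is the wildcard mask column of the table above
        print(f"  {str(block):18} mask {block.netmask}  wildcard {block.hostmask}")
    print("Posted table leaves uncovered:",
          [str(a) for a in uncovered_addresses(net, OP_TABLE)])
    print("Posted table overlaps:", overlapping_pairs(OP_TABLE))
```

For 10.10.10.0/24 minus 10.10.10.253 the minimal cover is eight entries (10.10.10.0/25, .128/26, .192/27, .224/28, .240/29, .248/30, .252/32 and .254/31) rather than thirteen, and uncovered_addresses() run over the posted table reports 10.10.10.0, .253, .254 and .255 as outside it. Whether the UTM's Allowed Networks field accepts /31 and /32 entries is a separate question that the thread leaves open.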
  • Hallo and welcome to the UTM Community!

    Dirk's suggestion is a great solution: simple and elegant.

    There is a way to create a separate Web Filtering Profile for 10.10.10.253.  Web Filtering Profiles are in an ordered list, so the additional Profile would take precedence over the default profile.  Then, you need to run the following command to be able to specify in WebAdmin the outgoing interface for each Profile:

    cc set http enable_out_interface 1

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • There is no way to use a Policy Route for 10.10.10.0/24 while also using the web filter profile, right?

    I'll explain it simply:

    • I have a static route to internet over eth1.
    • My policy route is over eth5.
    • Webfilter profile takes the eth1 path over the internet, instead of eth5

    Would "cc set http enable_out_interface 1" change this behavior? Does this setting survive a firmware upgrade?

  • No, WebAdmin won't make a Static Route that takes precedence over the Web Filtering settings, so neither of those routes is working as you thought.

    I think you can use Multipath rules to accomplish what you want.  See Rule #2.1 in Rulz (last updated 2020-11-12).

    Yes, the cc setting does survive reboots and upgrades.  This setting doesn't change the behavior relative to Static Routes.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for the reply.

    Interesting. I just found out that there is a multipath rule for HTTP/HTTPS which is already active. This multipath rule seems to be routing the traffic via the uplinks.

    The production network 10.10.10.0/24 is probably using this route since the beginning in order to browse the web.

    This whole topic was about routing a host through another gateway. I guess I will then just add a rule before, specifying the correct gateway.