Blackhole DNAT not working

Hello,

I want to be able to block a client's complete traffic to the internet on the UTM.

To avoid creating separate firewall and web protection rules, I found out that you can create a blackhole DNAT rule so that all traffic from these clients goes to nirvana. I tried the following:

1. Created a new group "BAD_CLIENTS". There I can put the clients to block with their IP or DNS name, e.g. "192.168.1.222" or "CLIENT-122.DOMAIN.LOCAL".

2. Created a new DNAT rule with an automatically created firewall rule:

Position: 1
Type: DNAT
Source: Group "BAD_CLIENTS"
Service: Any
Destination: Internet IPv4
---
Change Destination: 1.2.3.4

The clients in the BAD_CLIENTS group are no longer able to ping any internet address, e.g. google.com. But they can still access the whole internet via browser??

Is my configuration wrong or am I thinking wrong?

What is the fastest, easiest and most effective way to block all internet traffic of clients?



This thread was automatically locked due to age.
  • Alexander Busch said:

    Thank you, I already posted the Rulz link above but thought DNAT is before Webfilter (proxy), so I am wondering why web surfing works for the client who is in the blackhole DNAT rule.

  • Hello Horsting,

    Welcome to the Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    It sounds like your BAD_CLIENT is using the Proxy in Standard mode, so you will want to add "Internal (Address)" to the 'Going to' section of your DNAT.

    Also, 1.2.3.4 is reserved for Sophos APs to contact the UTM. The Rulz post suggests using an IPv4 address in 240.0.0.0/4.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob, happy to continue in German too :)

    BAlfson said:
    Also, 1.2.3.4 is reserved for Sophos APs to contact the UTM. The Rulz post suggests using an IPv4 address in 240.0.0.0/4.

    I had already seen that about 1.2.3.4 and have already entered a different unreachable IP. But thanks for the info anyway.

    BAlfson said:
    It sounds like your BAD_CLIENT is using the Proxy in Standard mode, so you will want to add "Internal (Address)" to the 'Going to' section of your DNAT.

    Proxy = Web Protection -> Web Filtering? If so: the web filter runs in Transparent mode. As suggested by dirkkotte, I added the BAD_CLIENTS group as a source under Web Protection -> Filtering Options -> Misc in the Transparent Mode Skiplist. That seems to be sufficient. Or is there a better/more elegant/more secure way?

    Many thanks and best regards

  • Hello Horsting,

    If you're in Transparent, then the solution suggested by Dirk is the most elegant one.

    Regards - Bob (Please continue in German.)