Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 7730 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM Bridge Mode

MarcoTeixeira

Hi, 

 

I have a UTM SG 125 with firmware 9.601-5. I want to set up this device in bridge mode (full transparent), and place it bettween the internal network and the Router. I've created bridged interfaces (eth6 and eth7), but I can´t even get DHCP from the router. If  a put a static IP adress on a computer after the firewall I'm only capable of pinging an Internet address.

Sandstorm and IPS must work since it is the main pupose of the firewall. 

 

Please anyone has a datasheet of the configuration for this firmware versions ? Thos ones I found aren´t working. 

 

Best regards



This thread was automatically locked due to age.
Parents
  • 0

    You have to go into Advanced Bridge settings for the interface, and specify the Ethertypes that you want to pass.   A web search should take you to the master list of registered EtherTypes.

    By default, only IPv4 packets are passed.   I use this list.  DHCP may not be included, because I do not need it.

    0806
    814c
    8035
    876b
    86dd
    880b

     

  • 0 in reply to DouglasFoster

    Thank you Douglas. 

     

    I've done what you said, adding those ethertypes but still not working. 

    eth0: 192.168.1.1/24

    eth1: WAN (not connected) 

    eth6: connected to router that has IP 192.168.1.254 and DHCP. 

    eth7: Connectd to LAN

     

    I can ping 4.2.2.2 or a web address, but when I open the browser I can´t. I've configured it as full transparent mode. 

    The ideia is to allow all traffic in out, and allow VPN traffic, H323 and SIP from outside to the bridged network. The LAN/WAN confgiuration is only for management purposes. 

    Do you have any suggestion about the configuration (see images, please)

     

    Thank your for you help and concern, 

     

     

     

     

     

     

     

     

  • 0 in reply to MarcoTeixeira

    You forced me to check my facts.  DHCP uses UDP 67 and UDP 68, so it is passed automatically as part of the default EtherType.   Adding EtherTypes may be important, but not for this situation.    

    I was surprised to see that the bridge has no IP Address.   That MAY be part of your problem if you are trying to pass DHCP between device on ETH6 and server on ETH7.

    It is certainly the problem if you are trying to do DHCP relay between the devices on the Bridge and devices on the Internal network, because there will be no route between the two LANs.

  • 0 in reply to DouglasFoster

    Hi Doulglas. 

     

    Thank you for your concern. 

     

    The main ideia is to have the UTM as a layer 2 device. COMPANY router --> UTM --> LAN.  The UTM must allow all the traffic coming from the Internet. 

    I put an IP adress in the bridged interface. Web access started working, but only if I put web filter in Standard Mode or disabled . If I put it transparent or Full Transparent, it blocks: 

    2019:05:29-12:55:02 utm httpproxy[26589]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.120" dstip="161.69.169.22" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2499" request="0xda40e00" url="https://161.69.169.22/" referer="" error="Network is unreachable" authtime="0" dnstime="1" aptptime="180" cattime="217" avscantime="0" fullreqtime="312737" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized"

    I tested to block some categoty sites but stragely it allows the sites. 

     

    Do you have any ideia what it can be? 

     

    Thank you once more 

  • 0 in reply to MarcoTeixeira

    Olá Marco,

    There are several things I would change:

    1. In DNS 'Allowed Networks', put only "Bridge01 (Network)" and "Internal (Network)" so that you aren't offering DNS to the outside world.
    2. Your "Bridge01" interface shouldn't need to have an IP.
    3. You shouldn't need to have the DHCP relay configured unless "DHCPSERVER" is in "Internal (Network)' - in which case, you also need "Internal" in 'Interfaces'.
    4. Rather than an 'Any -> Any -> Any' firewall rule, make one like 'Bridge01 (Network) & Internal (Network) -> Any -> Bridge01 (Network) & Internal (Network)'.  Then make a rule for each network like 'Bridge01 (Network) -> DNS & Web Surfing -> Internet'.
    5. You also need a Masq rule like 'Bridge01 (Network) -> External'.
    6. In Web Filtering, instead of "Any" in 'Allowed Networks', follow the recommendation in 1 above.

    I'm confused that your External interface doesn't show that it's getting an Internet connection.

    Once al those things are addressed, does Full Transparent work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to MarcoTeixeira

    Olá Marco,

    There are several things I would change:

    1. In DNS 'Allowed Networks', put only "Bridge01 (Network)" and "Internal (Network)" so that you aren't offering DNS to the outside world.
    2. Your "Bridge01" interface shouldn't need to have an IP.
    3. You shouldn't need to have the DHCP relay configured unless "DHCPSERVER" is in "Internal (Network)' - in which case, you also need "Internal" in 'Interfaces'.
    4. Rather than an 'Any -> Any -> Any' firewall rule, make one like 'Bridge01 (Network) & Internal (Network) -> Any -> Bridge01 (Network) & Internal (Network)'.  Then make a rule for each network like 'Bridge01 (Network) -> DNS & Web Surfing -> Internet'.
    5. You also need a Masq rule like 'Bridge01 (Network) -> External'.
    6. In Web Filtering, instead of "Any" in 'Allowed Networks', follow the recommendation in 1 above.

    I'm confused that your External interface doesn't show that it's getting an Internet connection.

    Once al those things are addressed, does Full Transparent work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML