This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Routing specific traffic out through an additional address on an interface

Hi, I need to set up a way to route specific traffic from one server out through or to show as an additional public address that we have set up but cannot seem to figure out where to set it.

It always seems to show as the main IP address of the interface and not the additional.  I have set up a SNAt with the traffic from set as the server, service as ANY, going to set as the specific IP destination we need, then have put the action as change the source to the address of the additional public IP address but doesn't seem to work.

 

Any advice on this would be appreciated.

 

Lee



This thread was automatically locked due to age.
  • As oldeda says, masquerading can do this.  Masq rules are an ordered list.  In all ordered lists in WebAdmin, once a rule applies, none of the others are considered.  That means that one for a single server must be above the rule for the subnet the server is in.

    That your SNAT didn't work indicates that replacing it with a Masq rule won't solve your problem.

    There's something else going on that you haven't considered... Is this port 80 or port 443 traffic that's being captured by Web Filtering in Transparent mode?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm not sure when they made the masq rule list an ordered one, Olsi - maybe in V8.3 or early V9?  It was probably like that for two years before I learned about it!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    basically the MASQ is behind SNAT.

    So you can create a MASQ for LAN using WAN1 and create a SNAT for a certain IP and it will take the SNAT for the IP and "fallback" to the MASQ for the other traffic.

    You should be careful with MASQ and IPv6.

    OR(like you mentioned before), it is more likely, something in the UTM is intercepting the traffic and the SNAT rule does not match at all. Like SMTP EXIM for Mail.

    Cheers

    __________________________________________________________________________________________________________________

  • Hi MBP,

    My interpretation is that SNAT is applied before masquerading gets a look at the packet.  The means that the SNAT'd packet's no longer qualifies for the masq rule because its source IP is no longer in a LAN.  I don't know that for a fact.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA