Masquerading & Web protection

Hi,

Cause of your topology you dont need to masq or nat. Your router do that for you. Its not needed on the utm and has no effect in your topology.

Hi Zaphod & Vladimir,

For this config, if the UTM is on a private network to connect to your router then your home network is behind it, you should require either a static router from the router to the UTM so it knows about the home network or a masquerade. Interesting that it works for you without a masquerade unless all of a sudden Transparent mode auto masquerades connections which it technically shouldn't.

Vladimir, is your router in bridge mode?

Emile

Hi Emile.

"is your router in bridge mode?"

No...

Hi Vladimir,

Could you share a screenshot of your interfaces from Interfaces & Routing > Interfaces?

Emile

with these settings, Internet work...

If i disable the web protection, without a masquerade internet not working

Hi Vladimir, 

Wow, transparent mode web filtering is masquerading as the primary interface address of the first default gateway it hits, that's a first for me. I've just tested it in my lab and yep, transparent mode webfiltering with no Masq rule set, it was doing masquerading, checked it in the TCPDump and there were two outgoing packets, one for the local to public, then masqed to public to public.

To answer your question Vladimir, no you won't need a specified Masquerade rule, but it's best to have one for all the other services which transparent mode web filtering will not cover :)

BAlfson or sachingurung, is this behaviour new or have I never noticed it?

Emile

I understand you correctly,  network is specified in the Web Filtering, do not need rules masquerading ?

Hi Vladimir,

I would advise having one, yes.

This makes sure that there are no broken routes between your UTM and your Router :)

Emile

Emile, Thank you!

It's been like this since I can remember, Emile, for all proxies.  For example, if you want outbound SMTP to come from an IP other than the primary one on the External interface and your mail server is relaying off the UTM's SMTP Proxy, the SNAT must have a Source of "External (Address)" instead of the internal IP of the mail server.

The help for Multipath rules includes:

Note – Basically, persistence by source cannot work when using a proxy because the original source information is lost. The HTTP proxy however is an exception: Traffic generated by the HTTP proxy will match against the original client source IP address and thus complies with interface persistence rules By source, too.

Cheers - Bob

It's been like this since I can remember, Emile, for all proxies.  For example, if you want outbound SMTP to come from an IP other than the primary one on the External interface and your mail server is relaying off the UTM's SMTP Proxy, the SNAT must have a Source of "External (Address)" instead of the internal IP of the mail server.

The help for Multipath rules includes:

Note – Basically, persistence by source cannot work when using a proxy because the original source information is lost. The HTTP proxy however is an exception: Traffic generated by the HTTP proxy will match against the original client source IP address and thus complies with interface persistence rules By source, too.

Cheers - Bob