
Sophos UTM Webfilter

Hello,

I currently have a configuration in which all my Internet traffic is routed through a VPN router in the DMZ. The configuration is as follows:

Interfaces

LAN (Internal Network): 192.168.0.0/24
DMZ (VPN Service): 10.0.0.0/8
WAN: 84.x.x.x

Static Routing - Policy Route

Gateway Route: Internal / Internal (Network) / Any / Internet IPv4 / GW: VPN Router DMZ

Network Protection - Firewall - Rules

DMZ (VPN Network) -> DNS, FTP, HTTPS, NTP, SSH -> Internet IPv4

NAT - Masquerading

Internal (Network) -> External (WAN)
Internal (Network) -> DMZ VPN
DMZ VPN -> External (WAN)

Web Protection - Filtering Options - Misc - Transparent Mode Skiplist

Skip Transparent Mode Source Hosts / Nets: Internal (Network)
Marked: Allow HTTP/S traffic for listed hosts/nets

With this configuration all traffic from the internal LAN is routed through the VPN service; this works.

When I deactivate the policy route, all Internet traffic is routed over the normal WAN connection, not over the VPN service.

When I disable the Internal network under Misc - Skip Transparent Mode Source Hosts / Nets, I can connect to the Internet, but over my normal WAN connection, not over the VPN service.

What am I doing wrong? Which setting do I have to change so that traffic goes over the VPN service without skipping the Internal network in the Web Protection settings? What am I missing?

 

Thanks



This thread was automatically locked due to age.
  • When you disable the skip transparent source for Internal, the proxy will intercept all web traffic if you have configured transparent web filtering; hence the web filter itself is the one handling the traffic and sending it to the default gateway.

    If I understand correctly, you want to use web filtering on your web requests and still route them over the VPN connection in the DMZ?

    If you want ALL traffic to go out over the VPN connection in the DMZ and you don't want anything to go out locally, then I'm a bit confused as to why you have the 3 subnets you have now (Internal, DMZ and WAN). You might be better off just selecting full transparent mode as explained above, connecting one end of the connection to the DMZ VPN gateway and connecting the "internal" clients to the other interface using a switch.
    This way all connected clients will physically be inside the current DMZ and use it to connect out.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
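The mechanism this reply describes (the transparent proxy terminating the client's web connection and re-originating it from the firewall itself, so a policy route keyed on the Internal source network no longer matches and the traffic falls through to the default gateway) as an added illustration. This is a small Python model written for this page, not Sophos code and not from the thread; every address, the gateway IPs, the firewall's own WAN address and the "is_global means Internet IPv4" simplification are constructed assumptions, and the post's WAN 84.x.x.x is stood in for by a placeholder.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# --- constructed values for this illustration (not taken from the thread) ---
INTERNAL_NET = ip_network("192.168.0.0/24")   # "Internal (Network)" in the post
VPN_GATEWAY = "10.0.0.1"                      # assumed address of the VPN router in the DMZ
WAN_GATEWAY = "84.0.0.254"                    # assumed ISP next hop behind the 84.x.x.x WAN
FIREWALL_WAN_IP = "84.0.0.1"                  # assumed address the proxy re-originates from
PROXY_PORTS = {80, 443}                       # what transparent web filtering intercepts


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    originated_locally: bool = False  # True once the proxy owns the upstream side


def policy_route(flow: Flow):
    """The post's policy route: source Internal (Network), service Any,
    destination Internet IPv4 -> gateway "VPN Router DMZ".
    Policy routes are evaluated for forwarded packets; packets the firewall
    itself originates (the proxy's upstream connections) never match one.
    'Internet IPv4' is simplified here to any globally routable address."""
    if flow.originated_locally:
        return None
    if ip_address(flow.src) in INTERNAL_NET and ip_address(flow.dst).is_global:
        return VPN_GATEWAY
    return None


def next_hop(flow: Flow) -> str:
    """Policy route first; otherwise the default route out of the WAN."""
    return policy_route(flow) or WAN_GATEWAY


def transparent_proxy(flow: Flow, skip_sources) -> Flow:
    """Transparent web filtering. A source on the skiplist is forwarded as-is.
    Anything else on a proxied port is terminated on the firewall and re-sent
    as the firewall's own connection, so the client's source address is gone."""
    if flow.dport not in PROXY_PORTS:
        return flow
    if any(ip_address(flow.src) in net for net in skip_sources):
        return flow
    return replace(flow, src=FIREWALL_WAN_IP, originated_locally=True)


def egress_gateway(client_flow: Flow, skip_sources=()) -> str:
    """Gateway a client's packet ends up using with the proxy in the path."""
    return next_hop(transparent_proxy(client_flow, skip_sources))


if __name__ == "__main__":
    # constructed client HTTPS flow from the internal LAN to a public address
    web = Flow("192.168.0.10", "93.184.216.34", 443)
    print("Internal on skiplist :", egress_gateway(web, [INTERNAL_NET]))  # VPN gateway
    print("Internal not skipped :", egress_gateway(web))                  # WAN gateway
    print("non-web flow, no skip:", egress_gateway(Flow("192.168.0.10", "93.184.216.34", 22)))
```

The model reproduces the two observations in the question: with Internal on the skiplist the policy route matches and the flow goes to the VPN gateway; with the skiplist entry removed the proxied flow leaves as the firewall's own connection and takes the WAN default route. A quick way to confirm this on a real box is to compare a proxied port (443) with a non-proxied one (22) from the same client: if only the web flows bypass the VPN, the proxy, not the policy route, is deciding the egress.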

  • Hello Apijnappels,

    Yes, I would like to have web filtering and route all traffic over the VPN tunnel.

    I use 3 interfaces because with this configuration I am able to activate the gateway route, so all traffic goes over the DMZ through the VPN tunnel (VPN for privacy), and when I deactivate the gateway policy route, the Internet traffic goes out directly via my ISP's Internet connection.