Changing the IP used on outbound proxy traffic

Hi,
I've just moved over to BT Infinity for Business as my ISP.

To use BT Infinity, you have to use their VDSL modem.  They supply a router, but you can use other routers if you choose to.  To get Astaro to work, you have to connect to the BT network using PPPoE and you get allocated a DHCP address which is fine.

You can also have static IP addresses allocated and this is where my question starts.

I've added the additional IP addresses as additional addresses on the ethernet adaptor that connects to BT.  So my external interface has a DHCP address and my additional six static IP addresses.  These IP addresses are visible to the internet as e-mail flows in and out, and VPN works as expected.

However, when I use the Web Filtering, all web traffic goes out onto the internet using the DHCP allocated IP address.  How can I change this so that it uses one of the static IP addresses?


This thread was automatically locked due to age.
  • Scott's right.  In a situation where you want specific traffic to leave via an Additional Address, a SNAT is the right "trick" to use:

    External (Address) -> Web Surfing -> Internet : SNAT from External [Other Address] (Address)


    Note that the service stays blank and that the address objects are those created by WebAdmin.

    Cheers - bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Scott's right.  In a situation where you want specific traffic to leave via an Additional Address, a SNAT is the right "trick" to use:

    External (Address) -> Web Surfing -> Internet : SNAT from External [Other Address] (Address)


    Note that the service stays blank and that the address objects are those created by WebAdmin.

    Cheers - bob



    Thanks for the feedback Bob.  I made the change Scott suggested using your additional information and it works.

    Many thanks to you both and sorry for doubting you Scott [:D]
  • Hi all.

    I realise this is a very old thread but I'm trying through sheer desperation!

    I am in the exact same boat - BT Business, DHCP IP on interface with 5 additional Static IPs.

    This solution is not working for me! I have created an SNAT rule and also a Masquerading rule to send traffic via one of the additional IPs, but they only work when the proxies are turned off!

    If Web Filtering is on, then all HTTP traffic leaves on the default IP assigned by DHCP. If I relay mail through the UTM, then that also leaves on the default IP, which is no good because the mail gets bounced back from most servers!

    As soon as I turn off Web Filtering and tell Exchange to route mail directly rather than relay through the UTM, then they follow the masquerading/SNAT rules and leave on the correct IPs!

    How do I stop this! This is baffling as these should be simple features that aren't implemented for some reason! I would appreciate any advice if someone can give any!!

    Using Sophos UTM 9.309-3

    Thanks in advance
  • It is still a problem!

    We have the same issue here and no solution yet - we can only decide whether we'd like to use Web filtering or send the traffic out via the correct interface.

     

    The thing with SNAT is, we can NOT differentiate between any user groups - only send the whole Web traffic out on another interface.

    Hasn't anyone found a solution yet?

  • Hi, Daniel, and welcome to the UTM Community!

    This has long been a feature requested by UTM users.  You may want to vote for and comment on Proxies and Profiles Mapping to Additional Addresses.  My comment there suggests a workaround that can be done with a second proxy.

    Cheers - Bob

  • Can you set up a second proxy inside the Sophos? Or would that be a separate proxy on a separate network that does not have web filtering turned on?

  • No, you cannot do that. You can only create multiple Proxy Profiles for different Hosts/Networks. 

    The only solution we found is to install a second box, route the traffic on the first one using Multipathing or static routing, and filter web traffic on the second one.

  • To have this thread completed, let me mention this should be possible by now.

     

    See following KB: https://community.sophos.com/kb/en-us/126892


  • I know this thread is old, but I had this very same issue, and tried this fix, and it doesn't work.

    What else is there?

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Transparent doesn't work; it is only when it is in Standard mode that this fix seems to work.

    I have tried to use an SNAT rule without success.

    Are there any other options?

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Jason, what do you mean by "Transparent doesn't work" - what do you see?  Also, show a picture of the Profile configuration.

    Cheers - Bob
