This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Changing the IP used on outbound proxy traffic

Hi,
I've just moved over to BT Infinity for Business as my ISP.

To use BT Infinity, you have to use their VDSL modem.  They supply a router, but you can use other routers if you choose to.  To get Astaro to work, you have to connect to the BT network using PPPOE and you get allocated a DHCP address which is fine.

You can also have static IP addresses allocated and this is where my question starts.

I've added the additional IP addresses as additional addresses on the ethernet adaptor that connects to BT.  So my external interface has a DHCP address and my additional six static IP addresses.  These IP addresses are visible to the internet as e-mail flows in and out, and VPN works as expected.

However, when I use the Web Filtering, all web traffic goes out onto the internet using the DHCP allocated IP address.  How can I change this so that is uses one of the static IP addresses?

This thread was automatically locked due to age.

Parents

0 BAlfson over 12 years ago

Scott's right. In a situation where you want specific traffic to leave via an Additiona Address, a SNAT is the right "trick" to use:
External (Address) -> Web Surfing -> Internet : SNAT from External [Other Address] (Address)

Note that the service stays blank and that the address objects are those created by WebAdmin.

Cheers - bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 andrew.matthews over 12 years ago in reply to BAlfson

Scott's right. In a situation where you want specific traffic to leave via an Additiona Address, a SNAT is the right "trick" to use:
External (Address) -> Web Surfing -> Internet : SNAT from External [Other Address] (Address)

Note that the service stays blank and that the address objects are those created by WebAdmin.

Cheers - bob

Thanks for the feedback Bob. I made the change Scott suggested using your additional information and it works.

Many thanks to you both and sorry for doubting you Scott [:D]
Cancel
Vote Up 0 Vote Down

Cancel
0 axis-frank over 9 years ago in reply to andrew.matthews

Hi all.

i realise this is a very old thread but I'm trying through sheer desperation!

I am in the exact same boat - BT Business, DHCP IP on interface with 5 additional Stactic IPs.

This solution is not working for me! I have created an SNAT rule and also a Masquerading rule to send traffic via one of the additional IPs, but they only work when the proxies are turned off!

If Web Filtering is on, then all HTTP traffic leaves on the default IP assigned by DHCP. If I relay mail through the UTM, then that also leaves on the default IP, which is no good because the mail gets bounced back from most servers!

As soon as I turn off Web Filtering and tell Exchange to route mail directly rather than relay through the UTM, then they follow the masquerading/SNAT rules and leave on the correct IPs!

How do I stop this! This is baffling as these should be simple features that aren't implemented for some reason! I would appreciate any advice if someone can give any!!

Using Sophos UTM 9.309-3

Thanks in advance
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 axis-frank over 9 years ago in reply to andrew.matthews

Hi all.

i realise this is a very old thread but I'm trying through sheer desperation!

I am in the exact same boat - BT Business, DHCP IP on interface with 5 additional Stactic IPs.

This solution is not working for me! I have created an SNAT rule and also a Masquerading rule to send traffic via one of the additional IPs, but they only work when the proxies are turned off!

If Web Filtering is on, then all HTTP traffic leaves on the default IP assigned by DHCP. If I relay mail through the UTM, then that also leaves on the default IP, which is no good because the mail gets bounced back from most servers!

As soon as I turn off Web Filtering and tell Exchange to route mail directly rather than relay through the UTM, then they follow the masquerading/SNAT rules and leave on the correct IPs!

How do I stop this! This is baffling as these should be simple features that aren't implemented for some reason! I would appreciate any advice if someone can give any!!

Using Sophos UTM 9.309-3

Thanks in advance
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Daniel Karas over 7 years ago in reply to axis-frank

It is still a problem!

We have the same issue here and no solution yet - we can only decide, wether we'd like to use Web filtering or sending the traffic out via the correct interface.

The thing with SNAT is, we can NOT differentiate between any user groups - only send the whole Web traffic out on another interface.

Hasn't anyone found a solution yet?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to Daniel Karas

Hi, Daniel, and welcome to the UTM Community!

This has long been a feature requested by UTM users. You may want to vote for and comment on Proxies and Profiles Mapping to Additional Addresses. My comment there suggests a workaround that can be done with a second proxy.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Joseph Jozwik over 7 years ago in reply to BAlfson

Can you setup a second proxy inside the sophos? or would that be a seperate proxy on a seperate network that does not have web filtering turned on?
Cancel
Vote Up 0 Vote Down

Cancel
0 Daniel Karas over 7 years ago in reply to Joseph Jozwik

No, you cannot do that. You can only create multiple Proxy Profiles for different Hosts/Networks.

The only solution we found, is installing a second Box, route the traffic on the first one using Multipathing or static routing and filter web traffic on the second one..
Cancel
Vote Up 0 Vote Down

Cancel
0 HuberChristian over 6 years ago in reply to Daniel Karas

To have this thread completed, let me mention this should be possible by now.

See following KB: https://community.sophos.com/kb/en-us/126892

Please send me Spam gueselkuebel@sg-utm.also-solutions.ch
Cancel
Vote Up 0 Vote Down

Cancel
0 Argo over 6 years ago in reply to HuberChristian

I Know this thread a old, but I had this very same issue, and tried this fix, and it doesn't work.

what else is there?

XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
Cancel
Vote Up 0 Vote Down

Cancel
0 Argo over 6 years ago in reply to Argo

Transparent doesn't work, it is only when it is in Standard mode does this fix seem to work.

I have tried to use an SNAT rule without success.

Are there any other options?

XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to Argo

Jason, what do you mean by "Transparent doesn't work" - what do you see? Also, show a picture of the Profile configuration.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel