
Full transparent proxy fails when on--all other traffic traverses. Works fine when off.

This was from a different thread (community.sophos.com/.../73266) that was abandoned:

I run a core/full transparent utm/border configuration. This works entirely until I turn on the web filter, at which point HTTP and HTTPS traffic fails to traverse. So, the routing is correct--I'm using that link presently to post this.
However, when I toggle on the web filter, I don't even see any entries hitting it. All other protocols traverse.

This is an ESXi environment--a trunk comes in from my internal network to the core router. The core and UTM both share a vswitch, and the border and the UTM both share a vswitch. Promiscuous mode is on those vswitches.

These were the last steps I undertook:
I rebuilt Sophos from the ground up. Fresh install, assign interfaces, create bridge and management, assign proper gateway to bridge, create any/any/any firewall rule, toggle on firewall rule, assign DNS, get Sophos up-to-date, test the bridge successfully (full normal connectivity), turn on Web Filter and immediately lose web browsing by HTTP or HTTPS. All other protocols still work. Turn web filter off and all connectivity resumes.

Everything tests fine--DNS test from Sophos and my internal nets and core are great, routing is all fine, the bridge works and passes traffic from core to border. It just refuses to transparently proxy when I toggle it on.

Does anyone have any ideas? I'm going to throw a VM on that core-UTM vswitch to see if I can find anything amiss and will report back. But I'm pretty puzzled at this point.

  • Are you sure that all of the traffic between your PC at 192.168.10.128 and the rest of the world is passing through the bridge?  I would think you would do packet captures on the UTM's bridge and the PC, but I can't tell where you sniffed the packets.

    I'm a visual-tactile learner, so I'm having a hard time following your description without a network diagram showing IPs and MACs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Thank you for the reply. I don't have access to my network plans right now, but I'll MSPaint up a quick diagram.

    To answer your question: the packet captures were issued from the root user of the Sophos UTM using tcpdump on the bridge interface as in this article: https://sophserv.sophos.com/repo_kb/115343/file/308674.pdf

    The Sophos bridge is composed of the two Core/Border vSwitch interfaces. As I've said (repeatedly at this point, I do realise this is a weird problem, but seriously!), the bridge interface is the only configured topology that can get packets from my core to the border. I can easily work around it in the VM configuration, but that isn't the case. The bridge actively is forwarding packets, all the time. It just stops for 80/443 traffic when I turn the web filter on. When that happens, the bridge *still* works for any other protocols. I just can't wrap my head around what in virtual-land could be screwing with it when the web filtering proxy is on.

  • Thanks for the diagram, Robert. That makes it much easier to visualize what might be happening. In the Core and Border VMs, what MAC do they have in their ARP tables for 10.10.10.3? What MACs are in the ARP table in the UTM for 10.10.10.1 and 10.10.10.2? What do all three have for 192.168.10.128? If that all seems correct, what do you see when you do simultaneous packet captures on their 10.10.10.x interfaces? Raw data, please.

    Cheers - Bob

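The ARP cross-check Bob asks for, as an added example that is not part of the thread and not Sophos code: this Python script parses `ip neigh show` output gathered from the Core, Border and UTM VMs and flags any of the thread's addresses (10.10.10.1, .2, .3 and 192.168.10.128) that resolve to more than one MAC across the three hosts. The neighbour tables, interface names (eth0/eth1/br0) and MAC addresses below are constructed for illustration and are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
# Addresses named in the thread: the 10.10.10.x transit net and the client PC.
WATCHED_IPS = ("10.10.10.1", "10.10.10.2", "10.10.10.3", "192.168.10.128")
# `ip neigh show` rows with a resolved lladdr; FAILED/INCOMPLETE rows never match.
NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})", re.I)

def parse_ip_neigh(text):
    """Return {ip: mac} parsed from one host's `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_mac_conflicts(tables, watched=WATCHED_IPS):
    """tables: {host: {ip: mac}}.  Return {ip: {mac: [hosts]}} for each watched
    IP that resolves to more than one MAC across the hosts (empty = consistent)."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, table in tables.items():
        for ip in watched:
            if ip in table:
                seen[ip][table[ip]].append(host)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample tables (interface names and MACs are made up, not from the
# thread).  Here the border VM sees 10.10.10.3 at a different MAC than the core.
CORE_NEIGH = """\
10.10.10.3 dev eth1 lladdr 00:50:56:aa:00:03 REACHABLE
10.10.10.2 dev eth1 lladdr 00:50:56:aa:00:02 STALE
192.168.10.128 dev eth0 lladdr 00:50:56:bb:01:28 REACHABLE
"""
BORDER_NEIGH = """\
10.10.10.3 dev eth0 lladdr 00:50:56:aa:00:04 REACHABLE
10.10.10.1 dev eth0 lladdr 00:50:56:aa:00:01 REACHABLE
"""
UTM_NEIGH = """\
10.10.10.1 dev br0 lladdr 00:50:56:aa:00:01 REACHABLE
10.10.10.2 dev br0 lladdr 00:50:56:aa:00:02 REACHABLE
192.168.10.128 dev br0 lladdr 00:50:56:bb:01:28 DELAY
10.10.10.9 dev br0  FAILED
"""
SAMPLE_TABLES = {h: parse_ip_neigh(t) for h, t in
                 [("core", CORE_NEIGH), ("border", BORDER_NEIGH), ("utm", UTM_NEIGH)]}

if __name__ == "__main__":
    for ip, macs in find_mac_conflicts(SAMPLE_TABLES).items():
        print(f"{ip} resolves to {len(macs)} different MACs: {macs}")
```

Any IP reported under two MACs is the one to follow in the simultaneous captures on the 10.10.10.x interfaces.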