
Multipath rules: Block specific traffic for an interface

Hello to all!

I have an ADSL connection and I also have a 3G modem connected to my UTM

I wanted to use the 3G modem as a failover, but due to the fact that the 3G subscription is a prepaid one with a limit of 1GB/month I want to allow only HTTP/HTTPS and SMTP connections when the 3G is used (I mean no torrenting, no media streaming allowed)

I found some help from the following thread : https://community.sophos.com/products/unified-threat-management/f/55/p/79077/302143#302143

After unplugging the phone cable, though, I noticed that by using Web Surfing as the service, youtube was still working

So I modified the rule by unchecking the skip rule on interface error option:

With this change I have no internet at all, though..

To my understanding, by unchecking this and the interface is down, it won't allow any traffic, so no internet is the normal behavior. But since the previous rule dictates web surfing allowed, shouldn't I have available internet???

So, to sum up, if "skip rule on interface error" is checked I have youtube working which I don't want.

If I have the setting unchecked I have no internet at all

What I want is to be able to browse the internet when the 3G interface takes over, but no torrenting and no media streaming allowed to save prepaid mobile data

Any ideas please?



  • Hi,

    By default, allowing web services will also allow YouTube streaming; we cannot explicitly define the block through a multipath rule.

    Configure an application control policy to block YouTube Streaming and turn it on when the internet does a failover.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hello and thanks for replying!

    Also apologies for my late reply (was on family vacation)

    So, following your advice, I created a new rule with the following:

    I wanted to block torrents and media streaming while on 3g

    Does it look sufficient for my purpose?

    Specifically for the source networks, I added all entries regarding my 3G interface. Would entering only 3G Network (and omitting 3G address and broadcast) suffice?

    Thanks again for your help!

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hi,

    I hope you enjoyed the vacation :)

    As I mentioned in my previous post, gateway based application blocking is not possible. But, I wonder if that configuration shall do the job! Please update us if it works.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hello again!

    Vacation was really nice, thanks for asking!

    I thought that's what you meant on your previous post - unless you meant a global application rule to block streaming and torrenting that I will manually turn on when on 3G.

    But manual switching is not an option, as I may be out of the house the moment this happens and/or may not see the warning emails on time. (And even if I do, accessing the webui, turning on the rule, and then back off when the ADSL line is up again, is not a very neat solution [:P] )

    I can't test it right now, but crossing fingers that it will work.

    Once I am able to test it I will update the topic

    OK, later update: Not working...[:(]

    The applications are being blocked only if I put any in the source networks.. I even tried to trick it by creating a rule to block youtube using any as the source networks and then adding the external interface in the exception list, but that didn't work either....[:S]

    Any more ideas?

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Please show also the other active Multipath rules above the Any-Any-Any rule you inserted in the post above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, Bob! Thanks a lot for trying to help!

    Actually that rule is number 4 now (had something else that is deleted now)

    So all rules in order are:

    1. Allow web surfing to all interfaces

    2. Allow torrenting on External (ADSL) interface

    3. Allow streaming media on External (ADSL) interface

    4. And finally the any rule

    The interfaces are set up as follows:

    Thanks again!

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • I would put these in a different order: Torrenting, Streaming Media, Web Surfing & Anything else.

    Any better luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
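    The rule-ordering question raised in this exchange, as an added example that is not from the thread and not Sophos code: a small Python model of first-match multipath evaluation. It assumes that a multipath rule matches on destination port only (the "service"), that rules are evaluated top to bottom with the first match winning, and that a rule bound to an interface that is down either drops the flow when "skip rule on interface error" is unchecked (consistent with the "no internet at all" observation above) or is skipped when it is checked. Service port sets, interface names, rule names and the `Flow`/`Rule` types are all constructed for the illustration.

```python
"""Toy model of first-match multipath rule evaluation (constructed example).

Assumptions (not taken from Sophos documentation): a multipath rule matches on
destination port only ("service"); rules are evaluated top to bottom and the
first match wins; a rule bound to an interface that is down either drops the
flow (skip_on_error=False) or is skipped (skip_on_error=True). Application
identities are only visible to a separate, L7 application-control step.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed service definitions keyed by port; real UTM definitions differ.
SERVICES: Dict[str, FrozenSet[int]] = {
    "Web Surfing": frozenset({80, 443}),
    "Torrenting": frozenset(range(6881, 6890)),
    "Streaming Media": frozenset({554, 1935}),   # RTSP, RTMP
    "Any": frozenset(),                          # empty set = match everything
}


@dataclass(frozen=True)
class Flow:
    dst_port: int
    app: str          # what the traffic really is; invisible to port matching


@dataclass(frozen=True)
class Rule:
    name: str
    service: str
    interface: str    # "Any" or an interface name
    skip_on_error: bool = True


def route_flow(rules: List[Rule], flow: Flow,
               iface_up: Dict[str, bool]) -> Tuple[Optional[str], Optional[str]]:
    """Return (matching rule name, egress interface). Egress None means dropped."""
    for rule in rules:
        ports = SERVICES[rule.service]
        if ports and flow.dst_port not in ports:
            continue                                   # service does not match
        if rule.interface == "Any":
            for name, up in iface_up.items():          # first live interface, in order
                if up:
                    return rule.name, name
            return rule.name, None
        if iface_up.get(rule.interface, False):
            return rule.name, rule.interface
        if rule.skip_on_error:
            continue                                   # interface down: try next rule
        return rule.name, None                         # interface down: flow dropped
    return None, None                                  # no rule matched


def app_control(flow: Flow, egress: Optional[str],
                blocked: Dict[str, FrozenSet[str]]) -> Optional[str]:
    """L7 step: drop the flow if its application is blocked on the chosen egress."""
    if egress is None:
        return None
    return None if flow.app in blocked.get(egress, frozenset()) else egress


# Scenarios: the original rule order vs the reordered one, with ADSL down.
OP_ORDER = [
    Rule("Allow web surfing", "Web Surfing", "Any"),
    Rule("Allow torrenting on ADSL", "Torrenting", "External"),
    Rule("Allow streaming on ADSL", "Streaming Media", "External"),
    Rule("Anything else", "Any", "Any"),
]
BOB_ORDER = [
    Rule("Torrenting only on ADSL", "Torrenting", "External", skip_on_error=False),
    Rule("Streaming only on ADSL", "Streaming Media", "External", skip_on_error=False),
    Rule("Allow web surfing", "Web Surfing", "Any"),
    Rule("Anything else", "Any", "Any"),
]
ADSL_DOWN = {"External": False, "3G": True}
YOUTUBE = Flow(dst_port=443, app="youtube")      # streaming, but carried over HTTPS
TORRENT = Flow(dst_port=6881, app="bittorrent")

if __name__ == "__main__":
    for label, rules in (("original order", OP_ORDER), ("reordered", BOB_ORDER)):
        for flow in (YOUTUBE, TORRENT):
            print(label, flow.app, route_flow(rules, flow, ADSL_DOWN))
    # Port matching cannot see "youtube" inside port 443; an L7 policy bound to
    # the 3G egress can.
    _, egress = route_flow(BOB_ORDER, YOUTUBE, ADSL_DOWN)
    print("after app control:",
          app_control(YOUTUBE, egress, {"3G": frozenset({"youtube", "bittorrent"})}))
```

    Under these assumptions the reordering does what it is meant to for port-identifiable traffic: a torrent flow hits the interface-bound rule first and is dropped while ADSL is down, rather than falling through to the catch-all rule. It cannot help with YouTube, because that flow is just another destination-port-443 connection and so matches "Web Surfing" whichever position that rule holds; only a classifier that sees the application (the `app_control` step, standing in for an application control policy scoped to the 3G egress) can tell it apart from browsing.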
  • Hello again, Bob!

    I actually thought about this myself, too, after watching my previous post (lol), but haven't got the chance to try it out, yet.

    I will update the thread when I manage to test that.

    Thanks again!

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hello again!

    Update on the subject:

    I finally managed to test by having the multipath rules this way, Bob..

    So I now have Torrenting, Streaming Media, Web Surfing and then Anything else

    Unplugged the ADSL line, the 3G Interface came on from standby, but Youtube videos were still accessible (rather slow, though, because as an ultimate resort to conserve data I have set the 3G to 1Mbit max up/down)

    Also dropping a torrent started to download immediately

    So, unfortunately, this solution does not work, either....

    Any other ideas you may have are very welcome!

    Cheers!

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hi,

    As I can see, the alignment of the multipath rules doesn't work. I was curious when you came up with a workaround like this.

    I would suggest you raise this as a feature request at http://feature.astaro.com .

    Out of the box, this feature is available in Sophos's latest SF-OS devices called XG and interestingly SG devices are compatible with the new OS.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hello again, and thanks for the suggestion..

    However, there are a lot of feature requests with much higher interest for many which are not fulfilled yet. So I doubt this will ever make it to a Sophos release.

    I am using a home licence and have sophos installed on a PC.

    If the XG has that feature this is interesting. However, TBH, I already gave it a try in a virtual machine and I don't like it. I found it all over the place. [:S]

    I read there are also stuff included in the UTM that are not yet available on XG.

    So I am sticking with the UTM until XG matures enough, or at least when a migration tool is created...

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)