Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 2 answers
  • Subscribers 2 subscribers
  • Views 7622 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't access router webpage from another network

emanueleanni

Goodmorning everyone,

after a little study i realize that the packet filter rule let me pass to the modem 192.168.0.1 from the network 192.168.1.0/24

now the scenario is: one interface of my sophos doing pppoe while the modem is in bridge mode; in the pppoe interface i add an extra ip that is 192.168.0.2 as i see in this guide, but i can't reach my modem webpage. Last day i realize that the web filter put in standard mode blocks the webpage and if i put it in transparent mode i can reach my modem again.

my question is (after reading the manual) what are the priorities in sophos utm? which rule (packet filter, web filter, ips) comes first? i'm asking this because i set a policy that is deny from lan2 to lan1 but the policy partially work because if i smb from lan2 to lan1 i'm blocked and that's right but, if i try to log in a web server of the lan1 from lan2 i can log without problems and that's wrong (the policies described are enabled while the web filter is in transparent mode).

i have noticed that if i want to navigate with web filter standard i have to set a masquerating rule for my lans while in transparent mode isn't necessary.

another thing is that i can't ping my modem ip address while i can ping the addictional interface of the sophos utm that i made. i realize that now i can't see anything in the webfilter log regarding 192.168.0.1 even in firewall logs! what's going on? i add another masquerating rule for lan1 to the addictional address of my wan but i see anything on logs.

can you help face these problems?

Thanks in advice



This thread was automatically locked due to age.
  • 0

    Hi and Welcome to Sophos Community,

    In general, a packet arriving at an interface is handled only by one of the following, in order: the connection tracker (conntrack) first, then Country Blocking, then DNATs, then VPNs, then Proxies (except the SMTP Proxy in Transparent mode which captures traffic forwarded by a DNAT), then manual Routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic and, finally, Applications Control.

    Check if ICMP is allowed through gateway by navigating through Network Protection> Firewall > ICMP. Also, take a tcpdump and ping the modem's IP address. Check if the UTM forwards the packet or not.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Thanks for the help, i managed to enable all my lans to the web filter in transparent mode and exclude them from the same transparent mode, in this way my firewall rules works. regarding the ping question i managed to disable all except the gateway is ping/traceroute visible and try to add a firewall policy with ping service from my lan to another and it works. now the only thing that i couldn't solve is the access to my modem 192.168.0.1 from my lan 192.168.1.1. i made firewall rules exclude the lan 192.168.0.x from transparent mode web filtering, add static routes, masquerade from lan 192.168.1.x to addictional wan interface 192.168.0.1 but it doesn't work. what i'm missing? web access to my modem worked when i had standard mode web filter and i can see that the firewall rule let me pass (as the live log says) but i can't ping the modem and i can't see the web interface. any advice?

    Thanks

  • 0

    Hi,

    Remove the static route, simply create a firewall rule for two way communication.

    1. Lan 1.0 > Modem 0.1

    2. Modem > Lan

    Post a screenshot of the masquerading rule. Also, take a tcpdump capture and verify whether the packet is forwarded towards modem via UTM and if the modem responds to it.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    i'm late sorry...

    i have all the requested info's:

    here's the tcpdump:

    sophos:/home/login # tcpdump host 192.168.0.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:13:01.672362 IP 192.168.1.10 > 192.168.0.1: ICMP echo request, id 1, seq 168, length 40
    20:13:06.215284 IP 192.168.1.10 > 192.168.0.1: ICMP echo request, id 1, seq 169, length 40
    20:13:11.568305 IP 192.168.1.10 > 192.168.0.1: ICMP echo request, id 1, seq 171, length 40
    20:13:16.224576 IP 192.168.1.10 > 192.168.0.1: ICMP echo request, id 1, seq 172, length 40
    20:13:21.218217 IP 192.168.1.10 > 192.168.0.1: ICMP echo request, id 1, seq 173, length 40
    20:13:33.694955 IP 192.168.1.10.phonex-port > 192.168.0.1.http: Flags [S], seq 744988344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:13:33.945563 IP 192.168.1.10.h2gf-w-2m > 192.168.0.1.http: Flags [S], seq 1957812283, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:13:36.706038 IP 192.168.1.10.phonex-port > 192.168.0.1.http: Flags [S], seq 744988344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:13:36.953402 IP 192.168.1.10.h2gf-w-2m > 192.168.0.1.http: Flags [S], seq 1957812283, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:13:42.721119 IP 192.168.1.10.phonex-port > 192.168.0.1.http: Flags [S], seq 744988344, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    20:13:42.968652 IP 192.168.1.10.h2gf-w-2m > 192.168.0.1.http: Flags [S], seq 1957812283, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    20:13:54.859339 IP 192.168.1.10.bmcpatrolrnvu > 192.168.0.1.http: Flags [S], seq 769053352, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:13:57.865902 IP 192.168.1.10.bmcpatrolrnvu > 192.168.0.1.http: Flags [S], seq 769053352, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:13:59.981031 IP 192.168.1.10.cops-tls > 192.168.0.1.http: Flags [S], seq 2331851406, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:14:02.984682 IP 192.168.1.10.cops-tls > 192.168.0.1.http: Flags [S], seq 2331851406, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:14:03.871064 IP 192.168.1.10.bmcpatrolrnvu > 192.168.0.1.http: Flags [S], seq 769053352, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    20:14:08.999703 IP 192.168.1.10.cops-tls > 192.168.0.1.http: Flags [S], seq 2331851406, win 8192, options [mss 1460,nop,nop,sackOK], length 0

    and the other things that you requested:

    http://i63.tinypic.com/34o946c.png

    http://i67.tinypic.com/2i1jk8g.png

    http://i67.tinypic.com/2z908r7.png

    of course i tried to remove the static route, add the firewall rules but nothing i don't understand.

    thank you 

Unfiltered HTML