
Load balance web proxy across specified PAT address group

Hello, I am trying to reconfigure our UTM for a scenario that accomplishes some goals that we do not have today:

  • I would like to convert our masquerade rules to all SNAT rules if possible, because they use less processing power and they are easier to read in my opinion;
  • I would like to separate web proxy traffic so that it will egress on different assigned PAT addressing, based on the source network if possible;
  • In one of the PAT groups, I would like to configure port load balancing for the associated web proxy traffic per this technote from Sophos;

I have done a fair amount of research on how to accomplish all these objectives, or where the limitations of the UTM may be. I am getting conflicting information between the forum and Sophos support.

Sophos support published How to change the outgoing interface for Web Filtering almost immediately after I submitted questions about this. That's nifty, but I've also found other solutions to change the web proxy egress address here, here and here. After speaking with them today, I believe they have also confirmed that it may be impossible to have web proxy traffic exit on different external addresses based on the source (also confirmed for SNAT here and here).

So I guess my questions for the experts here are:

  • please confirm whether or not web proxy must egress on a single external IP (or group) and cannot change based on the traffic source;
  • please confirm HOW you make this port load balancing feature work - is there more than one way to accomplish this?
  • is there some reason that I should use masquerade rules? Why not use SNAT for all my PAT needs?

One other thing I should mention: I have multiple additional addresses linked to my external interface. These are mostly used for specific-case DNATs. I do not wish to use this addressing as part of the PAT port load balancing scheme. I would like to designate 3 specific external IP addresses for the PAT port load balancing group if possible.

Thank you

  • Kevin, this is actually several different questions.  I'll move this thread to the Web Protection forum and answer that question there.  Please edit your original post and move your other questions to an appropriately-titled thread for each.  Note that traffic handled by Web Filtering is not NAT'd.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA