
Transparent proxy multiple downstream subnets

Community,
I tried and failed to set up a UTM 9 between two routers in fully transparent mode.  I'd like to know if this is a supported configuration.

I have an existing firewall, connected to another internal router, with the internal router having a couple of internal client and server subnets.

The web filtering in transparent mode works when the client device is in the subnet directly behind the UTM, but when I put the UTM between the two routers so it will filter traffic from all the internal subnets, it doesn't work.

I have changed settings to allow additional subnets, set the firewall to any/any, etc.

Is this a supported configuration or is anyone else doing this currently?  What settings did you modify?
In the logs, I was getting web traffic blocked due to "error=connection to server timed out" and "passthrough.fw-notify.net", which are very frequently posted in the forum, but I saw no solution that fixed the problem.

Anyone know anything about this?
  • Hi, Cory, and welcome to the UTM Community!

    This should be possible, but "between two routers" doesn't paint a very clear picture.  How about a simple diagram with representative IPs?

    See #2 in Rulz to understand why firewall rules don't affect proxied traffic.

    Cheers - Bob
    PS I've moved this to the Web Protection forum.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • For your configuration, I would think putting the UTM immediately behind the firewall on a bridged connection would be necessary to achieve the desired results.

    For transparent mode to work, the traffic has to naturally flow through UTM based on your routing configuration.   If UTM is between two internal routers, traffic on the firewall side of UTM will have no reason to go through UTM.

    With standard mode, UTM can be anywhere in your network.  I recommend using both.  Standard mode provides better accountability and handles non-standard ports, while transparent mode catches traffic that does not, or cannot, honor the proxy configuration settings.

  • This is the network design.  As it turns out, I finally got this fully functioning by doing two things (I think):

    1. Added public DNS servers to the forwarders list instead of using internal DNS servers

    2. Added a static route statement on the bridged interface for the internal subnets pointing to the interface of the VoIP router seen in the picture.
    Much of the weirdness stopped after that.  I also had to set proxy arp on the bridged interface for EIGRP to start being passed correctly.

  • Glad you got it going, Cory.  Many problems can be avoided by following DNS best practice, which your Forwarders change does.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA