Webfilter Fehler. Webfilter with wrong Gateway IP

Go to Administration > Admin and User Settings >  When redirecting users to the captive portal or other interactive pages

You can put in the hostname or ip you want to use.

Hello, i know this Option, But i want different ip adresses. It should be the Gateway Sophos on each lan.

XG Will always use the hostname IP to redirect. Use a FQDN to resolve the Cert issues. 

Witch Port is it for the Block Site?

Blockpage will be loaded by the hostname of the XG. So the hostname is used by XG to redirect the client to this blockpage. Its 8090

Ok, so i have to add a Firewall rule from the lan to xg Hostname with only Port 8090 für the blockpage?

No you dont have to do this. The XG will simply replay from this address. This system can intercept the request on all interfaces without the need to have a firewall rule. Except this traffic to this IP is blocked by some other device or routed differently. 

Try to setup a FQDN for the XG anyways. It will resolve a lot of your frustration. 

Hi, i dont understand

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/learningContent/HostsServicesFQDNHost.html

how it will work with the xg block site. please help

I mean, change the hostname of the XG to a DNS/FQDN of your domain. Instead of having your 192.168.12.254 you can setup xg.domain.local. 

This DNS can be registered in the DNS of your AD. 

Then register a certificate for this DNS record (internal or external) and push it to the clients. 

I assume, the issue of your block page is not showing, is caused by the browser in the first place, as the website is not secure etc. 

there is a hostname in our configuration

but the users on the 

192.168.20.0/24 do not have contact to the local dns. they are separated. they only have traffic to the sofos xg port / gateway 192.168.20.254 an than to the lan port

LuCar Toni said:

I assume, the issue of your block page is not showing, is caused by the browser in the first place, as the website is not secure etc. 

I can't push it to the client, because some clients are customers. these customers can go the internet, but they should se block site if they won't to use a blocked page

LuCar Toni said:

I assume, the issue of your block page is not showing, is caused by the browser in the first place, as the website is not secure etc. 

No, because it is a different ip Adress wich is not possible to connect from this lan. There must be a blockpage on every gateway of the xg

LuCar Toni said:

I assume, the issue of your block page is not showing, is caused by the browser in the first place, as the website is not secure etc. 

I can't push it to the client, because some clients are customers. these customers can go the internet, but they should se block site if they won't to use a blocked page

LuCar Toni said:

I assume, the issue of your block page is not showing, is caused by the browser in the first place, as the website is not secure etc. 

No, because it is a different ip Adress wich is not possible to connect from this lan. There must be a blockpage on every gateway of the xg

First of all: Guest proxy is a easy to avoid setup. As you cannot intercept the HTTPS traffic, you are likely to be blind and cannot block everything in the first place. So to think, there is a "good way to block" unwanted websites for Guest (external) users, is not possible. 

For those pages, you can actually block, you need to have a certificate, which is publicly known. LetsEncrypt or you purchase a certificate. 

This can be pointed to an IP of XG. So for example, you can still use your first IP of your network, but it should be a DNS. (proxy.domain.com). Then register a cert with your public CA. 

Another point you need to activate is the captive portal under Device Access: