Can't select bridge member interface in NAT rule

For example, in the following configuration.

PortC and PortD can't be selected as the inbound interface of the SNAT rule.
br0 can be selected, but the rule then does not apply.
If Any is selected, the rule is applied.
  • Are PortC and D your LAN? Because you should not do SNAT based on the incoming interface. The better approach is the outbound interface.

  • That's not always the case.
    Besides, this issue is only with the bridge interface.

  • There seems to be a technical limitation, which I never discovered in the past months, basically because I never did a SNAT based on an interface filter. I cannot come up with a scenario for why you would do this in a bridge setup.

    So what is the use case for doing this? Why should a SNAT be applied on only one port and not the other port, if traffic is generated by both ports?

  • Why does selecting PortA or PortB work fine, but selecting br0, PortC or PortD causes problems?
    What is the reason for such behavior?

  • Probably a technical limitation. As nobody has discovered this limitation yet, it is likely to be some rare condition. Likely it is because of the way a bridge works. The interfaces will always have the same subnet range. Therefore, separating PortC and D does not leave much room for a valid use case.

    I still cannot think of any kind of use case for doing this. Why should I do this?

  • I think the behavior is inconsistent.

    "Create a source NAT rule" in the Administrator help also sets the inbound interface.

    docs.sophos.com/.../index.html

    For example,
    1.
    No NAT required between PortA and PortB.
    NAT is required for PortC or PortD.
    It is necessary to select "Any" for the inbound interface in the NAT rule, but that also applies between PortA and PortB.

    2.
    Another router is connected to PortC, and NAT is required only for access from the network through that router.
    I want to select only the required PortC as the inbound interface in the NAT rule.

    I want to limit the conditions to the minimum necessary.

  • The picture is actually very misleading. Can you show us your network interfaces?
    And what do you want to do with the SNAT (assuming MASQ)?

  • I don't want you to tell me how to do something.
    I just want Sophos to fix the NAT behavior so that the inbound interface settings work.

  • Then please create a support case so this can be looked at and prioritized by support.
