This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bridge mode doubts NAT

Gib GoDesk over 3 years ago

Hello guys.

First of all I would like to thank you for taking the time to read my question.

I'm trying to understand the need for a NAT (MASQ) in bridge operating mode.

And one scenario, I have the need to leave Sophos Firewall (SF) in this mode and do only Web filtering.

So the environment is: ROUTER <-> SOPHOS <-> LAN

Sophos configured as bridge mode, with the routing flag unchecked.

Computers have internet access. When you enabled App control, everything works fine. When you enabled the web filter, some sites give conn_rst.

So I decided to create a nat rule, when creating the nat rule doing the translation of the source ip, the accesses work.

That way the router is only seeing a connection IP, but it wouldn't want to be like that.

Could someone tell me why the need for this MASQ and if there is a possibility to get around it?

This thread was automatically locked due to age.

0 Vivek Jagad over 3 years ago

Hello Gib GoDesk,

Thank you for reaching out to the community, With the routing enabled on the bridge pair interface will participate in routing decisions and it will route traffic to other network interface which is directly connected to your device. If routing is disabled then the traffic will be sent to upstream device.

MASQ is IP address of the applicable outbound interface
Concept of Linked NAT in the firewall rule: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateFirewalRuleWithLinkedNATRule/index.html#objectives

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gib GoDesk over 3 years ago in reply to Vivek Jagad

Hi Vivek Jagad.

Routing is disabled on my bridge interface. This is the question of my doubt. I understand that I don't need to do the MASQ.

Traffic is sent to the upstream device. We have internet. The problem is when I activate the Web Filter. I notice that I have a lot of dropped packages (Invalid Traffic) for the website. I can resolve this situation when I apply MASQ. My bridge interface continues with the routing option disabled:

So I want to understand, why do I need MASQ to solve my problem when I'm using the web filter?

This documentation:Bridge interfaces - Sophos Firewall

Explain it: "Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent packet drop because of NAT rules, you must specify the override source translation setting."

I use an IP on the bridge interface:
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Gib GoDesk

In that case you, you make diagnose it via packet capture:

Monitor packet flow using the command line interface : https://support.sophos.com/support/s/article/KB-000035939?language=en_US
Monitor dropped packets using CLI : https://support.sophos.com/support/s/article/KB-000036858?language=en_US
Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US
Create and download a packet capture : https://support.sophos.com/support/s/article/KB-000037007?language=en_US
How to filter packets using packet capture : https://support.sophos.com/support/s/article/KB-000035768?language=en_US

Invalid traffic events: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/InvalidTrafficEvents/index.html

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gib GoDesk over 3 years ago in reply to Vivek Jagad

Thanks for your time Vivek.

I've done package analysis. I see packages being reset.

One detail, the web filter's blocking notification screen doesn't work either. Only when I do MASQ.
Without MASQ it blocks but does not display the information to the user.

I have complex scenario. If you tell me that there is no need for MASQ for using Web Filter in bridge mode. I will open a ticket with Sophos.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Gib GoDesk

Hey Gib GoDesk,

Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent packet drop because of NAT rules, you must specify the override source translation setting.

Adding a Bridge interface: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkBridgeInterfaceAdd/index.html

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gib GoDesk over 3 years ago in reply to Vivek Jagad

But I use IP addressing on my Bridge.

Can you clear my doubts?

1 - Is it recommended to use a WAN ZONE, within my bridge?

2 - What would be the most correct way to use vlans on a bridge?

All stations are in a vlan and the bridge interface is not.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Gib GoDesk

That is fine if you use WAN and LAN together in a bridge, but if you are asking for a recommendation, then I would not recommend to use LAN and WAN in bridge.

With two LAN Ports I would say it's fine.

> Tag a bridge interface traffic with a VLAN ID: https://support.sophos.com/support/s/article/KB-000035910?language=en_US

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gib GoDesk over 3 years ago in reply to Vivek Jagad

Thanks for the reply.

About marking the vlan ID on the bridge interface (br0) would mark only one vlan, but in my case I have more than one vlan.

Do you have any suggestions in these cases?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to Gib GoDesk

In that case, would recommend WAN on an entire different interface, you can select two-three LAN interface based on your requirement in a bridge interface and start adding the VLANs...

And do not give any IP details on the Bridge, just directly assign the IP to the various VLAN you create and tag that with the VLAN ID

Add a VLAN interface: https://support.sophos.com/support/s/article/KB-000035704?language=en_US

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Bridge mode doubts NAT

Submitted a Tech Support Case lately from the Support Portal?