Bridge mode doubts NAT

Hello Gib GoDesk,

Thank you for reaching out to the community, With the routing enabled on the bridge pair interface will participate in routing decisions and it will route traffic to other network interface which is directly connected to your device. If routing is disabled then the traffic will be sent to upstream device. 

MASQ is IP address of the applicable outbound interface
Concept of Linked NAT in the firewall rule: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateFirewalRuleWithLinkedNATRule/index.html#objectives

Hi Vivek Jagad.

Routing is disabled on my bridge interface. This is the question of my doubt. I understand that I don't need to do the MASQ.

Traffic is sent to the upstream device. We have internet. The problem is when I activate the Web Filter. I notice that I have a lot of dropped packages (Invalid Traffic) for the website. I can resolve this situation when I apply MASQ. My bridge interface continues with the routing option disabled:

So I want to understand, why do I need MASQ to solve my problem when I'm using the web filter?

This documentation:Bridge interfaces - Sophos Firewall

Explain it: "Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent packet drop because of NAT rules, you must specify the override source translation setting."

I use an IP on the bridge interface:

Hi Vivek Jagad.

Routing is disabled on my bridge interface. This is the question of my doubt. I understand that I don't need to do the MASQ.

Traffic is sent to the upstream device. We have internet. The problem is when I activate the Web Filter. I notice that I have a lot of dropped packages (Invalid Traffic) for the website. I can resolve this situation when I apply MASQ. My bridge interface continues with the routing option disabled:

So I want to understand, why do I need MASQ to solve my problem when I'm using the web filter?

This documentation:Bridge interfaces - Sophos Firewall

Explain it: "Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent packet drop because of NAT rules, you must specify the override source translation setting."

I use an IP on the bridge interface:

In that case you, you make diagnose it via packet capture: 

Monitor packet flow using the command line interface : https://support.sophos.com/support/s/article/KB-000035939?language=en_US
Monitor dropped packets using CLI : https://support.sophos.com/support/s/article/KB-000036858?language=en_US
Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US
Create and download a packet capture : https://support.sophos.com/support/s/article/KB-000037007?language=en_US
How to filter packets using packet capture : https://support.sophos.com/support/s/article/KB-000035768?language=en_US

Invalid traffic events: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/InvalidTrafficEvents/index.html

Thanks for your time Vivek.

I've done package analysis. I see packages being reset.

One detail, the web filter's blocking notification screen doesn't work either. Only when I do MASQ.
Without MASQ it blocks but does not display the information to the user.

I have complex scenario. If you tell me that there is no need for MASQ for using Web Filter in bridge mode. I will open a ticket with Sophos.

Hey Gib GoDesk,

Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent packet drop because of NAT rules, you must specify the override source translation setting.

Adding a Bridge interface: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkBridgeInterfaceAdd/index.html

But I use IP addressing on my Bridge.

Can you clear my doubts?

1 - Is it recommended to use a WAN ZONE, within my bridge?

2 - What would be the most correct way to use vlans on a bridge?

All stations are in a vlan and the bridge interface is not.

That is fine if you use WAN and LAN together in a bridge, but if you are asking for a recommendation, then I would not recommend to use LAN and WAN in bridge. 

With two LAN Ports I would say it's fine.

 > Tag a bridge interface traffic with a VLAN ID: https://support.sophos.com/support/s/article/KB-000035910?language=en_US

Thanks for the reply.

About marking the vlan ID on the bridge interface (br0) would mark only one vlan, but in my case I have more than one vlan.

Do you have any suggestions in these cases?

In that case, would recommend WAN on an entire different interface, you can select two-three LAN interface based on your requirement in a bridge interface and start adding the VLANs...

And do not give any IP details on the Bridge, just directly assign the IP to the various VLAN you  create and tag that with the VLAN ID

Add a VLAN interface: https://support.sophos.com/support/s/article/KB-000035704?language=en_US