This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WiFi on different Public IP

I am running an SG450, our ISP has given us a /27 block of public IP addresses. We are running a Wi-Fi network that I want to present a different public IP address than what is presented for the wired network. The Wi-Fi is separate from the wired completely and there are issues logging into some cloud services that use SAML and redirect to a local authentication server that is inaccessible from the Wi-Fi.

The redirection is based on source IP which is why I am looking to change.

I have added an additional address to our current Public interface. I have created a masquerading rule for the Wi-Fi network that uses the public interface and the additional address I configured. Wi-Fi is able to get out to the internet but still presents the Public interfaces address, not the additional address configured in the masquerading rule.

I have tried the additional address with a /32 and a /27 subnet.

Thoughts?

This thread was automatically locked due to age.

0 Scott_Klassen over 10 years ago

Let me guess, this is web surfing traffic and you are using the Web Protection proxy for the wi-fi clients? If this is the case, you'll need an SNAT. See the thread at https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49800, specifically post 5, for the basics of what you'll need to do.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 JasonWhite over 10 years ago in reply to Scott_Klassen

This works perfectly when the source network (Wi-Fi) is not subject to any web filtering. When I turn on web filtering then I see the IP of the Public interface and not the additional address as I see when filtering is off.

We are only filtering networks and not users.

Thanks for the help.
Cancel
Vote Up 0 Vote Down

Cancel
0 RFCat_vk_01 over 10 years ago in reply to JasonWhite

Hey Scott,
isn't the web proxy higher up the chain than a snat/packetfilter rule?
So traffic would never reach the snat rule with the proxy enabled on the wifi network?

Don't you need a policy based routing rule or something similar?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 JasonWhite over 10 years ago in reply to RFCat_vk_01

Hey Scott,
isn't the web proxy higher up the chain than a snat/packetfilter rule?
So traffic would never reach the snat rule with the proxy enabled on the wifi network?

Don't you need a policy based routing rule or something similar?

Ian

This certainly seems to be the behavior. What I am not following is where traffic is directed out a default interface/IP combination.
Cancel
Vote Up 0 Vote Down

Cancel
0 apijnappels over 10 years ago in reply to JasonWhite

This certainly seems to be the behavior. What I am not following is where traffic is directed out a default interface/IP combination.

Normally when you use a proxy (any proxy, not just Sophos UTM) it's not your client that is accessing the internet but the proxy server. So it doesn't matter in which network your client is, it only matters in which network your proxy is.

I'm not sure whether you can solve this with webfiltering switched on and if the SNAT talked about would work, than it would probably only replace the Webfilter, so it's either webfiltering or using the different address I guess.

Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Cancel
Vote Up 0 Vote Down

Cancel
0 Hallowach2 over 10 years ago

If you have two uplink interfaces you could use a multipath rule to change the outgoing address - even if the webproxy is in use.

Regards
Manfred
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago

As of 03 June 2017, this is now possible! See How to change the outgoing interface for Web Filtering.

Rather than use the suggested method of enabling this capability, do the following as root:

cc set http enable_out_interface 1

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 brunomc over 7 years ago in reply to BAlfson

@balfson oddly that link you give does not work for me, can you check ?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to brunomc

Fixed now, Bruno - Thanks!

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to BAlfson

Excellent work Mister B.

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel