Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 4 subscribers
  • Views 16152 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WiFi on different Public IP

JasonWhite
I am running an SG450, our ISP has given us a /27 block of public IP addresses. We are running a Wi-Fi network that I want to present a different public IP address than what is presented for the wired network. The Wi-Fi is separate from the wired completely and there are issues logging into some cloud services that use SAML and redirect to a local authentication server that is inaccessible from the Wi-Fi.

The redirection is based on source IP which is why I am looking to change.

I have added an additional address to our current Public interface. I have created a masquerading rule for the Wi-Fi network that uses the public interface and the additional address I configured. Wi-Fi is able to get out to the internet but still presents the Public interfaces address, not the additional address configured in the masquerading rule.

I have tried the additional address with a /32 and a /27 subnet.

Thoughts?


This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to JasonWhite
    Hey Scott,
    isn't the web proxy higher up the chain than a snat/packetfilter rule?
    So traffic would never reach the snat rule with the proxy enabled on the wifi network?

    Don't you need a policy based routing rule or something similar?

    Ian
Children
  • 0 in reply to RFCat_vk_01
    Hey Scott,
    isn't the web proxy higher up the chain than a snat/packetfilter rule?
    So traffic would never reach the snat rule with the proxy enabled on the wifi network?

    Don't you need a policy based routing rule or something similar?

    Ian


    This certainly seems to be the behavior. What I am not following is where traffic is directed out a default interface/IP combination.
  • 0 in reply to JasonWhite
    This certainly seems to be the behavior. What I am not following is where traffic is directed out a default interface/IP combination.


    Normally when you use a proxy (any proxy, not just Sophos UTM) it's not your client that is accessing the internet but the proxy server. So it doesn't matter in which network your client is, it only matters in which network your proxy is.

    I'm not sure whether you can solve this with webfiltering switched on and if the SNAT talked about would work, than it would probably only replace the Webfilter, so it's either webfiltering or using the different address I guess.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

Unfiltered HTML